Edit tour

Windows Analysis Report
Notificacion_juzgadoPdf.exe

Overview

General Information

Sample name:	Notificacion_juzgadoPdf.exe
Analysis ID:	1428605
MD5:	ae224c5e196ff381836c9e95deebb7d5
SHA1:	910446a2a0f4e53307b6fdeb1a3e236c929e2ef4
SHA256:	bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26

Detection

Score:	25
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to get notified if a device is plugged in / out

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample is a service DLL but no service has been registered

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

Notificacion_juzgadoPdf.exe (PID: 5632 cmdline: "C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe" MD5: AE224C5E196FF381836C9E95DEEBB7D5)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: Notificacion_juzgadoPdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Notificacion_juzgadoPdf.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: Notificacion_juzgadoPdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: d:\build\ob\bora-4448491\bora-vmsoft\build\release\tools-for-windows\Win32\services\vmtoolsd\vmtoolsd.pdb source: Notificacion_juzgadoPdf.exe

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_00075E20 DeregisterEventSource,UnregisterDeviceNotification,CloseHandle,??3@YAXPAX@Z,

0_2_00075E20

Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: http://www.vmware.com/0

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_00075190 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,

0_2_00075190

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: String function: 00071000 appears 33 times

Source: Notificacion_juzgadoPdf.exe, 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevmtoolsd.exe: vs Notificacion_juzgadoPdf.exe
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: OriginalFilenamevmtoolsd.exe: vs Notificacion_juzgadoPdf.exe

Source: Notificacion_juzgadoPdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus25.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: OpenSCManagerW,GetModuleFileNameW,Str_Aswprintf,Str_Aswprintf,Panic,CreateServiceW,free,CloseServiceHandle,Str_Snwprintf,RegCreateKeyW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegSetValueExW,RegSetValueExW,RegSetValueExW,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00075B20

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_00075E80 StartServiceCtrlDispatcherW,GetLastError,SetEvent,

0_2_00075E80

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_00075E80 StartServiceCtrlDispatcherW,GetLastError,SetEvent,

0_2_00075E80

Source: Notificacion_juzgadoPdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: --help
Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: --help
Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: --help
Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: --help
Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: --help--version-v-h-?Failed to set console control handler: %uNamed event for 'DumpEvent' already exists. Exiting.
Source: Notificacion_juzgadoPdf.exe	String found in binary or memory: --help--version-v-h-?Failed to set console control handler: %uNamed event for 'DumpEvent' already exists. Exiting.

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Section loaded: intl.dll	Jump to behavior
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Section loaded: glib-2.0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Section loaded: gmodule-2.0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Section loaded: gobject-2.0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Section loaded: gthread-2.0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Section loaded: vmtools.dll	Jump to behavior

Source: Notificacion_juzgadoPdf.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: Notificacion_juzgadoPdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Notificacion_juzgadoPdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Notificacion_juzgadoPdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Notificacion_juzgadoPdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Notificacion_juzgadoPdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Notificacion_juzgadoPdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Notificacion_juzgadoPdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Notificacion_juzgadoPdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: d:\build\ob\bora-4448491\bora-vmsoft\build\release\tools-for-windows\Win32\services\vmtoolsd\vmtoolsd.pdb source: Notificacion_juzgadoPdf.exe

Source: Notificacion_juzgadoPdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Notificacion_juzgadoPdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Notificacion_juzgadoPdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Notificacion_juzgadoPdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Notificacion_juzgadoPdf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_00075620 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00075620

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_00076571 push ecx; ret

0_2_00076584

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_00075E80 StartServiceCtrlDispatcherW,GetLastError,SetEvent,

0_2_00075E80

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Code function: d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/pluginMgr.c vmtoolsd	0_2_00072600
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Code function: vmtoolsdControlWndClass vmtoolsdControlWndTitle vmtoolsdControlWndClass %S\VMwareToolsQuitEvent_%s %S\VMwareToolsDumpStateEvent_%s	0_2_00071880
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Code function: vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd vmtoolsd Runs the VMware Tools daemon. VMware Tools daemon, version vmtoolsd %S\VMwareToolsQuitEvent_%s %S\VMwareToolsDumpStateEvent_%s	0_2_00073AC0
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Code function: @&!@@(cmdline.rpcerror)Unable to send command to VMware hypervisor. vmtoolsd	0_2_00073910
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Code function: vmtoolsd vmtoolsd VMware Tools Service VMTools	0_2_00071530
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Code function: d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/threadPool.c vmtoolsd	0_2_000733F0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Notificacion_juzgadoPdf.exe	Binary or memory string: Command line parsing failedRuns the VMware Tools daemon.%s %sversion@&!@@(cmdline.version)Prints the daemon version and exits.log@&!@@(cmdline.log)Ignored, kept for backwards compatibility.debug@&!@@(cmdline.debug)Runs in debug mode, using the given plugin.config@&!@@(cmdline.config)Uses the config file at the given path.@&!@@(cmdline.displayname.argument)namedisplayname@&!@@(cmdline.displayname)Service display name (only used with -i).uninstall@&!@@(cmdline.uninstall)Uninstalls the service from the Service Control Manager.@&!@@(cmdline.install.args)argsinstall@&!@@(cmdline.install)Installs the service with the Service Control Manager.@&!@@(cmdline.kill)Stops a running instance of a tools service.killdump-state@&!@@(cmdline.state)Dumps the internal state of a running service instance to the logs.@&!@@(cmdline.rpc.command)commandcmd@&!@@(cmdline.rpc)Sends an RPC command to the host and exits.plugin-path@&!@@(cmdline.pluginpath)Path to the plugin directory.@&!@@(cmdline.path)pathcommon-path@&!@@(cmdline.commonpath)Path to the common plugin directory.@&!@@(cmdline.name.argument)svcnamename@&!@@(cmdline.name)Name of the service being started.D
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: http://www.vmware.com/0
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMware Tools daemon, version%s: %s
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: file %s: line %d: assertion `%s' failedd:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/pluginMgr.cprov->regType != existing->prov->regTypeCannot find provider for app type %d, plugin %s may not work.
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: %S\VMwareToolsQuitEvent_%s
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: d:\build\ob\bora-4448491\bora-vmsoft\build\release\tools-for-windows\Win32\services\vmtoolsd\vmtoolsd.pdb
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: services/vmtoolsd/svcSignals-gm.c
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMware, Inc.0
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/pluginMgr.c
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMware, Inc.1>0<
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_AttachConsole+
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: vmtools.dll
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_SuspendLogIO
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_NewHandleSource
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: ProductNameVMware ToolsP
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: vmtoolsdControlWndTitle
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: %S\VMwareToolsDumpStateEvent_%s
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: vmtools
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: services/vmtoolsd/svcSignals-gm.creturn_value != NULLn_param_values == 3n_param_values == 4n_param_values == 6Service UninstallCould not remove %S. Error %d
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_BindTextDomain0
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_LoadConfig
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: %S\VMwareToolsQuitEvent_%sFailed to create control window: %uvmtoolsdControlWndTitlevmtoolsdControlWndClassLocalGlobalWaitForSingleObject failed: %u.
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: Runs the VMware Tools daemon.
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: FileDescriptionVMware Tools Core Service8
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: tools.set.version %utools.set.versiontype %u %uvmtoolsdisable-tools-versionUnable to register guest conf directory capability.
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: InternalNamevmtoolsdj#
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMware Tools Service
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: %S\VMwareToolsDumpStateEvent_%sNamed event for 'QuitEvent' already exists. Exiting.
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/threadPool.c
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_LoadConfigB
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: vmtoolsdControlWndClass
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_NewHandleSource4
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_BindTextDomain
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_ConfigLogging
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMware Tools daemon, version
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMToolsVMware Tools ServiceCannot convert to UTF16: %s
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: Str_Vasprintfvmtools.dllRCloseHandleY
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: @&!@@(cmdline.rpcerror)Unable to send command to VMware hypervisor.
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: vmtoolsd
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="VMware.VMware.vmtoolsd" type="win32"></assemblyIdentity><description>"VMware Tools Core Service"</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.30729.4148" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings xmlns:settings="http://schemas.microsoft.com/SMI/2005/WindowsSettings"><settings:dpiAware>True/PM</settings:dpiAware></windowsSettings></application><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: tcs_shutdowntcs_capabilitieserror sending work request, executing in service thread: %sd:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/threadPool.cid != 0failed to start thread: %s.error initializing thread pool, running single threaded: %spool.maxUnusedThreadspool.maxIdleTimetcs_prop_thread_poolpool.maxThreads@&!@@(cmdline.rpcerror)Unable to send command to VMware hypervisor.%s
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_AttachConsole
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: OriginalFilenamevmtoolsd.exe:
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_GetString
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: CompanyNameVMware, Inc.\
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: 1998-2016 VMware, Inc.B
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_ResumeLogIO8
Source: Notificacion_juzgadoPdf.exe	Binary or memory string: VMTools_ResumeLogIO

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_000761F0 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

0_2_000761F0

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_00075620 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_00075620

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Code function: 0_2_000762A6 SetUnhandledExceptionFilter,		0_2_000762A6
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Code function: 0_2_000761F0 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,		0_2_000761F0

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_00071880 AllocateAndInitializeSid,GetLastError,memset,SetEntriesInAclW,malloc,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetSecurityDescriptorOwner,GetLastError,GetModuleHandleW,GetModuleHandleW,RegisterClassW,GetModuleHandleW,GetDesktopWindow,CreateWindowExW,GetLastError,SetWindowLongW,CreateEventW,GetLastError,Str_Aswprintf,CreateEventW,vm_free,GetLastError,Str_Aswprintf,CreateEventW,vm_free,GetLastError,VMTools_NewHandleSource,g_source_set_callback,g_main_loop_get_context,g_source_attach,g_source_unref,VMTools_NewHandleSource,g_source_set_callback,g_main_loop_get_context,g_source_attach,g_source_unref,VMTools_NewHandleSource,g_source_set_callback,g_main_loop_get_context,g_source_attach,g_source_unref,SetConsoleCtrlHandler,GetLastError,GetCurrentProcess,SetPriorityClass,GetCurrentThread,SetThreadPriority,SetEvent,SetConsoleCtrlHandler,FreeSid,LocalFree,free,

0_2_00071880

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

0_2_00071880

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe

Code function: 0_2_000765D8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_000765D8

Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Code function: 0_2_00072AE0 GuestApp_GetInstallPath,g_strdup_printf,vm_free,g_ptr_array_new,g_strdup_printf,g_file_test_utf8,g_strdup_printf,g_file_test_utf8,g_file_test_utf8,g_ptr_array_new,g_log,g_module_close,g_module_error,g_free,g_free,g_module_make_resident,g_ptr_array_add,VMTools_BindTextDomain,g_module_close,g_module_error,g_free,g_free,g_malloc,VMTools_BindTextDomain,g_ptr_array_add,g_ptr_array_free,g_free,		0_2_00072AE0
Source: C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe	Code function: 0_2_00071530 __ehhandler$?_Init@?$numpunct@_W@std@@IAEXABV_Locinfo@2@_N@Z,memset,SetErrorMode,Unicode_InitW,setlocale,VMTools_ConfigLogging,VMTools_BindTextDomain,g_str_has_prefix,VMTools_AttachConsole,CodeSet_Utf8ToUtf16le,CodeSet_Utf8ToUtf16le,vm_free,??2@YAPAXI@Z,vm_free,vm_free,??2@YAPAXI@Z,		0_2_00071530

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	14 Windows Service	14 Windows Service	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Service Execution	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Notificacion_juzgadoPdf.exe	0%	ReversingLabs
Notificacion_juzgadoPdf.exe	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.vmware.com/0	Notificacion_juzgadoPdf.exe	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	Notificacion_juzgadoPdf.exe	false		high
http://ocsp.thawte.com0	Notificacion_juzgadoPdf.exe	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428605
Start date and time:	2024-04-19 10:00:41 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Notificacion_juzgadoPdf.exe
Detection:	SUS
Classification:	sus25.evad.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 60
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Notificacion_juzgadoPdf.exe, PID 5632 because there are no executed function

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.603701690598596
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Notificacion_juzgadoPdf.exe
File size:	64'704 bytes
MD5:	ae224c5e196ff381836c9e95deebb7d5
SHA1:	910446a2a0f4e53307b6fdeb1a3e236c929e2ef4
SHA256:	bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26
SHA512:	f845dbb13b04f76b6823bec48e1c47f96bcbd6d02a834c8b128ac750fe338b53f775ee2a8784e8c443d49dfcb918c5b9d59b5492a1fe18743b8ba65b7d12514c
SSDEEP:	1536:Wio8DVyYs7JZT0uPXn8OS6sIe3ekT5Z240jSZk:WkhyYIJZT0uPXn8OdsIe3c4Ql
TLSH:	8A537E52BA4400E1DCD049F0AA2597BA8EFEEE651FA4A0D74390F9580CF55FAD63870F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e&...HQ..HQ..HQ?K.Q..HQ.\|.Q..HQ.\|.Q..HQ..IQr.HQ.\|.Q..HQ.\|.Q..HQ.\|.Q..HQ...Q..HQ.\|.Q..HQRich..HQ........PE..L......W...........

File Icon


Icon Hash:	ffbfa9a9aaaabd55

Static PE Info

General

Entrypoint:	0x4061e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x57ECBDC2 [Thu Sep 29 07:07:46 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	8e149a2ff051703c4fba168a5a92f52d

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	17/10/2013 02:00:00 16/11/2016 00:59:59
Subject Chain	CN="VMware, Inc.", OU=Digital ID Class 3 - Microsoft Software Validation v2, O="VMware, Inc.", L=Palo Alto, S=California, C=US
Version:	3
Thumbprint MD5:	31E7FB307B9796C0A2B1963C4441488B
Thumbprint SHA-1:	968970C359F148B1F3670A41C48B4DC47B1478A9
Thumbprint SHA-256:	E0EE6CB3E8F109F9196F74619C60831E68CC516D8B56BD50CB3DE83C994FEFD8
Serial:	4451AD3717CFA22371FFBC07DF13E65D

Entrypoint Preview

Instruction
call 00007FBC0982F278h
jmp 00007FBC0982EC24h
jmp dword ptr [00407164h]
cmp ecx, dword ptr [0040B068h]
jne 00007FBC0982EE84h
rep ret
jmp 00007FBC0982F2F4h
mov edi, edi
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000002h
push edi
mov edi, ecx
je 00007FBC0982EEA7h
push esi
push 00406866h
lea esi, dword ptr [edi-04h]
push dword ptr [esi]
push 0000000Ch
push edi
call 00007FBC0982F437h
test byte ptr [ebp+08h], 00000001h
je 00007FBC0982EE89h
push esi
call 00007FBC0982EEA5h
pop ecx
mov eax, esi
pop esi
jmp 00007FBC0982EE96h
call 00007FBC0982F4B4h
test byte ptr [ebp+08h], 00000001h
je 00007FBC0982EE89h
push edi
call 00007FBC0982EE8Eh
pop ecx
mov eax, edi
pop edi
pop ebp
retn 0004h
int3
jmp dword ptr [0040715Ch]
jmp dword ptr [00407158h]
jmp dword ptr [00407150h]
jmp dword ptr [0040713Ch]
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007FBC0982EEACh
cmp dword ptr [eax+10h], 03h
jne 00007FBC0982EEA6h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007FBC0982EE97h
cmp eax, 19930521h
je 00007FBC0982EE90h
cmp eax, 19930522h
je 00007FBC0982EE89h
cmp eax, 01994000h
jne 00007FBC0982EE87h
call 00007FBC0982F41Bh
xor eax, eax
pop ebp
retn 0004h
push 00000064h

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x930c	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x3288	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xde00	0x1ec0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0x8b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7410	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9018	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x3f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c11	0x5e00	47c9b747e9634bbb313400c28cb0dc35	False	0.5442985372340425	data	6.1827115862778195	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x3b50	0x3c00	e61832c05989e5067e3aa7bba37b46a9	False	0.402734375	data	5.304455430423138	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x44c	0x200	589ac884c171bd64bc022f15c6f40cc7	False	0.1796875	data	1.544944190184897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc000	0x3288	0x3400	9721aeeca4db61f9788affc37fd611c8	False	0.2841045673076923	data	5.799076947787685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x9c0	0xa00	7342135eb256f499f778604405cc6a34	False	0.765234375	data	6.285100382095465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc178	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.23817427385892115
RT_MESSAGETABLE	0xe720	0x2c8	Matlab v4 mat-file (little endian) T, text, rows 100, columns 109, imaginary	English	United States	0.3539325842696629
RT_GROUP_ICON	0xe9e8	0x14	data			1.15
RT_VERSION	0xe9fc	0x31c	data	English	United States	0.4685929648241206
RT_MANIFEST	0xed18	0x56d	ASCII text, with very long lines (1389), with no line terminators	English	United States	0.44204463642908565

Imports

DLL	Import
ADVAPI32.dll	FreeSid, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetEntriesInAclW, AllocateAndInitializeSid, CloseServiceHandle, OpenServiceW, OpenSCManagerW, DeleteService, ReportEventW, RegisterEventSourceW, SetServiceStatus, DeregisterEventSource, RegCloseKey, RegSetValueExW, RegCreateKeyW, CreateServiceW, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW
ole32.dll	CoUninitialize
USER32.dll	UnregisterClassW, UnregisterDeviceNotification, RegisterDeviceNotificationW, MessageBoxW, RegisterClassW, GetDesktopWindow, CreateWindowExW, SetWindowLongW, GetWindowLongW, DefWindowProcW, PeekMessageW, TranslateMessage, DispatchMessageW, DestroyWindow
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
MSVCR90.dll	_cexit, _exit, _XcptFilter, __winitenv, _initterm, _initterm_e, _configthreadlocale, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, _encode_pointer, __set_app_type, ?terminate@@YAXXZ, _unlock, __dllonexit, _lock, _onexit, _decode_pointer, _except_handler4_common, _invoke_watson, _controlfp_s, _crt_debugger_hook, ?_type_info_dtor_internal_method@type_info@@QAEXXZ, _purecall, wprintf, _wcsicmp, malloc, free, memset, setlocale, ??2@YAPAXI@Z, ??3@YAXPAX@Z, exit, __CxxFrameHandler3, __wgetmainargs, _amsg_exit
intl.dll	libintl_gettext
glib-2.0.dll	g_strdup, g_str_has_suffix, g_dir_read_name_utf8, g_ptr_array_new, g_dir_open_utf8, g_malloc0, g_strdup_printf, g_ptr_array_remove_index, g_array_free, g_thread_join, g_queue_remove, g_thread_functions_for_glib_use, g_idle_add_full, g_ptr_array_remove, g_free, g_thread_pool_push, g_queue_push_head, g_queue_delete_link, g_queue_find_custom, g_thread_create_full, g_queue_new, g_thread_pool_set_max_unused_threads, g_thread_pool_set_max_idle_time, g_thread_pool_new, g_malloc, g_queue_free, g_ptr_array_add, g_print, g_printerr, g_win32_error_message, g_option_context_free, g_option_context_parse, g_option_group_set_error_hook, g_option_context_get_main_group, g_option_context_add_main_entries, g_option_context_set_summary, g_option_context_new, g_key_file_get_boolean, g_ptr_array_free, g_array_append_vals, g_queue_pop_tail, g_log, g_clear_error, g_main_loop_run, g_source_remove, g_timeout_add, g_threads_got_initialized, g_main_context_default, g_main_loop_new, g_main_context_unref, g_key_file_new, g_key_file_free, g_dir_close, g_ptr_array_sort, g_thread_pool_free, g_file_test_utf8, g_idle_add, g_source_set_callback, g_main_loop_get_context, g_source_attach, g_source_unref, g_str_has_prefix, g_main_loop_is_running, g_main_loop_quit, g_logv, g_key_file_get_integer, g_main_loop_unref, g_array_new
gmodule-2.0.dll	g_module_symbol, g_module_open_utf8, g_module_error, g_module_make_resident, g_module_close
gobject-2.0.dll	g_signal_emit_by_name, g_object_unref, g_object_set, g_object_new, g_type_init, g_signal_connect_data, g_signal_lookup, g_signal_parse_name, g_value_set_boolean, g_value_get_boolean, g_value_set_pointer, g_value_get_pointer, g_value_set_uint, g_value_get_uint, g_object_notify, g_type_check_instance_cast, g_type_register_static, g_type_check_class_cast, g_cclosure_marshal_VOID__POINTER, g_signal_new, g_type_class_peek_parent, g_object_class_install_property, g_param_spec_pointer, g_value_peek_pointer
gthread-2.0.dll	g_thread_init
vmtools.dll	RpcChannel_New, GuestApp_GetConfPath, StrUtil_GetNextToken, RpcChannel_SetRetVals, RpcChannel_Send, Str_SafeAsprintf, RpcOut_sendOne, VMTools_GetString, GuestApp_GetInstallPath, RpcChannel_RegisterCallback, RpcChannel_Start, VMTools_SuspendLogIO, VMTools_ResumeLogIO, VMTools_LoadConfig, VMTools_NewHandleSource, Unicode_InitW, VMTools_ConfigLogging, VMTools_BindTextDomain, VMTools_AttachConsole, CodeSet_Utf8ToUtf16le, RpcChannel_Stop, RpcChannel_Destroy, Str_SafeVaswprintf, Str_Aswprintf, vm_free, Hostinfo_GetOSType, RpcChannel_Setup, Panic, Str_Vaswprintf, Str_Snwprintf, VmCheck_IsVirtualWorld, Str_Wcscpy, Str_Vasprintf
KERNEL32.dll	IsDebuggerPresent, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, SetUnhandledExceptionFilter, InterlockedCompareExchange, Sleep, InterlockedExchange, LocalAlloc, LoadLibraryW, GetProcAddress, FreeLibrary, OutputDebugStringA, OutputDebugStringW, GetModuleFileNameW, OpenEventW, WaitForSingleObject, GetLastError, GetModuleHandleW, CreateEventW, SetConsoleCtrlHandler, GetCurrentProcess, SetPriorityClass, GetCurrentThread, SetThreadPriority, LocalFree, SetErrorMode, SetEvent, CloseHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	10:01:24
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Notificacion_juzgadoPdf.exe"
Imagebase:	0x70000
File size:	64'704 bytes
MD5 hash:	AE224C5E196FF381836C9E95DEEBB7D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00073AC0 Relevance: 152.6, APIs: 41, Strings: 46, Instructions: 373COMMON

Download Yara Rule

APIs

VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.name)Name of the service being started.,00000001,?), ref: 00073B0E
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.name.argument)svcname,vmtoolsd,@&!*@*@(cmdline.name)Name of the service being started.,00000001,?), ref: 00073B23
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.commonpath)Path to the common plugin directory.,vmtoolsd,@&!*@*@(cmdline.name.argument)svcname,vmtoolsd,@&!*@*@(cmdline.name)Name of the service being started.,00000001,?), ref: 00073B62
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.commonpath)Path to the common plugin directory.,vmtoolsd,@&!*@*@(cmdline.name.argument)svcname,vmtoolsd,@&!*@*@(cmdline.name)Name of the service being started.,00000001,?), ref: 00073B77
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.pluginpath)Path to the plugin directory.,vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.commonpath)Path to the common plugin directory.,vmtoolsd,@&!*@*@(cmdline.name.argument)svcname,vmtoolsd,@&!*@*@(cmdline.name)Name of the service being started.,00000001,?), ref: 00073BB2
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.pluginpath)Path to the plugin directory.,vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.commonpath)Path to the common plugin directory.,vmtoolsd,@&!*@*@(cmdline.name.argument)svcname,vmtoolsd,@&!*@*@(cmdline.name)Name of the service being started.,00000001,?), ref: 00073BC7
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.rpc)Sends an RPC command to the host and exits.,vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.pluginpath)Path to the plugin directory.,vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.commonpath)Path to the common plugin directory.,vmtoolsd,@&!*@*@(cmdline.name.argument)svcname,vmtoolsd,@&!*@*@(cmdline.name)Name of the service being started.,00000001,?), ref: 00073C06
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.rpc.command)command,vmtoolsd,@&!*@*@(cmdline.rpc)Sends an RPC command to the host and exits.,vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.pluginpath)Path to the plugin directory.,vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.commonpath)Path to the common plugin directory.,vmtoolsd,@&!*@*@(cmdline.name.argument)svcname,vmtoolsd,@&!*@*@(cmdline.name)Name of the service being started.), ref: 00073C1B
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs.,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00073C59
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.kill)Stops a running instance of a tools service.,vmtoolsd,@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs.), ref: 00073C9A
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.install)Installs the service with the Service Control Manager.,vmtoolsd,@&!*@*@(cmdline.kill)Stops a running instance of a tools service.,vmtoolsd,@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs.), ref: 00073CE4
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.install.args)args,vmtoolsd,@&!*@*@(cmdline.install)Installs the service with the Service Control Manager.,vmtoolsd,@&!*@*@(cmdline.kill)Stops a running instance of a tools service.,vmtoolsd,@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs.), ref: 00073CF9
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.uninstall)Uninstalls the service from the Service Control Manager.,vmtoolsd,@&!*@*@(cmdline.install.args)args,vmtoolsd,@&!*@*@(cmdline.install)Installs the service with the Service Control Manager.,vmtoolsd,@&!*@*@(cmdline.kill)Stops a running instance of a tools service.,vmtoolsd,@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs.), ref: 00073D3D
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.displayname)Service display name (only used with -i).,vmtoolsd,@&!*@*@(cmdline.uninstall)Uninstalls the service from the Service Control Manager.,vmtoolsd,@&!*@*@(cmdline.install.args)args,vmtoolsd,@&!*@*@(cmdline.install)Installs the service with the Service Control Manager.,vmtoolsd,@&!*@*@(cmdline.kill)Stops a running instance of a tools service.,vmtoolsd,@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs.), ref: 00073D82
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.displayname.argument)name,vmtoolsd,@&!*@*@(cmdline.displayname)Service display name (only used with -i).,vmtoolsd,@&!*@*@(cmdline.uninstall)Uninstalls the service from the Service Control Manager.,vmtoolsd,@&!*@*@(cmdline.install.args)args,vmtoolsd,@&!*@*@(cmdline.install)Installs the service with the Service Control Manager.,vmtoolsd,@&!*@*@(cmdline.kill)Stops a running instance of a tools service.,vmtoolsd,@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs.), ref: 00073D97
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.config)Uses the config file at the given path.,vmtoolsd,@&!*@*@(cmdline.displayname.argument)name,vmtoolsd,@&!*@*@(cmdline.displayname)Service display name (only used with -i).,vmtoolsd,@&!*@*@(cmdline.uninstall)Uninstalls the service from the Service Control Manager.,vmtoolsd,@&!*@*@(cmdline.install.args)args,vmtoolsd,@&!*@*@(cmdline.install)Installs the service with the Service Control Manager.,vmtoolsd,@&!*@*@(cmdline.kill)Stops a running instance of a tools service.,vmtoolsd,@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs.), ref: 00073DD2
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.path)path), ref: 00073DEA
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.debug)Runs in debug mode, using the given plugin.,vmtoolsd,@&!*@*@(cmdline.path)path), ref: 00073E1C
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.debug)Runs in debug mode, using the given plugin.,vmtoolsd,@&!*@*@(cmdline.path)path), ref: 00073E2E
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.log)Ignored, kept for backwards compatibility.,vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.debug)Runs in debug mode, using the given plugin.,vmtoolsd,@&!*@*@(cmdline.path)path), ref: 00073E5A
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.version)Prints the daemon version and exits.,vmtoolsd,@&!*@*@(cmdline.log)Ignored, kept for backwards compatibility.,vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.debug)Runs in debug mode, using the given plugin.,vmtoolsd,@&!*@*@(cmdline.path)path), ref: 00073E86
Str_SafeAsprintf.VMTOOLS(00000000,00077FB4,?,vmtoolsd,@&!*@*@(cmdline.version)Prints the daemon version and exits.,vmtoolsd,@&!*@*@(cmdline.log)Ignored, kept for backwards compatibility.,vmtoolsd,@&!*@*@(cmdline.path)path,vmtoolsd,@&!*@*@(cmdline.debug)Runs in debug mode, using the given plugin.,vmtoolsd,@&!*@*@(cmdline.path)path), ref: 00073EB7
Str_SafeAsprintf.VMTOOLS(00000000,%s %s,00000000), ref: 00073EE4
free.MSVCR90(?,00000000,%s %s,00000000), ref: 00073EF0
g_option_context_new.GLIB-2.0(00000000), ref: 00073F00
g_option_context_set_summary.GLIB-2.0(00000000,Runs the VMware Tools daemon.,00000000), ref: 00073F10
g_option_context_add_main_entries.GLIB-2.0(00000000,00078500,00000000,00000000,Runs the VMware Tools daemon.,00000000), ref: 00073F1E
g_option_context_get_main_group.GLIB-2.0(00000000,!0), ref: 00073F2C
g_option_group_set_error_hook.GLIB-2.0(00000000,!0), ref: 00073F35
g_option_context_parse.GLIB-2.0(00000000,?,000716D1,?,00000000,!0), ref: 00073F47
g_printerr.GLIB-2.0(%s: %s,Command line parsing failed,?), ref: 00073F64
libintl_gettext.INTL(VMware Tools daemon, version,10.0.12.325,build-4448491), ref: 00073F85
g_print.GLIB-2.0(%s %s (%s),00000000), ref: 00073F94
exit.MSVCR90 ref: 00073F9D
g_printerr.GLIB-2.0(%s is an invalid container name.), ref: 00073FF1
g_log.GLIB-2.0(vmtoolsd,00000040,CmdLine: "%s",?,?,00000001), ref: 00074052
exit.MSVCR90 ref: 00074075
exit.MSVCR90 ref: 00074096
free.MSVCR90(?), ref: 000740A7
g_clear_error.GLIB-2.0(?), ref: 000740B1
g_option_context_free.GLIB-2.0(?,?), ref: 000740B7

Strings

!0, xrefs: 00073F26
%s %s, xrefs: 00073EDB
@&!*@*@(cmdline.rpc)Sends an RPC command to the host and exits., xrefs: 00073BCC
@&!*@*@(cmdline.log)Ignored, kept for backwards compatibility., xrefs: 00073E39
@&!*@*@(cmdline.pluginpath)Path to the plugin directory., xrefs: 00073B7F
vmsvc, xrefs: 00073FA9, 00074001
@&!*@*@(cmdline.displayname.argument)name, xrefs: 00073D87
vmtoolsd, xrefs: 00073AD6, 00073B18, 00073B3B, 00073B6C, 00073B84, 00073BBC, 00073BD1, 00073C10, 00073C2B, 00073C8F, 00073CA4, 00073CEE, 00073D03, 00073D4A, 00073D8C, 00073DA4, 00073DDF, 00073DFD, 00073E26, 00073E3E, 00073E67, 0007404D
@&!*@*@(cmdline.install)Installs the service with the Service Control Manager., xrefs: 00073C9F
@&!*@*@(cmdline.rpc.command)command, xrefs: 00073C0B
CmdLine: "%s", xrefs: 00074046
%S\VMwareToolsQuitEvent_%s, xrefs: 00074061
debug, xrefs: 00073E02
@&!*@*@(cmdline.kill)Stops a running instance of a tools service., xrefs: 00073C8A
@&!*@*@(cmdline.debug)Runs in debug mode, using the given plugin., xrefs: 00073DF8
v, xrefs: 00073E79
d, xrefs: 00073D65
build-4448491, xrefs: 00073F76
@&!*@*@(cmdline.name)Name of the service being started., xrefs: 00073AD1
%s: %s, xrefs: 00073F5F
%s %s (%s), xrefs: 00073F8F
VMware Tools daemon, version, xrefs: 00073F80
k, xrefs: 00073C74
%S\VMwareToolsDumpStateEvent_%s, xrefs: 00074082
@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs., xrefs: 00073C26
10.0.12.325, xrefs: 00073F7B
g, xrefs: 00073E0C
@&!*@*@(cmdline.version)Prints the daemon version and exits., xrefs: 00073E62
@&!*@*@(cmdline.name.argument)svcname, xrefs: 00073B13
c, xrefs: 00073DB9
common, xrefs: 00073FBB
l, xrefs: 00073E4D
Command line parsing failed, xrefs: 00073F5A
Runs the VMware Tools daemon., xrefs: 00073F07
p, xrefs: 00073B99
i, xrefs: 00073CBF
%s is an invalid container name., xrefs: 00073FEC
n, xrefs: 00073AF1
@&!*@*@(cmdline.displayname)Service display name (only used with -i)., xrefs: 00073D45
u, xrefs: 00073D18
s, xrefs: 00073C40
@&!*@*@(cmdline.path)path, xrefs: 00073B67, 00073BB7, 00073DDA, 00073E21
@&!*@*@(cmdline.install.args)args, xrefs: 00073CE9
@&!*@*@(cmdline.config)Uses the config file at the given path., xrefs: 00073D9F
@&!*@*@(cmdline.uninstall)Uninstalls the service from the Service Control Manager., xrefs: 00073CFE
@&!*@*@(cmdline.commonpath)Path to the common plugin directory., xrefs: 00073B31

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: StringTools_$exit$AsprintfSafeStr_freeg_printerr.$g_clear_error.g_log.g_option_context_add_main_entries.g_option_context_free.g_option_context_get_main_group.g_option_context_new.g_option_context_parse.g_option_context_set_summary.g_option_group_set_error_hook.g_print.libintl_gettext
String ID: %S\VMwareToolsDumpStateEvent_%s$%S\VMwareToolsQuitEvent_%s$%s %s$%s %s (%s)$%s is an invalid container name.$%s: %s$10.0.12.325$@&!*@*@(cmdline.commonpath)Path to the common plugin directory.$@&!*@*@(cmdline.config)Uses the config file at the given path.$@&!*@*@(cmdline.debug)Runs in debug mode, using the given plugin.$@&!*@*@(cmdline.displayname)Service display name (only used with -i).$@&!*@*@(cmdline.displayname.argument)name$@&!*@*@(cmdline.install)Installs the service with the Service Control Manager.$@&!*@*@(cmdline.install.args)args$@&!*@*@(cmdline.kill)Stops a running instance of a tools service.$@&!*@*@(cmdline.log)Ignored, kept for backwards compatibility.$@&!*@*@(cmdline.name)Name of the service being started.$@&!*@*@(cmdline.name.argument)svcname$@&!*@*@(cmdline.path)path$@&!*@*@(cmdline.pluginpath)Path to the plugin directory.$@&!*@*@(cmdline.rpc)Sends an RPC command to the host and exits.$@&!*@*@(cmdline.rpc.command)command$@&!*@*@(cmdline.state)Dumps the internal state of a running service instance to the logs.$@&!*@*@(cmdline.uninstall)Uninstalls the service from the Service Control Manager.$@&!*@*@(cmdline.version)Prints the daemon version and exits.$CmdLine: "%s"$Command line parsing failed$Runs the VMware Tools daemon.$VMware Tools daemon, version$build-4448491$c$common$d$debug$g$i$k$l$n$p$s$u$v$vmsvc$vmtoolsd$!0
API String ID: 701979547-3473466427
Opcode ID: e8a0f8a5b00491ad6715aeaef64794142877fd95738c35675fe782742ec5dc57
Instruction ID: 8a4115bc4ee0a7c1a21e09c5400bc22b5be1374218f7a9afc26d6c8469b7720a
Opcode Fuzzy Hash: e8a0f8a5b00491ad6715aeaef64794142877fd95738c35675fe782742ec5dc57
Instruction Fuzzy Hash: E1F160B0E44318ABDB60DF64CC45BDDBBB4BB05700F40C199E24DAB242DBBD4A948F59

Uniqueness

Uniqueness Score: -1.00%

Function 00071880 Relevance: 115.9, APIs: 54, Strings: 12, Instructions: 372memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00071902
GetLastError.KERNEL32 ref: 0007190C
memset.MSVCR90 ref: 00071920
SetEntriesInAclW.ADVAPI32(00000001,?,?,?), ref: 0007195A
malloc.MSVCR90 ref: 0007196C
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00071983
GetLastError.KERNEL32 ref: 0007198D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000719A5
GetLastError.KERNEL32 ref: 000719AF
FreeSid.ADVAPI32(?,?,00000000), ref: 00071CED
LocalFree.KERNEL32(?,?,00000000), ref: 00071CF7
free.MSVCR90(?,?,00000000), ref: 00071D01

Strings

%S\VMwareToolsDumpStateEvent_%s, xrefs: 00071B15
Named event for 'QuitEvent' already exists. Exiting., xrefs: 00071AF6
%S\VMwareToolsQuitEvent_%s, xrefs: 00071A98
?, xrefs: 0007193C
Failed to set console control handler: %u, xrefs: 00071C7C
vmtoolsdControlWndClass, xrefs: 00071A04, 00071A2F
vmtoolsdControlWndTitle, xrefs: 00071A2A
Local, xrefs: 000718B0
Out of memory!, xrefs: 00071B29
Global, xrefs: 000718A5, 00071A97, 00071B14
Named event for 'DumpEvent' already exists. Exiting., xrefs: 00071B89
Failed to create control window: %u, xrefs: 00071A4E

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: ErrorLast$DescriptorFreeInitializeSecurity$AllocateDaclEntriesLocalfreemallocmemset
String ID: %S\VMwareToolsDumpStateEvent_%s$%S\VMwareToolsQuitEvent_%s$?$Failed to create control window: %u$Failed to set console control handler: %u$Global$Local$Named event for 'DumpEvent' already exists. Exiting.$Named event for 'QuitEvent' already exists. Exiting.$Out of memory!$vmtoolsdControlWndClass$vmtoolsdControlWndTitle
API String ID: 1240130137-3986172098
Opcode ID: c0af6319b2cf645438279e755c0e2b452f370544f7715b3ec83ef30901b32baf
Instruction ID: 470f585f02796ef00b202783e815faa690a5d4e028da15e7a063a06d2f2f573c
Opcode Fuzzy Hash: c0af6319b2cf645438279e755c0e2b452f370544f7715b3ec83ef30901b32baf
Instruction Fuzzy Hash: 7FC198B1D04305AFE7109FA88C85AFF77B9BB44344F148428F60EA7282DB7D9945CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00072AE0 Relevance: 63.2, APIs: 27, Strings: 9, Instructions: 228COMMON

Download Yara Rule

APIs

GuestApp_GetInstallPath.VMTOOLS(00000000,00071CC1,00000000), ref: 00072AF0
g_strdup_printf.GLIB-2.0(%s%cplugins,00000000,0000005C,00000000,00071CC1,00000000), ref: 00072AFF
vm_free.VMTOOLS(00000000,%s%cplugins,00000000,0000005C,00000000,00071CC1,00000000), ref: 00072B0A
g_ptr_array_new.GLIB-2.0(?,00000000,00071CC1,00000000), ref: 00072B12
g_strdup_printf.GLIB-2.0(%s%s%c%s,00000000,0007760F,0000005C,common,?,00000000,00071CC1,00000000), ref: 00072B3C
g_file_test_utf8.GLIB-2.0(?,00000004,?,?,?,00000000,00071CC1,00000000), ref: 00072B4D
g_strdup_printf.GLIB-2.0(%s%s%c%s,00000000,0007760F,0000005C,00000000,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072B84
g_file_test_utf8.GLIB-2.0(?,00000004,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072B95

Part of subcall function 000728D0: g_dir_open_utf8.GLIB-2.0(?,00000000,00072BF4,00000000,00000000,?,?,00072BF4,?,00000000), ref: 000728E6

g_file_test_utf8.GLIB-2.0(?,00000004,?,00000000,00071CC1,00000000), ref: 00072BC0
g_ptr_array_new.GLIB-2.0(?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072BFF
g_log.GLIB-2.0(vmtoolsd,00000040,Plugin '%s' didn't provide deployment data, unloading.,00000000,?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072C39
g_module_close.GMODULE-2.0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072C49
g_module_error.GMODULE-2.0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072C55
g_free.GLIB-2.0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072C6E
g_free.GLIB-2.0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00071CC1), ref: 00072C74
g_module_make_resident.GMODULE-2.0(?,?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072C88
g_ptr_array_add.GLIB-2.0(?,00000000,?,?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072C92
VMTools_BindTextDomain.VMTOOLS(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00071CC1), ref: 00072CA1

Part of subcall function 000723A0: g_logv.GLIB-2.0(vmtoolsd,00000020,00000000,00000000,?,0007273E,Cannot find provider for app type %d, plugin %s may not work.,F7C033E4,00000000,00000000,?,000723C0,?), ref: 000723B2

g_module_close.GMODULE-2.0(?,?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072CCF
g_module_error.GMODULE-2.0(?,?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072CDB
g_free.GLIB-2.0(?,?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072CF4
g_free.GLIB-2.0(00000000,?,?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072CFA
g_malloc.GLIB-2.0(00000010,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072D18
VMTools_BindTextDomain.VMTOOLS(?,00000000,00000000,00000010,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072D36
g_ptr_array_add.GLIB-2.0(?,00000000,?,00000000,00000000,00000010,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072D40

Part of subcall function 000728D0: g_ptr_array_new.GLIB-2.0(00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 00072911
Part of subcall function 000728D0: g_dir_read_name_utf8.GLIB-2.0(00000000,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 0007291C
Part of subcall function 000728D0: g_str_has_suffix.GLIB-2.0(00000000,.dll,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 00072936
Part of subcall function 000728D0: g_strdup.GLIB-2.0(00000000,?,?,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 00072943
Part of subcall function 000728D0: g_ptr_array_add.GLIB-2.0(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 0007294A
Part of subcall function 000728D0: g_dir_read_name_utf8.GLIB-2.0(00000000,?,?,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 00072953
Part of subcall function 000728D0: g_dir_close.GLIB-2.0(00000000,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 00072962
Part of subcall function 000728D0: g_ptr_array_sort.GLIB-2.0(00000000,00072890,00000000,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 0007296D
Part of subcall function 000728D0: g_strdup_printf.GLIB-2.0(%s%c%s,?,0000005C,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00072BF4,?), ref: 0007299E
Part of subcall function 000728D0: g_file_test_utf8.GLIB-2.0(00000000,00000001,%s%c%s,?,0000005C,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00072BF4), ref: 000729A9
Part of subcall function 000728D0: g_free.GLIB-2.0(?), ref: 00072A3E
Part of subcall function 000728D0: g_module_close.GMODULE-2.0(00000000), ref: 00072A4F
Part of subcall function 000728D0: g_module_error.GMODULE-2.0 ref: 00072A5B
Part of subcall function 000728D0: g_ptr_array_free.GLIB-2.0(00000000,00000001,?,?,?,00000000,?,00000000,00000000,?,?,00072BF4,?), ref: 00072A87

g_ptr_array_free.GLIB-2.0(00000000,00000001,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072D5C
g_free.GLIB-2.0(?,?,?,?,?,?,?,?,00000000,00071CC1,00000000), ref: 00072D65

Strings

%s%s%c%s, xrefs: 00072B37, 00072B7F
Plugin '%s' initialized., xrefs: 00072CAC
Plugin path is not a directory: %s, xrefs: 00072BAB
Error unloading plugin '%s': %s, xrefs: 00072C5E, 00072CE4
Plugin '%s' didn't provide deployment data, unloading., xrefs: 00072C2D
%s%cplugins, xrefs: 00072AFA
vmtoolsd, xrefs: 00072C34
common, xrefs: 00072B2A
Common plugin path is not a directory: %s, xrefs: 00072BD4

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_free.$g_file_test_utf8.g_strdup_printf.$g_module_close.g_module_error.g_ptr_array_add.g_ptr_array_new.$BindDomainTextTools_g_dir_read_name_utf8.g_ptr_array_free.$App_GuestInstallPathg_dir_close.g_dir_open_utf8.g_log.g_logv.g_malloc.g_module_make_resident.g_ptr_array_sort.g_str_has_suffix.g_strdup.vm_free
String ID: %s%cplugins$%s%s%c%s$Common plugin path is not a directory: %s$Error unloading plugin '%s': %s$Plugin '%s' didn't provide deployment data, unloading.$Plugin '%s' initialized.$Plugin path is not a directory: %s$common$vmtoolsd
API String ID: 2583084313-4043991206
Opcode ID: f4ce28afdfbee300fb32da96cacd8eccd7d88d2f6bbc08d3e462674b62454c5f
Instruction ID: 1ebede4b90718025b4cf73b95b5fef4d75d1c513f7389a95391b1d24fb6669fc
Opcode Fuzzy Hash: f4ce28afdfbee300fb32da96cacd8eccd7d88d2f6bbc08d3e462674b62454c5f
Instruction Fuzzy Hash: AF7176B1E006017BD760AB65CC42FAA73A8AF14740F04C528F94D5B643E77EED508BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00075B20 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 184serviceregistryCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,00000000,00000000), ref: 00075B44
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000,00000000), ref: 00075B68
Str_Aswprintf.VMTOOLS(00000000,"%S" %S,?,00071216,?,00000000,00000000), ref: 00075B81
Str_Aswprintf.VMTOOLS(00000000,"%S",?,?,00000000,00000000), ref: 00075B99
Panic.VMTOOLS(VERIFY %s:%d,d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp,0000017D,?,00000000,00000000), ref: 00075BB6
CreateServiceW.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00075BDD
free.MSVCR90(00000000,?,00000000,00000000), ref: 00075BE6
CloseServiceHandle.ADVAPI32(?,?,?,00000000,00000000), ref: 00075BFA
Str_Snwprintf.VMTOOLS(?,000000FF,SYSTEM\CurrentControlSet\Services\EventLog\Application\%S,?,?,?,00000000,00000000), ref: 00075C54
RegCreateKeyW.ADVAPI32(80000002,?,00000000), ref: 00075C6F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 00075C80
CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00075C89
RegSetValueExW.ADVAPI32(00000000,EventMessageFile,00000000,00000002,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00075CE1
RegSetValueExW.ADVAPI32(00000000,TypesSupported,00000000,00000004,?,00000004,?,?,?,?,?,?,00000000,00000000), ref: 00075D06
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 00075D0F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 00075D31
CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00075D3A

Strings

VERIFY %s:%d, xrefs: 00075BB1
"%S" %S, xrefs: 00075B7A
EventMessageFile, xrefs: 00075CDB
TypesSupported, xrefs: 00075CF6
SYSTEM\CurrentControlSet\Services\EventLog\Application\%S, xrefs: 00075C39
"%S", xrefs: 00075B92
d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp, xrefs: 00075BAC

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: CloseService$Handle$Str_$AswprintfCreateValue$FileManagerModuleNameOpenPanicSnwprintffree
String ID: "%S"$"%S" %S$EventMessageFile$SYSTEM\CurrentControlSet\Services\EventLog\Application\%S$TypesSupported$VERIFY %s:%d$d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp
API String ID: 498066331-3437903475
Opcode ID: 8b150bef1618870fba44417f9224817144f845352be6dd0e506ee0eb9e29a691
Instruction ID: d6fb1b01609e44c4e74b5eb69a61a222d7f0815afb0c0a9324145fda01b69be5
Opcode Fuzzy Hash: 8b150bef1618870fba44417f9224817144f845352be6dd0e506ee0eb9e29a691
Instruction Fuzzy Hash: D8514BB1E40318ABD720DB54DC46FEA73B8EB44701F40C5A9F70DA71C1DBB95A848BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00071530 Relevance: 37.0, APIs: 15, Strings: 6, Instructions: 292COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 00071566
SetErrorMode.KERNEL32(00000001), ref: 00071570
Unicode_InitW.VMTOOLS(?,?,00000000,?,00000000), ref: 00071586
setlocale.MSVCR90 ref: 00071592
VMTools_ConfigLogging.VMTOOLS(vmtoolsd,00000000,00000000,00000000), ref: 000715A3
VMTools_BindTextDomain.VMTOOLS(vmtoolsd,00000000,00000000,vmtoolsd,00000000,00000000,00000000), ref: 000715B1
g_str_has_prefix.GLIB-2.0(?,--help), ref: 000716A3
VMTools_AttachConsole.VMTOOLS ref: 000716BB
CodeSet_Utf8ToUtf16le.VMTOOLS(?,?,?,00000000), ref: 00071701
CodeSet_Utf8ToUtf16le.VMTOOLS(?,?,?,00000000), ref: 00071754
vm_free.VMTOOLS(?,Cannot convert to UTF16: %s,?), ref: 0007176F
??2@YAPAXI@Z.MSVCR90 ref: 0007177E
vm_free.VMTOOLS(?), ref: 000717B8
vm_free.VMTOOLS(?,?), ref: 000717C1
??2@YAPAXI@Z.MSVCR90 ref: 000717D0

Strings

VMTools, xrefs: 000717EF
--version, xrefs: 0007166D
VMware Tools Service, xrefs: 000717EA
Cannot convert to UTF16: %s, xrefs: 00071711, 00071761
vmtoolsd, xrefs: 0007159E, 000715AC
--help, xrefs: 0007169D

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Tools_vm_free$??2@CodeSet_Utf16leUtf8$AttachBindConfigConsoleDomainErrorInitLoggingModeTextUnicode_g_str_has_prefix.memsetsetlocale
String ID: --help$--version$Cannot convert to UTF16: %s$VMTools$VMware Tools Service$vmtoolsd
API String ID: 2608364553-420446370
Opcode ID: 65b0a9a6cac3837e673dc0842a28b5456637b39d4b40841e612a240646a11fea
Instruction ID: bcfbca7f7b417fb0034dae1ecb594df4f40980c520b486d1de9c37e31e83cafd
Opcode Fuzzy Hash: 65b0a9a6cac3837e673dc0842a28b5456637b39d4b40841e612a240646a11fea
Instruction Fuzzy Hash: 61915571E046046BDB20DF7C8C82BFA77B59F55340F18C258E94D9B2C2E63AD905C799

Uniqueness

Uniqueness Score: -1.00%

Function 00073910 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

VMTools_AttachConsole.VMTOOLS ref: 00073915
VmCheck_IsVirtualWorld.VMTOOLS ref: 0007391A
RpcOut_sendOne.VMTOOLS(?,00000000,00077FB4,?), ref: 00073939
g_printerr.GLIB-2.0(%s,00000000), ref: 00073959
g_print.GLIB-2.0(%s,00000000), ref: 00073969
vm_free.VMTOOLS(00000000), ref: 00073975
exit.MSVCR90 ref: 00073985
VMTools_GetString.VMTOOLS(vmtoolsd,@&!*@*@(cmdline.rpcerror)Unable to send command to VMware hypervisor.), ref: 00073995
g_printerr.GLIB-2.0(%s,00000000,vmtoolsd,@&!*@*@(cmdline.rpcerror)Unable to send command to VMware hypervisor.), ref: 000739A0
exit.MSVCR90 ref: 000739AA

Strings

NULL, xrefs: 0007394E, 00073953
@&!*@*@(cmdline.rpcerror)Unable to send command to VMware hypervisor., xrefs: 0007398B
vmtoolsd, xrefs: 00073990
%s, xrefs: 00073954, 00073964, 0007399B

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Tools_exitg_printerr.$AttachCheck_ConsoleOut_sendStringVirtualWorldg_print.vm_free
String ID: %s$@&!*@*@(cmdline.rpcerror)Unable to send command to VMware hypervisor.$NULL$vmtoolsd
API String ID: 3546223006-3697952442
Opcode ID: ab59b24925201de5a534fbe489bf4bda68b54c438fba093339686836cb31affe
Instruction ID: 9c5d0c4e2160b58fc617d8cf3b68a01c724cbf6e7ae52452ee476b57425e2106
Opcode Fuzzy Hash: ab59b24925201de5a534fbe489bf4bda68b54c438fba093339686836cb31affe
Instruction Fuzzy Hash: C9015BB0E48604B7E714A7A49E43FEE33589B41740F14C064F64EA6283D6FF5A14566E

Uniqueness

Uniqueness Score: -1.00%

Function 000733F0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

g_queue_find_custom.GLIB-2.0(00000000,?,Function_000030A0), ref: 0007344B
g_queue_delete_link.GLIB-2.0(00000000,00000000), ref: 00073460
g_source_remove.GLIB-2.0(?), ref: 00073493
g_free.GLIB-2.0(00000000), ref: 000734B1
g_log.GLIB-2.0(vmtoolsd,00000008,file %s: line %d: assertion `%s' failed,d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/threadPool.c,0000016D,id != 0), ref: 000734D9

Strings

file %s: line %d: assertion `%s' failed, xrefs: 000734CD
id != 0, xrefs: 000734BE
vmtoolsd, xrefs: 000734D4
d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/threadPool.c, xrefs: 000734C8

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_free.g_log.g_queue_delete_link.g_queue_find_custom.g_source_remove.
String ID: d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/threadPool.c$file %s: line %d: assertion `%s' failed$id != 0$vmtoolsd
API String ID: 2059732791-1535085077
Opcode ID: 9b140b012870f341b6d54a357c44f1291eb019308378750817aba4bc464b9208
Instruction ID: 87136ceaa37f0d4e10802e161fbffa189a5b71c25d9ba0bd09c5e5fb7acf76c8
Opcode Fuzzy Hash: 9b140b012870f341b6d54a357c44f1291eb019308378750817aba4bc464b9208
Instruction Fuzzy Hash: E82191B1E402049BE754DF68EC42AABB3E8AB44710B44C169ED0DAB351E77DEE40C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 00075E80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 00075EB7
GetLastError.KERNEL32 ref: 00075EC1

Part of subcall function 000753D0: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00075EEA), ref: 000753F6
Part of subcall function 000753D0: GetLastError.KERNEL32(?,?,00075EEA), ref: 00075416

SetEvent.KERNEL32(?), ref: 00075EFE

Strings

StartServiceCtrlDispatcher returned error: %u, xrefs: 00075F1A
Calling StartServiceCtrlDispatcher(), xrefs: 00075EA8
StartServiceCtrlDispatcher() failed to connect, xrefs: 00075ED8

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: ErrorEventLast$CreateCtrlDispatcherServiceStart
String ID: Calling StartServiceCtrlDispatcher()$StartServiceCtrlDispatcher returned error: %u$StartServiceCtrlDispatcher() failed to connect
API String ID: 3541900144-3982274156
Opcode ID: 6795dcf33bda4583c060d96c48ef5f846e49d4aa1f4fffb16de9b9ec82fe3533
Instruction ID: 9a8d40eec4a016cf5ebb38f88a638f85036915cb551adbcb05adf66ed322946c
Opcode Fuzzy Hash: 6795dcf33bda4583c060d96c48ef5f846e49d4aa1f4fffb16de9b9ec82fe3533
Instruction Fuzzy Hash: 3D116070F002049FC710EFA4DC44A9E73E9BB48300B0485A9E90DD7350EB7DE9418BD4

Uniqueness

Uniqueness Score: -1.00%

Function 000761F0 Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00076729
_crt_debugger_hook.MSVCR90(00000001), ref: 00076736
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0007673E
UnhandledExceptionFilter.KERNEL32(00079010), ref: 00076749
_crt_debugger_hook.MSVCR90(00000001), ref: 0007675A
GetCurrentProcess.KERNEL32(C0000409), ref: 00076765
TerminateProcess.KERNEL32(00000000), ref: 0007676C

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: ce7c0df40bfa6f8ebb99ed28ccce8d70659085d41103fa8f66d8e391c5f85538
Instruction ID: 2c962022f7100147b84dddf7e9ac7acd65272baf6ab088453816bfa60dfda4b7
Opcode Fuzzy Hash: ce7c0df40bfa6f8ebb99ed28ccce8d70659085d41103fa8f66d8e391c5f85538
Instruction Fuzzy Hash: 2C21C0B4D02208DFE740DF19F998B583BA4BB08304F90812AE51DA7272E77D55C6CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00072600 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

g_array_append_vals.GLIB-2.0(?,?,00000001), ref: 00072646
g_log.GLIB-2.0(vmtoolsd,00000008,file %s: line %d: assertion `%s' failed,d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/pluginMgr.c,0000011A,prov->regType != existing->prov->regType), ref: 00072675

Strings

file %s: line %d: assertion `%s' failed, xrefs: 00072669
d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/pluginMgr.c, xrefs: 00072664
prov->regType != existing->prov->regType, xrefs: 0007265A
vmtoolsd, xrefs: 00072670

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_array_append_vals.g_log.
String ID: d:/build/ob/bora-4448491/bora-vmsoft/services/vmtoolsd/pluginMgr.c$file %s: line %d: assertion `%s' failed$prov->regType != existing->prov->regType$vmtoolsd
API String ID: 3716258587-1871715410
Opcode ID: bb80c32ffa8b4f1b2ad839e816d0690a91ce4d9ead4858a12edc8ee5182b414e
Instruction ID: 9cd91f7f62aacfbea0d59186a6fc6fb4ba431e56192b4b5bfb11967b8322bc65
Opcode Fuzzy Hash: bb80c32ffa8b4f1b2ad839e816d0690a91ce4d9ead4858a12edc8ee5182b414e
Instruction Fuzzy Hash: BE012D31F403086BCB10DE08DC82ED977A9EB84710F50C166F94C9B342D776AD5186D6

Uniqueness

Uniqueness Score: -1.00%

Function 00075E20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00075560: Str_Vasprintf.VMTOOLS(00000000,?,?,?,?,00075AE4,?,CNTService::~CNTService(),?,00071177,?,?,?,?,00076BB8,000000FF), ref: 0007557C
Part of subcall function 00075560: Panic.VMTOOLS(VERIFY %s:%d,d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp,000003C4), ref: 00075599
Part of subcall function 00075560: OutputDebugStringA.KERNEL32(00000000), ref: 0007559F
Part of subcall function 00075560: free.MSVCR90(00000000), ref: 000755A6

DeregisterEventSource.ADVAPI32(?), ref: 00075E45
UnregisterDeviceNotification.USER32(?), ref: 00075E56
CloseHandle.KERNEL32(?), ref: 00075E63
??3@YAXPAX@Z.MSVCR90 ref: 00075E70

Strings

CNTService::~CNTService(), xrefs: 00075E26

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: ??3@CloseDebugDeregisterDeviceEventHandleNotificationOutputPanicSourceStr_StringUnregisterVasprintffree
String ID: CNTService::~CNTService()
API String ID: 2275839205-1120596600
Opcode ID: d49da12d0fdab2fb889897bb17b5dca4aa6a4e0ec28869bf2e26fe97267f8b69
Instruction ID: f12657e0ff21928e5d12630199cc08fc04c897ec1854ab894ca3f0c053335bd5
Opcode Fuzzy Hash: d49da12d0fdab2fb889897bb17b5dca4aa6a4e0ec28869bf2e26fe97267f8b69
Instruction Fuzzy Hash: 59F05E71E40B909BD6606BA8DC09A977BDC9F10742F04C429F94DE2281DABDE94087E8

Uniqueness

Uniqueness Score: -1.00%

Function 00075620 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(advapi32.dll,00000000,?,?,00075C35,?,00000000,00000001,?,?,?,00000000,00000000), ref: 0007562C
GetProcAddress.KERNEL32(00000000,ChangeServiceConfig2W), ref: 0007563A
FreeLibrary.KERNEL32(00000000,?,?,00075C35,?,00000000,00000001,?,?,?,00000000,00000000), ref: 00075655

Strings

advapi32.dll, xrefs: 00075625
ChangeServiceConfig2W, xrefs: 00075634

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ChangeServiceConfig2W$advapi32.dll
API String ID: 145871493-3377829029
Opcode ID: 3241d28813bd86031395ba3dc2dbd8bf6f65103364b8a7e0c5298e1e3c172ef8
Instruction ID: 65938ab43892f7b2792950480630062ca17e7efbfb6cfe11606ba715e236f7af
Opcode Fuzzy Hash: 3241d28813bd86031395ba3dc2dbd8bf6f65103364b8a7e0c5298e1e3c172ef8
Instruction Fuzzy Hash: D8E09236740214AB53109B66AC08DBF3769EBC47A17008024FA1DD3280DA3C9C01C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 00075190 Relevance: 7.6, APIs: 5, Instructions: 57serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 000751A2
OpenServiceW.ADVAPI32(00000000,?,00010000), ref: 000751C7
DeleteService.ADVAPI32(00000000), ref: 000751D4
CloseServiceHandle.ADVAPI32(00000000), ref: 00075200
CloseServiceHandle.ADVAPI32(?), ref: 0007520A

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Service$CloseHandleOpen$DeleteManager
String ID:
API String ID: 204194956-0
Opcode ID: 55e41d3c33327ba89fcb716cb8d3899feb2ad665e7e80fa4acc92f06b7733960
Instruction ID: 605d8d4c9f60982d8f22d3f40c7b3121eb06e385433664f20dad7e9c7cecd0d6
Opcode Fuzzy Hash: 55e41d3c33327ba89fcb716cb8d3899feb2ad665e7e80fa4acc92f06b7733960
Instruction Fuzzy Hash: EC019675F44304BBE7209B989C49F9A77ACEB48752F004055FA0DA72C1DAF9D94087E1

Uniqueness

Uniqueness Score: -1.00%

Function 000762A6 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006264), ref: 000762AB

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 949da1b0d9a2120ffefb43a308cc375f4ec3d83ed4b422b2698f534556230fda
Instruction ID: 3b9b9c97e377f52797c7ce01a40d6c9db670554af7890f27229b212a279dd102
Opcode Fuzzy Hash: 949da1b0d9a2120ffefb43a308cc375f4ec3d83ed4b422b2698f534556230fda
Instruction Fuzzy Hash: 5A902230E08A008A0A082B30AC0800020800B082023008080320EC8000CA0C00000280

Uniqueness

Uniqueness Score: -1.00%

Function 00074810 Relevance: 77.3, APIs: 29, Strings: 15, Instructions: 348COMMON

Download Yara Rule

APIs

g_strdup.GLIB-2.0(tools.capability.features,?,?,?,?,?,?,?,00000000,00000000,?,00072F1B,?), ref: 00074856
g_strdup_printf.GLIB-2.0(%s %d=%u,00000000,?,00000000,?,?,?,?,?,?,?,00000000,00000000,?,00072F1B,?), ref: 00074877
g_free.GLIB-2.0(00000000,%s %d=%u,00000000,?,00000000,?,?,?,?,?,?,?,00000000,00000000,?,00072F1B), ref: 0007487F
g_strdup_printf.GLIB-2.0(tools.capability.%s ,?,?,?,?,?,?,?,?,00000000,00000000,?,00072F1B,?), ref: 000748A0
RpcChannel_Send.VMTOOLS(00000010,00000000,00000001,00000000,00072F1B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000748C7
g_strdup_printf.GLIB-2.0(tools.capability.%s %u,?,00000000,00000000,00000000,?,00072F1B,?,?,00000000), ref: 00074907
RpcChannel_Send.VMTOOLS(?,00000000,00000002,00000000,00072F1B,00000000,00000000,?,00072F1B,?,?,00000000), ref: 0007492C
vm_free.VMTOOLS(00000000,?,?,?,?,?,00000000,00000000,?,00072F1B,?,?,00000000), ref: 00074951
g_free.GLIB-2.0(00000000,00000000,?,?,?,?,?,00000000,00000000,?,00072F1B,?,?,00000000), ref: 00074957
RpcChannel_Send.VMTOOLS(00000010,00000000,00000002,00000000,00072F1B,?,?,?,?,?,?,00000000,00000000,?,00072F1B,?), ref: 000749A8
vm_free.VMTOOLS(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 000749C9
g_free.GLIB-2.0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000749CF
GuestApp_GetConfPath.VMTOOLS(00000000,00000010,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000749F9
g_signal_emit_by_name.GOBJECT-2.0(?,tcs_capabilities,00000048,00000001,?,00000000,00000010,00000000), ref: 00074A23
g_array_free.GLIB-2.0(00000000,00000001,?,00000000,00000001,?,?,00000000,00000010,00000000), ref: 00074A44
g_strdup_printf.GLIB-2.0(tools.capability.guest_conf_directory %s,00000000,?,?,00000000,00000010,00000000), ref: 00074A52
RpcChannel_Send.VMTOOLS(?,00000000,00000002,00000000,00000000,?,?,?,?,00000000,00000010,00000000), ref: 00074A74
g_free.GLIB-2.0(00000000,?,?,?,?,?,?,?,?,?,00000000,00000010,00000000), ref: 00074A8E
g_key_file_get_boolean.GLIB-2.0(?,vmtools,disable-tools-version,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000010), ref: 00074AB7
g_strdup_printf.GLIB-2.0(tools.set.versiontype %u %u,-0000280C,00000001,?,vmtools,disable-tools-version,00000000), ref: 00074AD6
RpcChannel_Send.VMTOOLS(?,00000000,00000002,00000000,?), ref: 00074AFB
vm_free.VMTOOLS(00000000), ref: 00074B0B
g_free.GLIB-2.0(00000000,00000000), ref: 00074B11
g_strdup_printf.GLIB-2.0(tools.set.version %u,-0000280C,00000000,00000000), ref: 00074B1C
RpcChannel_Send.VMTOOLS(?,00000000,00000002,00000000,?), ref: 00074B48
vm_free.VMTOOLS(00000000), ref: 00074B69
g_free.GLIB-2.0(00000000,00000000), ref: 00074B6F
free.MSVCR90(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000010,00000000), ref: 00074B82
RpcChannel_SetRetVals.VMTOOLS(00000000,0007760F,00000001,?,?,?,?,?,?,?,?,?,?,00000000,00000010,00000000), ref: 00074B93

Strings

tools.set.version %u, xrefs: 00074B17
vmtools, xrefs: 00074AAA
Error sending new-style capabilities: %s, xrefs: 000749B8
tools.capability.%s %u, xrefs: 00074902
tools.capability.guest_conf_directory %s, xrefs: 00074A4D
Error sending capability %s: %s, xrefs: 000748DB, 00074940
tools.set.versiontype %u %u, xrefs: 00074AD1
tools.capability.features, xrefs: 00074851
Error setting tools version: %s., xrefs: 00074B58
tools.capability.%s , xrefs: 0007489B
Unable to register guest conf directory capability., xrefs: 00074A80
%s %d=%u, xrefs: 00074872
tcs_capabilities, xrefs: 00074A1A
disable-tools-version, xrefs: 00074AA5
Invalid capability type: %d, xrefs: 000749E0

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Channel_$Sendg_free.g_strdup_printf.$vm_free$App_ConfGuestPathValsfreeg_array_free.g_key_file_get_boolean.g_signal_emit_by_name.g_strdup.
String ID: %s %d=%u$Error sending capability %s: %s$Error sending new-style capabilities: %s$Error setting tools version: %s.$Invalid capability type: %d$Unable to register guest conf directory capability.$disable-tools-version$tcs_capabilities$tools.capability.%s $tools.capability.%s %u$tools.capability.features$tools.capability.guest_conf_directory %s$tools.set.version %u$tools.set.versiontype %u %u$vmtools
API String ID: 916430676-831586535
Opcode ID: a85a08297be206a894eaf719e48746949eeb3af5fa06b190ff1a00d7dfa3fdcf
Instruction ID: 860a237dc94edb5f07947ff0157458c87e66c29bd5ce75f46ed4578470f9f576
Opcode Fuzzy Hash: a85a08297be206a894eaf719e48746949eeb3af5fa06b190ff1a00d7dfa3fdcf
Instruction Fuzzy Hash: 1AB1C6B1E00605BBDB54DBA8CC85EEB73A8EF44704F14C154F90E97242EB79EE0487A9

Uniqueness

Uniqueness Score: -1.00%

Function 000728D0 Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 167COMMON

Download Yara Rule

APIs

g_dir_open_utf8.GLIB-2.0(?,00000000,00072BF4,00000000,00000000,?,?,00072BF4,?,00000000), ref: 000728E6
g_ptr_array_new.GLIB-2.0(00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 00072911
g_dir_read_name_utf8.GLIB-2.0(00000000,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 0007291C
g_str_has_suffix.GLIB-2.0(00000000,.dll,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 00072936
g_strdup.GLIB-2.0(00000000,?,?,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 00072943
g_ptr_array_add.GLIB-2.0(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 0007294A
g_dir_read_name_utf8.GLIB-2.0(00000000,?,?,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 00072953
g_dir_close.GLIB-2.0(00000000,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 00072962
g_ptr_array_sort.GLIB-2.0(00000000,00072890,00000000,00000000,?,00000000,00000000,?,?,00072BF4,?,00000000), ref: 0007296D
g_strdup_printf.GLIB-2.0(%s%c%s,?,0000005C,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00072BF4,?), ref: 0007299E
g_file_test_utf8.GLIB-2.0(00000000,00000001,%s%c%s,?,0000005C,00000000,?,?,?,00000000,?,00000000,00000000,?,?,00072BF4), ref: 000729A9
g_free.GLIB-2.0(?), ref: 00072A3E
g_module_close.GMODULE-2.0(00000000), ref: 00072A4F
g_module_error.GMODULE-2.0 ref: 00072A5B
g_ptr_array_free.GLIB-2.0(00000000,00000001,?,?,?,00000000,?,00000000,00000000,?,?,00072BF4,?), ref: 00072A87

Part of subcall function 00071000: g_logv.GLIB-2.0(vmtoolsd,00000010,?,?), ref: 00071012

Strings

Lookup of plugin entry point for '%s' failed., xrefs: 00072A03
File '%s' is not a regular file, skipping., xrefs: 000729B6
%s%c%s, xrefs: 00072995
Error opening dir: %s, xrefs: 000728FB
Error unloading plugin '%s': %s, xrefs: 00072A62
ToolsOnLoad, xrefs: 000729F0
Opening plugin '%s' failed: %s., xrefs: 000729E0
.dll, xrefs: 00072930

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_dir_read_name_utf8.$g_dir_close.g_dir_open_utf8.g_file_test_utf8.g_free.g_logv.g_module_close.g_module_error.g_ptr_array_add.g_ptr_array_free.g_ptr_array_new.g_ptr_array_sort.g_str_has_suffix.g_strdup.g_strdup_printf.
String ID: %s%c%s$.dll$Error opening dir: %s$Error unloading plugin '%s': %s$File '%s' is not a regular file, skipping.$Lookup of plugin entry point for '%s' failed.$Opening plugin '%s' failed: %s.$ToolsOnLoad
API String ID: 3703271903-3305830105
Opcode ID: cd05d8c0b0d37b1fb1ada0ab12bf48d468e8fbd7d0514f8a78ff07c1c85e2e4a
Instruction ID: a5b3ccb4f6dda1dfe925b8679f52c7e5f3d9e039b992c41adbe165bb320af532
Opcode Fuzzy Hash: cd05d8c0b0d37b1fb1ada0ab12bf48d468e8fbd7d0514f8a78ff07c1c85e2e4a
Instruction Fuzzy Hash: 8841DEB1D006057BC760E6945D82FEF779CAB54741F04C128FE0DA7243E67E9A4086AA

Uniqueness

Uniqueness Score: -1.00%

Function 00074E90 Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 247COMMON

Download Yara Rule

APIs

wprintf.MSVCR90 ref: 00074F2E

Strings

%s Version %d.%dThe service is %s installed, xrefs: 00074F29
Service Uninstall, xrefs: 00075102
Service Install, xrefs: 00075006
%s is not installed, xrefs: 00075064
not, xrefs: 00074F11
currently, xrefs: 00074F0A, 00074F1C
%s is already installed, xrefs: 00074F77
%s removed. (You must delete the file (%s) yourself.), xrefs: 000750B6
Could not remove %S. Error %d, xrefs: 000750E7
%S failed to install. Error %d, xrefs: 00074FEB
%s installed, xrefs: 00074FBA

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: wprintf
String ID: %S failed to install. Error %d$%s Version %d.%dThe service is %s installed$%s installed$%s is already installed$%s is not installed$%s removed. (You must delete the file (%s) yourself.)$Could not remove %S. Error %d$Service Install$Service Uninstall$currently$not
API String ID: 3614878089-1162465379
Opcode ID: d36b440c60d2e59d198c4f48fefcd2688bdac0989f70bb6e0b0778acedbddb7d
Instruction ID: 68b2bc32e9a0eacf20bdd3ae2886107df65ad941b56a90a1dead1fe37e9c3ca9
Opcode Fuzzy Hash: d36b440c60d2e59d198c4f48fefcd2688bdac0989f70bb6e0b0778acedbddb7d
Instruction Fuzzy Hash: 1A710672F401049BD750EB28DC45AEAB3A8FF64325F44C166F80E9B282DB6E9D40C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 000743D0 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 122COMMON

Download Yara Rule

APIs

g_type_class_peek_parent.GOBJECT-2.0(?), ref: 000743D8
g_signal_new.GOBJECT-2.0(tcs_capabilities,00000000,00000002,00000000,Function_00004100,00000000,00074C90,00000044,00000002,00000044,00000014,?), ref: 00074402
g_signal_new.GOBJECT-2.0(tcs_conf_reload,?,00000002,00000000,00000000,00000000,00076A82,00000004,00000001,00000044,tcs_capabilities,00000000,00000002,00000000,Function_00004100,00000000), ref: 00074422
g_signal_new.GOBJECT-2.0(tcs_dump_state,?,00000002,00000000,00000000,00000000,00076A82,00000004,00000001,00000044), ref: 00074445
g_signal_new.GOBJECT-2.0(tcs_reset,00000000,00000002,00000000,00000000,00000000,00076A82,00000004,00000001,00000044,tcs_dump_state,?,00000002,00000000,00000000,00000000), ref: 00074465
g_signal_new.GOBJECT-2.0(tcs_set_option,?,00000002,00000000,Function_000040D0,00000000,00074D20,00000014,00000003,00000044,00000040,00000040), ref: 0007448F
g_signal_new.GOBJECT-2.0(tcs_shutdown,?,00000002,00000000,00000000,00000000,00076A82,00000004,00000001,00000044,tcs_set_option,?,00000002,00000000,Function_000040D0,00000000), ref: 000744AF
g_signal_new.GOBJECT-2.0(tcs_service_control,00000000,00000002,00000000,Function_00004190,00000000,00074DB0,0000001C,00000005,00000044,00000044,0000001C,0000001C,00000044), ref: 000744DD
g_type_check_class_cast.GOBJECT-2.0(?,00000050,tcs_service_control,00000000,00000002,00000000,Function_00004190,00000000,00074DB0,0000001C,00000005,00000044,00000044,0000001C,0000001C,00000044), ref: 000744E5
g_type_check_class_cast.GOBJECT-2.0(?,00000050), ref: 000744F7
g_type_check_class_cast.GOBJECT-2.0(?,00000050,?,00000050), ref: 00074506
g_type_check_class_cast.GOBJECT-2.0(?,00000050,?,00000050,?,00000050), ref: 00074515

Strings

tcs_service_control, xrefs: 000744D8
tcs_reset, xrefs: 00074460
tcs_shutdown, xrefs: 000744AA
tcs_set_option, xrefs: 0007448A
tcs_capabilities, xrefs: 000743FD
tcs_conf_reload, xrefs: 0007441D
tcs_dump_state, xrefs: 00074440

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_signal_new.$g_type_check_class_cast.$g_type_class_peek_parent.
String ID: tcs_capabilities$tcs_conf_reload$tcs_dump_state$tcs_reset$tcs_service_control$tcs_set_option$tcs_shutdown
API String ID: 1847561511-1967261372
Opcode ID: ee9f465b69ebb34fea6141926056b58f1f777fa52fbe4cf3fb736ec7694b6d8c
Instruction ID: cbf2a7bdc6daf569b8476dc38c3138b486ba5d5cb935ac23286a4639c64440fb
Opcode Fuzzy Hash: ee9f465b69ebb34fea6141926056b58f1f777fa52fbe4cf3fb736ec7694b6d8c
Instruction Fuzzy Hash: A231D3B0FD0B00BAF231AA549C47F9A66589B55F14FA0C004B74D3E1C3DAEE69504EAE

Uniqueness

Uniqueness Score: -1.00%

Function 000735D0 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 124COMMON

Download Yara Rule

APIs

g_key_file_get_integer.GLIB-2.0(?,?,pool.maxThreads,00000000,00071BDF,00071BA7), ref: 0007361E
g_clear_error.GLIB-2.0(00000000,?,?,00071BDF,00071BA7), ref: 00073637

Part of subcall function 00071000: g_logv.GLIB-2.0(vmtoolsd,00000010,?,?), ref: 00071012

g_thread_pool_new.GLIB-2.0(00073260,00000000,00000000,00000000,00000000,?,?,00071BDF,00071BA7), ref: 00073657
g_key_file_get_integer.GLIB-2.0(?,?,pool.maxIdleTime,00000000,00000000,?,?,?,?,?,?,?,00071BDF,00071BA7), ref: 0007367D
g_clear_error.GLIB-2.0(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00071BDF,00071BA7), ref: 0007369A
g_key_file_get_integer.GLIB-2.0(?,?,pool.maxUnusedThreads,00000000,?,?,?,?,00000000), ref: 000736B3
g_clear_error.GLIB-2.0(00000000,?,?,?,?,?,?,?,?,00000000), ref: 000736CD
g_thread_pool_set_max_idle_time.GLIB-2.0(00001388,?,?,?,?,?,?,?,?,?,00000000), ref: 000736D6
g_thread_pool_set_max_unused_threads.GLIB-2.0(00000000,00001388,?,?,?,?,?,?,?,?,?,00000000), ref: 000736DC
g_clear_error.GLIB-2.0(00000000,error initializing thread pool, running single threaded: %s,?,?,?,?,?,?,?,?,00071BDF,00071BA7), ref: 000736F9
g_ptr_array_new.GLIB-2.0(?,?,00071BDF,00071BA7), ref: 00073719
g_queue_new.GLIB-2.0(?,?,00071BDF,00071BA7), ref: 00073723
g_object_set.GOBJECT-2.0(?,tcs_prop_thread_pool,0007B09C,00000000,?,tcs_prop_thread_pool,?,?,00071BDF,00071BA7), ref: 0007374A

Strings

pool.maxIdleTime, xrefs: 00073676
error initializing thread pool, running single threaded: %s, xrefs: 000736EB
pool.maxThreads, xrefs: 00073609
tcs_prop_thread_pool, xrefs: 00073617, 00073733, 00073744
pool.maxUnusedThreads, xrefs: 000736AC

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_clear_error.$g_key_file_get_integer.$g_logv.g_object_set.g_ptr_array_new.g_queue_new.g_thread_pool_new.g_thread_pool_set_max_idle_time.g_thread_pool_set_max_unused_threads.
String ID: error initializing thread pool, running single threaded: %s$pool.maxIdleTime$pool.maxThreads$pool.maxUnusedThreads$tcs_prop_thread_pool
API String ID: 3420377804-3633275952
Opcode ID: dc3e038fa03b15005a3637812de26147959e6d6600ba8807cd8171d3eefafef4
Instruction ID: f0be5bac9ef0fecd689be7cb1fb231a1d831c2ea6123d2d22c09c4faf0b3bd2f
Opcode Fuzzy Hash: dc3e038fa03b15005a3637812de26147959e6d6600ba8807cd8171d3eefafef4
Instruction Fuzzy Hash: C541A6B5D00704BBE710DBA4CD42FAB73B9AB84700F10C459E60D57242E77EAB04DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 000739D0 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

Str_Aswprintf.VMTOOLS(00000000,0007408D,Local,?,?,?,?,?,0007408D,?,%S\VMwareToolsDumpStateEvent_%s), ref: 000739E9
g_printerr.GLIB-2.0(Out of memory!,?,0007408D,?,%S\VMwareToolsDumpStateEvent_%s), ref: 000739FC
OpenEventW.KERNEL32(00000002,00000000,00000000,00000000,?,0007408D,?,%S\VMwareToolsDumpStateEvent_%s), ref: 00073A14
vm_free.VMTOOLS(00000000,?,0007408D,?,%S\VMwareToolsDumpStateEvent_%s), ref: 00073A1D
Str_Aswprintf.VMTOOLS(00000000,0007408D,Global,?,00000000,?,0007408D,?,%S\VMwareToolsDumpStateEvent_%s), ref: 00073A30
g_printerr.GLIB-2.0(Out of memory!,?,?,?,?,?,?,0007408D,?,%S\VMwareToolsDumpStateEvent_%s), ref: 00073A43
vm_free.VMTOOLS(00000000,0007408D), ref: 00073A92
CloseHandle.KERNEL32(00000000,?,?,0007408D), ref: 00073A9B

Strings

Local, xrefs: 000739DD
Out of memory!, xrefs: 000739F7, 00073A3E
Global, xrefs: 00073A29
Cannot open event: %s, xrefs: 00073A74

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: AswprintfStr_g_printerr.vm_free$CloseEventHandleOpen
String ID: Cannot open event: %s$Global$Local$Out of memory!
API String ID: 647659793-21351046
Opcode ID: 011f848e2d269124a525557e8e0d2729ca7d1dc18af6ddc18ccf1d34dec505be
Instruction ID: e79b283efdca4dfb0d57c7aefd8f2a22240f411aea0a83e3c4a2fbb6d617ce83
Opcode Fuzzy Hash: 011f848e2d269124a525557e8e0d2729ca7d1dc18af6ddc18ccf1d34dec505be
Instruction Fuzzy Hash: 06110BB1E44600B7E621A6684C47EBF76AC9B81790F00C018F94D67242E57E9E0056FB

Uniqueness

Uniqueness Score: -1.00%

Function 00072ED0 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 172COMMON

Download Yara Rule

APIs

g_signal_emit_by_name.GOBJECT-2.0(?,tcs_capabilities,?,00000000,?,?,?,?,000714AE,?,?,?,00071524), ref: 00072EFD
g_array_free.GLIB-2.0(?,00000001), ref: 00072F24

Part of subcall function 00074810: g_strdup.GLIB-2.0(tools.capability.features,?,?,?,?,?,?,?,00000000,00000000,?,00072F1B,?), ref: 00074856
Part of subcall function 00074810: g_strdup_printf.GLIB-2.0(%s %d=%u,00000000,?,00000000,?,?,?,?,?,?,?,00000000,00000000,?,00072F1B,?), ref: 00074877
Part of subcall function 00074810: g_free.GLIB-2.0(00000000,%s %d=%u,00000000,?,00000000,?,?,?,?,?,?,?,00000000,00000000,?,00072F1B), ref: 0007487F
Part of subcall function 00074810: g_strdup_printf.GLIB-2.0(tools.capability.%s ,?,?,?,?,?,?,?,?,00000000,00000000,?,00072F1B,?), ref: 000748A0
Part of subcall function 00074810: RpcChannel_Send.VMTOOLS(00000010,00000000,00000001,00000000,00072F1B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000748C7
Part of subcall function 00074810: vm_free.VMTOOLS(00000000,?,?,?,?,?,00000000,00000000,?,00072F1B,?,?,00000000), ref: 00074951
Part of subcall function 00074810: g_free.GLIB-2.0(00000000,00000000,?,?,?,?,?,00000000,00000000,?,00072F1B,?,?,00000000), ref: 00074957

g_free.GLIB-2.0(?,00000000,?,?,?,000714AE,?,?,?,00071524), ref: 00072F72
g_signal_emit_by_name.GOBJECT-2.0(?,tcs_shutdown,?,00000000,?,?,?,000714AE,?,?,?,00071524), ref: 00072F8E
g_array_free.GLIB-2.0(?,00000001), ref: 00072FEF
g_array_free.GLIB-2.0(00000000,00000001), ref: 00073000
g_ptr_array_remove_index.GLIB-2.0(?,-00000001), ref: 00073014
g_module_close.GMODULE-2.0(?), ref: 00073024
g_module_error.GMODULE-2.0 ref: 00073030

Strings

tcs_shutdown, xrefs: 00072F88
Unloading plugin '%s'., xrefs: 00072FC3
tcs_capabilities, xrefs: 00072EF4
Error unloading plugin '%s': %s, xrefs: 00073039

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_array_free.g_free.$g_signal_emit_by_name.g_strdup_printf.$Channel_Sendg_module_close.g_module_error.g_ptr_array_remove_index.g_strdup.vm_free
String ID: Error unloading plugin '%s': %s$Unloading plugin '%s'.$tcs_capabilities$tcs_shutdown
API String ID: 3458889376-3989184144
Opcode ID: 883e8d920431a6b831ed3a20b5b47d8b84d354554e3f364711b6a04485d7ad3e
Instruction ID: e705afa85c580a3acab469a145023796717b8094384e4e63b015f10be50211b4
Opcode Fuzzy Hash: 883e8d920431a6b831ed3a20b5b47d8b84d354554e3f364711b6a04485d7ad3e
Instruction Fuzzy Hash: B0518171E005009BDB64DF18C881EAA77E9AF44700B15C179F90D9B206D73AED85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00073ECE Relevance: 29.8, APIs: 12, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

Str_SafeAsprintf.VMTOOLS(00000000,%s %s,00000000), ref: 00073EE4
free.MSVCR90(?,00000000,%s %s,00000000), ref: 00073EF0
g_option_context_new.GLIB-2.0(00000000), ref: 00073F00
g_option_context_set_summary.GLIB-2.0(00000000,Runs the VMware Tools daemon.,00000000), ref: 00073F10
g_option_context_add_main_entries.GLIB-2.0(00000000,00078500,00000000,00000000,Runs the VMware Tools daemon.,00000000), ref: 00073F1E
g_option_context_get_main_group.GLIB-2.0(00000000,!0), ref: 00073F2C
g_option_group_set_error_hook.GLIB-2.0(00000000,!0), ref: 00073F35
g_option_context_parse.GLIB-2.0(00000000,?,000716D1,?,00000000,!0), ref: 00073F47
g_printerr.GLIB-2.0(%s: %s,Command line parsing failed,?), ref: 00073F64
free.MSVCR90(?), ref: 000740A7
g_clear_error.GLIB-2.0(?), ref: 000740B1
g_option_context_free.GLIB-2.0(?,?), ref: 000740B7

Strings

!0, xrefs: 00073F26
%s %s, xrefs: 00073EDB
%s: %s, xrefs: 00073F5F
Command line parsing failed, xrefs: 00073F5A
Runs the VMware Tools daemon., xrefs: 00073F07

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: free$AsprintfSafeStr_g_clear_error.g_option_context_add_main_entries.g_option_context_free.g_option_context_get_main_group.g_option_context_new.g_option_context_parse.g_option_context_set_summary.g_option_group_set_error_hook.g_printerr.
String ID: %s %s$%s: %s$Command line parsing failed$Runs the VMware Tools daemon.$!0
API String ID: 2133348964-967970936
Opcode ID: d9dd3836a6e808473134ff67463db17513f8f05fa9c8dc1656942f2e0956275d
Instruction ID: b859ee3480db3a0fdb972e664e746261970cf04662830d7ba1680e86f284bb8a
Opcode Fuzzy Hash: d9dd3836a6e808473134ff67463db17513f8f05fa9c8dc1656942f2e0956275d
Instruction Fuzzy Hash: 161157B6E00104BBDB00EFA4DC82CEE777CAB84750B04C455FA0E97103EA3A9A5597A5

Uniqueness

Uniqueness Score: -1.00%

Function 00072D80 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

g_array_new.GLIB-2.0(00000000,00000001,00000008,00071CC1,00000000,000722F2,00071CC1,?,?), ref: 00072D9F
g_malloc0.GLIB-2.0(0000001C,?,00071CC1,00000000,000722F2,00071CC1,?,?), ref: 00072DB2
g_array_append_vals.GLIB-2.0(8B55C35D,000722F2,00000001,0000001C,?,00071CC1,00000000,000722F2,00071CC1,?,?), ref: 00072DE4
g_malloc0.GLIB-2.0(0000001C,?,00071CC1,00000000,000722F2,00071CC1,?,?), ref: 00072DEE
g_array_append_vals.GLIB-2.0(8B55C35D,000722F2,00000001,0000001C,?,00071CC1,00000000,000722F2,00071CC1,?,?), ref: 00072E24
g_malloc0.GLIB-2.0(0000001C,8B55C35D,000722F2,00000001,0000001C,?,00071CC1,00000000,000722F2,00071CC1,?,?), ref: 00072E2B
g_array_append_vals.GLIB-2.0(8B55C35D,000722F2,00000001,0000001C,8B55C35D,000722F2,00000001,0000001C,?,00071CC1,00000000,000722F2,00071CC1,?,?), ref: 00072E61
g_malloc0.GLIB-2.0(0000001C,8B55C35D,000722F2,00000001,0000001C,8B55C35D,000722F2,00000001,0000001C,?,00071CC1,00000000,000722F2,00071CC1,?,?), ref: 00072E68
g_array_append_vals.GLIB-2.0(8B55C35D,000722F2,00000001,0000001C,8B55C35D,000722F2,00000001,0000001C,8B55C35D,000722F2,00000001,0000001C,?,00071CC1,00000000,000722F2), ref: 00072E9B

Strings

Signals, xrefs: 00072E01
App Provider, xrefs: 00072E3E
GuestRPC, xrefs: 00072DC1
Service Properties, xrefs: 00072E78

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_array_append_vals.g_malloc0.$g_array_new.
String ID: App Provider$GuestRPC$Service Properties$Signals
API String ID: 3411924442-2588028709
Opcode ID: 249915b33929e55b11b0b52997be75fb7c30842154a858168685a3a5e45b40ed
Instruction ID: 666a9a487291232094f6de3a494ee09454a1ebf35ca8ec8774e8f9e23bd04aa2
Opcode Fuzzy Hash: 249915b33929e55b11b0b52997be75fb7c30842154a858168685a3a5e45b40ed
Instruction Fuzzy Hash: 9431F8B0D41304AFEB449F54C849F99BBB8EF04304F11C099E90D6F392D7B99A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00074660 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 90COMMON

Download Yara Rule

APIs

g_strdup_printf.GLIB-2.0(vmx.capability.unified_loop %s,00000000), ref: 0007468A
RpcChannel_Send.VMTOOLS(?,00000000,00000002,00000000,00000000), ref: 000746AB
g_free.GLIB-2.0(00000000), ref: 000746C5
g_strdup_printf.GLIB-2.0(log %s: Version: %s,00000000,build-4448491), ref: 000746E1
RpcChannel_Send.VMTOOLS(?,00000000,00000002,00000000,00000000), ref: 00074704
g_free.GLIB-2.0(00000000,?,00000000,00000002,00000000,00000000), ref: 0007470A
g_signal_emit_by_name.GOBJECT-2.0(?,tcs_reset,?), ref: 00074729
g_main_loop_quit.GLIB-2.0(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00074744

Strings

tcs_reset, xrefs: 00074723
log %s: Version: %s, xrefs: 000746DC
VMX doesn't support the Tools unified loop.Some functionality (like setting options) may not work., xrefs: 000746B7
build-4448491, xrefs: 000746D6
vmx.capability.unified_loop %s, xrefs: 00074685

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Channel_Sendg_free.g_strdup_printf.$g_main_loop_quit.g_signal_emit_by_name.
String ID: VMX doesn't support the Tools unified loop.Some functionality (like setting options) may not work.$build-4448491$log %s: Version: %s$tcs_reset$vmx.capability.unified_loop %s
API String ID: 3470732697-1979357634
Opcode ID: 035fcfef08ea0b309bb85f4d4b1c3b3328e979feee763e3c826126cfec4e93bb
Instruction ID: d27f33a4c4983f54a0a920e84b6e9aa78c1774f1f946c3b97d6496aecbd353b5
Opcode Fuzzy Hash: 035fcfef08ea0b309bb85f4d4b1c3b3328e979feee763e3c826126cfec4e93bb
Instruction Fuzzy Hash: 3221C4B2D406006BEB10AA949C56FA73798DB92354F08C150FD0D9B253EB7ED944C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00072150 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 63COMMON

Download Yara Rule

APIs

g_thread_init.GTHREAD-2.0(00000000,?,?,00071BA7), ref: 00072167
g_main_context_default.GLIB-2.0(Tools Version: %s (%s),10.0.12.325,build-4448491,00000000,?,00000000,?,?,00071BA7), ref: 00072186
g_main_loop_new.GLIB-2.0(00000000,00000000,Tools Version: %s (%s),10.0.12.325,build-4448491,00000000,?,00000000,?,?,00071BA7), ref: 000721A8
VmCheck_IsVirtualWorld.VMTOOLS(00000000,00000000,Tools Version: %s (%s),10.0.12.325,build-4448491,00000000,?,00000000,?,?,00071BA7), ref: 000721B0
g_main_context_unref.GLIB-2.0(00000000,00000000,00000000,Tools Version: %s (%s),10.0.12.325,build-4448491,00000000,?,00000000,?,?,00071BA7), ref: 000721BC
g_type_init.GOBJECT-2.0(?,00000000,?,?,00071BA7), ref: 000721C4
g_object_new.GOBJECT-2.0(00000000,00000000,?,00000000,?,?,00071BA7), ref: 000721D1
g_object_set.GOBJECT-2.0(E8570007,tcs_app_ctx,00071BDF,00000000,00000000,tcs_app_ctx,00000000,00000000,?,00000000,?,?,00071BA7), ref: 000721EF

Strings

tcs_app_ctx, xrefs: 00072159, 000721D9, 000721E9
10.0.12.325, xrefs: 00072177
build-4448491, xrefs: 00072172
Tools Version: %s (%s), xrefs: 0007217C

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Check_VirtualWorldg_main_context_default.g_main_context_unref.g_main_loop_new.g_object_new.g_object_set.g_thread_init.g_type_init.
String ID: 10.0.12.325$Tools Version: %s (%s)$build-4448491$tcs_app_ctx
API String ID: 3983522452-473273203
Opcode ID: 251c1e0c8db54f0ba80021ea7ad09dfcc6063bf86b74d09dad78d65698612fc6
Instruction ID: 5cf87468b00a463a484154a5508b1685c87e991ea26dff8e0df8954f86f45c0c
Opcode Fuzzy Hash: 251c1e0c8db54f0ba80021ea7ad09dfcc6063bf86b74d09dad78d65698612fc6
Instruction Fuzzy Hash: 7011D370D44700ABD260ABA5DC82BDB77A8EB44704F40C528F60E66243DABEA4448A6B

Uniqueness

Uniqueness Score: -1.00%

Function 00073760 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

g_thread_pool_free.GLIB-2.0(00000000,00000001,00000001,00000000,?,000714A2,?,?,00071524), ref: 000737F3
g_thread_join.GLIB-2.0(?,?,00000000,?,000714A2,?,?,00071524), ref: 00073811
g_free.GLIB-2.0(00000000), ref: 0007382A
g_queue_pop_tail.GLIB-2.0(00000000,?,00000000,?,000714A2,?,?,00071524), ref: 00073844
g_free.GLIB-2.0(00000000), ref: 00073864
g_queue_pop_tail.GLIB-2.0(00000000,00000000), ref: 00073870
g_ptr_array_free.GLIB-2.0(00000000,00000001), ref: 00073886
g_queue_free.GLIB-2.0(00000000,00000000,00000001), ref: 00073892
g_object_set.GOBJECT-2.0(?,tcs_prop_thread_pool,00000000,00000000), ref: 000738FC

Strings

tcs_prop_thread_pool, xrefs: 000738F6

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_free.g_queue_pop_tail.$g_object_set.g_ptr_array_free.g_queue_free.g_thread_join.g_thread_pool_free.
String ID: tcs_prop_thread_pool
API String ID: 3417389216-4128436201
Opcode ID: 5c8fb34bc850285f7399123d37a27b9231a38ce01222e0d18c7d1004e41a0122
Instruction ID: cdf66fbf2cfcd41bd418ce80e7ab2828ae75c9519999c4055c81ce0f7f115aae
Opcode Fuzzy Hash: 5c8fb34bc850285f7399123d37a27b9231a38ce01222e0d18c7d1004e41a0122
Instruction Fuzzy Hash: E95108B5E003009FE764DB68EC81B5773A6BB44300B04C529E91DAB361DB3EE985CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 00071F90 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 81COMMON

Download Yara Rule

APIs

g_main_loop_is_running.GLIB-2.0(?), ref: 00071FB3
g_signal_emit_by_name.GOBJECT-2.0(?,tcs_dump_state,?,?), ref: 0007205C

Part of subcall function 00071E70: g_strdup_printf.GLIB-2.0(%*s%s,?,0007760F,?,?,?,00071FE4,VM Tools Service '%s':), ref: 00071E86
Part of subcall function 00071E70: g_logv.GLIB-2.0(state,00000040,00000000,?,%*s%s,?,0007760F,?,?,?,00071FE4,VM Tools Service '%s':), ref: 00071E99
Part of subcall function 00071E70: g_free.GLIB-2.0(00000000,state,00000040,00000000,?,%*s%s,?,0007760F,?,?,?,00071FE4,VM Tools Service '%s':), ref: 00071E9F

Strings

App provider: %s (%s), xrefs: 00072018
VM Tools Service '%s':, xrefs: 00071FD8
idle, xrefs: 00071F9E, 00072016
Plugin path: %s, xrefs: 00071FE8
active, xrefs: 00071FA5
tcs_dump_state, xrefs: 00072056
error, xrefs: 00071FAC, 00072017
VM Tools Service '%s': not running., xrefs: 00071FC2

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_free.g_logv.g_main_loop_is_running.g_signal_emit_by_name.g_strdup_printf.
String ID: App provider: %s (%s)$Plugin path: %s$VM Tools Service '%s':$VM Tools Service '%s': not running.$active$error$idle$tcs_dump_state
API String ID: 2988867475-3982586681
Opcode ID: b23f83fd87134207799e88e6b715d28016ac8437a070232697660e2ecc791f4d
Instruction ID: 9abad4b9fb4b53dace1bdc460b248e5c8e02cde85579c91b7c42c6d57e7fb4a6
Opcode Fuzzy Hash: b23f83fd87134207799e88e6b715d28016ac8437a070232697660e2ecc791f4d
Instruction Fuzzy Hash: A7218E71E402046FDB50EF58CC85DAA33A9EF89344B00C1A4E90C9B287DA79ED41CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00074BB0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

g_main_loop_get_context.GLIB-2.0(8378428B,00000000,00071CC1,00000000,?,0007229D,00071CC1,00071CC1,?,00072397,00071CC1,?,?,00071CC1,?), ref: 00074BBD
RpcChannel_Setup.VMTOOLS(8B5704C4,00000000,00000000,00071CF9,00074660,00071CC1,?,?), ref: 00074BF8
RpcChannel_RegisterCallback.VMTOOLS(8B5704C4,0007B038,?,?,?,?,?,?,?,?), ref: 00074C18
g_log.GLIB-2.0(vmtoolsd,00000040,The %s service needs to run inside a virtual machine.,00000000,?), ref: 00074C47
RpcChannel_New.VMTOOLS(?), ref: 00074C58

Strings

debug, xrefs: 00074BD7, 00074BF6
Trying to start RPC channel for invalid %s container., xrefs: 00074C76
The %s service needs to run inside a virtual machine., xrefs: 00074C3B
vmtoolsd, xrefs: 00074C42

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Channel_$CallbackRegisterSetupg_log.g_main_loop_get_context.
String ID: The %s service needs to run inside a virtual machine.$Trying to start RPC channel for invalid %s container.$debug$vmtoolsd
API String ID: 2160703730-49393852
Opcode ID: d167e979bb647dab8aafcc518291ad230659af7a5d3a56c8a319b1b0a550b494
Instruction ID: ca2e9092b5463987ac8364cc72c58e567ab2829db4c4dd43fab951be7a26c8f7
Opcode Fuzzy Hash: d167e979bb647dab8aafcc518291ad230659af7a5d3a56c8a319b1b0a550b494
Instruction Fuzzy Hash: A221C5B2E407046FD7609A56DC45B9773E8FB85310F40C929F94E87642E77AF8408BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00074750 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

StrUtil_GetNextToken.VMTOOLS(?,?,000786C4), ref: 00074777
StrUtil_GetNextToken.VMTOOLS(00000000,00000000,0007760F,?,?,000786C4), ref: 0007478E
g_signal_emit_by_name.GOBJECT-2.0(?,tcs_set_option,00000000,00000000,00000000,?,Setting option '%s' to '%s'.,00000000,00000000), ref: 000747D0
vm_free.VMTOOLS(00000000), ref: 000747D9
vm_free.VMTOOLS(00000000,00000000), ref: 000747DF
RpcChannel_SetRetVals.VMTOOLS(?,0007760F,?), ref: 000747FB

Strings

Unknown or invalid option, xrefs: 000747F3, 000747F9
Setting option '%s' to '%s'., xrefs: 000747B0
tcs_set_option, xrefs: 000747CA

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: NextTokenUtil_vm_free$Channel_Valsg_signal_emit_by_name.
String ID: Setting option '%s' to '%s'.$Unknown or invalid option$tcs_set_option
API String ID: 693905943-3331377741
Opcode ID: 47f90fec06494d39ab88ea9a6cd4524152ffcba40242c2bab3d6f3d8e596a586
Instruction ID: a12e55340d6a5d8359004d7f56a93afadce33ee2b6ae930937cd3a0809d72c3a
Opcode Fuzzy Hash: 47f90fec06494d39ab88ea9a6cd4524152ffcba40242c2bab3d6f3d8e596a586
Instruction Fuzzy Hash: D1215475E00504BB8714DB59CC85CEF7BB8DF46700B15C154F90DAB206EB39DA44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00074D20 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 58COMMON

Download Yara Rule

APIs

g_value_peek_pointer.GOBJECT-2.0(?), ref: 00074D45
g_value_peek_pointer.GOBJECT-2.0(?), ref: 00074D4C
g_value_set_boolean.GOBJECT-2.0(?,00000000), ref: 00074D78
g_log.GLIB-2.0(00000000,00000008,file %s: line %d: assertion `%s' failed,services/vmtoolsd/svcSignals-gm.c,0000006E,return_value != NULL), ref: 00074DA3

Strings

file %s: line %d: assertion `%s' failed, xrefs: 00074D9A
n_param_values == 4, xrefs: 00074D85
return_value != NULL, xrefs: 00074D8E
services/vmtoolsd/svcSignals-gm.c, xrefs: 00074D95

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_value_peek_pointer.$g_log.g_value_set_boolean.
String ID: file %s: line %d: assertion `%s' failed$n_param_values == 4$return_value != NULL$services/vmtoolsd/svcSignals-gm.c
API String ID: 1301481111-384797674
Opcode ID: 4cb6dbf17312c9e2aeaf81a6f19b08c4b4d92865dd3caf1f9e1c9286466fdcef
Instruction ID: 5d54594071911623bb88edf2972f31dce661a3b83f90a0106fc9ff4b58dc7317
Opcode Fuzzy Hash: 4cb6dbf17312c9e2aeaf81a6f19b08c4b4d92865dd3caf1f9e1c9286466fdcef
Instruction Fuzzy Hash: CF01A571A407046BDB60DE98CC85F67339DAB88714F44C015FA4D9B246D779EC10CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00074C90 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

g_value_peek_pointer.GOBJECT-2.0(?), ref: 00074CB5
g_value_peek_pointer.GOBJECT-2.0(?), ref: 00074CBC
g_value_set_pointer.GOBJECT-2.0(?,00000000), ref: 00074CE4
g_log.GLIB-2.0(00000000,00000008,file %s: line %d: assertion `%s' failed,services/vmtoolsd/svcSignals-gm.c,00000044,return_value != NULL), ref: 00074D0F

Strings

file %s: line %d: assertion `%s' failed, xrefs: 00074D06
n_param_values == 3, xrefs: 00074CF1
return_value != NULL, xrefs: 00074CFA
services/vmtoolsd/svcSignals-gm.c, xrefs: 00074D01

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_value_peek_pointer.$g_log.g_value_set_pointer.
String ID: file %s: line %d: assertion `%s' failed$n_param_values == 3$return_value != NULL$services/vmtoolsd/svcSignals-gm.c
API String ID: 3595519431-1174728911
Opcode ID: d4804e0b8b75c8448a3611b8a264870fa75b9065fce423d92b85c68c8bf4aee0
Instruction ID: 99c70a4ffa798112f3221c065ef84cc75d31b07c04b833079d84fab0bce4499c
Opcode Fuzzy Hash: d4804e0b8b75c8448a3611b8a264870fa75b9065fce423d92b85c68c8bf4aee0
Instruction Fuzzy Hash: 4C019671E41604ABDB94DE54DC81FA77399AB44714F44C015FE0E9B282DB7DEC10CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00071EB0 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00073760: g_thread_pool_free.GLIB-2.0(00000000,00000001,00000001,00000000,?,000714A2,?,?,00071524), ref: 000737F3
Part of subcall function 00073760: g_thread_join.GLIB-2.0(?,?,00000000,?,000714A2,?,?,00071524), ref: 00073811
Part of subcall function 00073760: g_free.GLIB-2.0(00000000), ref: 0007382A
Part of subcall function 00073760: g_queue_pop_tail.GLIB-2.0(00000000,?,00000000,?,000714A2,?,?,00071524), ref: 00073844
Part of subcall function 00073760: g_free.GLIB-2.0(00000000), ref: 00073864
Part of subcall function 00073760: g_queue_pop_tail.GLIB-2.0(00000000,00000000), ref: 00073870

Part of subcall function 00072ED0: g_signal_emit_by_name.GOBJECT-2.0(?,tcs_capabilities,?,00000000,?,?,?,?,000714AE,?,?,?,00071524), ref: 00072EFD
Part of subcall function 00072ED0: g_array_free.GLIB-2.0(?,00000001), ref: 00072F24
Part of subcall function 00072ED0: g_free.GLIB-2.0(?,00000000,?,?,?,000714AE,?,?,?,00071524), ref: 00072F72
Part of subcall function 00072ED0: g_signal_emit_by_name.GOBJECT-2.0(?,tcs_shutdown,?,00000000,?,?,?,000714AE,?,?,?,00071524), ref: 00072F8E

RpcChannel_Stop.VMTOOLS(8B5704C4,00000000,0007234A,?,?), ref: 00071ECD
RpcChannel_Destroy.VMTOOLS(8B5704C4,8B5704C4,00000000,0007234A,?,?), ref: 00071ED6
g_key_file_free.GLIB-2.0(8BD0FFCE,00000000,0007234A,?,?), ref: 00071EE5
g_main_loop_unref.GLIB-2.0(8378428B,8BD0FFCE,00000000,0007234A,?,?), ref: 00071EEE
CoUninitialize.OLE32(?,?,00000000,0007234A,?,?), ref: 00071EFB
g_object_set.GOBJECT-2.0(E85BCD33,tcs_app_ctx,00000000,00000000,?,?,00000000,0007234A,?,?), ref: 00071F0F
g_object_unref.GOBJECT-2.0(E85BCD33,E85BCD33,tcs_app_ctx,00000000,00000000,?,?,00000000,0007234A,?,?), ref: 00071F18

Strings

tcs_app_ctx, xrefs: 00071F09

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_free.$Channel_g_queue_pop_tail.g_signal_emit_by_name.$DestroyStopUninitializeg_array_free.g_key_file_free.g_main_loop_unref.g_object_set.g_object_unref.g_thread_join.g_thread_pool_free.
String ID: tcs_app_ctx
API String ID: 450053863-1237824698
Opcode ID: b19910876a485bfa380beadb19ead3f388c1f883b33eb771b865d32ea5aa3e70
Instruction ID: 229244e4c6ca4947a9536f4dabbe37bd1a2b3f1b48691fd8649147ba8138dcb9
Opcode Fuzzy Hash: b19910876a485bfa380beadb19ead3f388c1f883b33eb771b865d32ea5aa3e70
Instruction Fuzzy Hash: 860125B1D00B406BC630AB6AD84589BF7F8AFC4704304CD1DF18B56A12D67EE044CB66

Uniqueness

Uniqueness Score: -1.00%

Function 000732E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

g_malloc0.GLIB-2.0(00000014), ref: 000732E9
g_free.GLIB-2.0(00000000), ref: 0007332F
g_queue_push_head.GLIB-2.0(00000000,00000000), ref: 00073362
g_thread_pool_push.GLIB-2.0(00000000,0007B09C,?), ref: 00073384
g_clear_error.GLIB-2.0(00000000,error sending work request, executing in service thread: %s,?), ref: 000733A5
g_idle_add_full.GLIB-2.0(000000C8,Function_00003130,00000000,Function_00003100), ref: 000733BD

Strings

error sending work request, executing in service thread: %s, xrefs: 00073397

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_clear_error.g_free.g_idle_add_full.g_malloc0.g_queue_push_head.g_thread_pool_push.
String ID: error sending work request, executing in service thread: %s
API String ID: 217169121-1770752160
Opcode ID: 032bd4d431d8c956bd0bcd281dba9b7e5346a7ae3e71d18fcce139488ecfb4b0
Instruction ID: ffbb50c704c0b1d2b6a2959098c1a64878dd68ddc26f710d5c08d15721a3ef92
Opcode Fuzzy Hash: 032bd4d431d8c956bd0bcd281dba9b7e5346a7ae3e71d18fcce139488ecfb4b0
Instruction Fuzzy Hash: F13181B0D002009BE720DF28DC41A9B77E4FB44310B04C629F96D97352DB7DEA41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00074DB9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

g_value_peek_pointer.GOBJECT-2.0(?), ref: 00074DD5
g_value_peek_pointer.GOBJECT-2.0(?), ref: 00074DDC
g_value_set_uint.GOBJECT-2.0(?,00000000), ref: 00074E13
g_log.GLIB-2.0(00000000,00000008,file %s: line %d: assertion `%s' failed,services/vmtoolsd/svcSignals-gm.c,0000009C,n_param_values == 6), ref: 00074E44

Strings

file %s: line %d: assertion `%s' failed, xrefs: 00074E3B
n_param_values == 6, xrefs: 00074E20
services/vmtoolsd/svcSignals-gm.c, xrefs: 00074E36

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_value_peek_pointer.$g_log.g_value_set_uint.
String ID: file %s: line %d: assertion `%s' failed$n_param_values == 6$services/vmtoolsd/svcSignals-gm.c
API String ID: 614598208-2216642544
Opcode ID: 9667caee8cda8ba190aed44acad9d6939d53fa1beb1f5e53372ca76c14eb58a6
Instruction ID: 6206d406b32c56a7c7a9547989f4c2553be8b63458fc3fbf399213ed5fe1ce73
Opcode Fuzzy Hash: 9667caee8cda8ba190aed44acad9d6939d53fa1beb1f5e53372ca76c14eb58a6
Instruction Fuzzy Hash: 77016172A40600ABDB64DE99DC81FA773A9BF88710F04C419FA4E9B242D775EC11CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00071F30 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 33COMMON

Download Yara Rule

APIs

g_module_open_utf8.GMODULE-2.0(vmrpcdbg.dll,00000002,?,?,00072208,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00071F3B
g_module_symbol.GMODULE-2.0(00000000,RpcDebug_Initialize,00072208,?,00072208,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00071F5E
VMTools_AttachConsole.VMTOOLS(?,?,?,?,?,?,00072208), ref: 00071F85

Part of subcall function 00074610: g_logv.GLIB-2.0(vmtoolsd,00000004,?,000749EA,?,000749EA,Invalid capability type: %d,?,?,?,?,?,?,?,?,00000000), ref: 00074622

Strings

RpcDebug_Initialize, xrefs: 00071F58
vmrpcdbg.dll, xrefs: 00071F36
Cannot find symbol: RpcDebug_Initialize, xrefs: 00071F6A
Cannot load vmrpcdbg library., xrefs: 00071F4A

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: AttachConsoleTools_g_logv.g_module_open_utf8.g_module_symbol.
String ID: Cannot find symbol: RpcDebug_Initialize$Cannot load vmrpcdbg library.$RpcDebug_Initialize$vmrpcdbg.dll
API String ID: 2972082164-1852023065
Opcode ID: 69da35a50e385891096cfe3c250ad3511e27aaf42e42ccc56911f24939e099de
Instruction ID: 8cc70a8ea047a59a9ade39da0e87f9fbae5c0ebee4ffc852139ed3b06eb925ec
Opcode Fuzzy Hash: 69da35a50e385891096cfe3c250ad3511e27aaf42e42ccc56911f24939e099de
Instruction Fuzzy Hash: 99F08971D4470467CA50BBB4DD0B9DA729C9B00744B50C938F60E96543FA79E514876B

Uniqueness

Uniqueness Score: -1.00%

Function 00075950 Relevance: 12.1, APIs: 8, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

Str_Wcscpy.VMTOOLS(?,?,0000001F), ref: 00075981
Str_Wcscpy.VMTOOLS(?,?,0000003F,?,?,0000001F), ref: 0007598D
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 000759BF
GetFileVersionInfoSizeW.VERSION(?,?), ref: 000759D3
LocalAlloc.KERNEL32(00000000,00000000,?,?), ref: 000759E0
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 000759FC
VerQueryValueW.VERSION(?,00078DBC,?,?,?,?,00000000,00000000), ref: 00075A1F
LocalFree.KERNEL32(?,?,?,00000000,00000000), ref: 00075A4D

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: File$InfoLocalStr_VersionWcscpy$AllocFreeModuleNameQuerySizeValue
String ID:
API String ID: 2207963708-0
Opcode ID: f515f3ce8e89e7fa77f2b74d97824c18eddf2f653f80e506c6b9bc7b22103189
Instruction ID: dc6a9c38b0323a342bd215c1b334848cc90a3df0bc4a5924942368d079f2b91d
Opcode Fuzzy Hash: f515f3ce8e89e7fa77f2b74d97824c18eddf2f653f80e506c6b9bc7b22103189
Instruction Fuzzy Hash: 3C410CB19417189BD720DF69C884ADBF7F8FB58300F40896EE59E97241DB746984CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 000734F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

g_malloc0.GLIB-2.0(00000018), ref: 00073526
g_thread_create_full.GLIB-2.0(Function_000031C0,00000000,00000000,00000001,00000000,00000001,00000000,00000018), ref: 0007355D
g_ptr_array_add.GLIB-2.0(00000000,00000000), ref: 00073576

Part of subcall function 00071000: g_logv.GLIB-2.0(vmtoolsd,00000010,?,?), ref: 00071012

g_clear_error.GLIB-2.0(00000000,failed to start thread: %s.,?), ref: 00073592
g_free.GLIB-2.0(00000000,00000000,failed to start thread: %s.,?), ref: 00073598

Strings

failed to start thread: %s., xrefs: 00073584

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_clear_error.g_free.g_logv.g_malloc0.g_ptr_array_add.g_thread_create_full.
String ID: failed to start thread: %s.
API String ID: 3425470895-1663723008
Opcode ID: fe275ef0115182931db950825fe2e8b920250a60c89c69e9048b23178c8361ba
Instruction ID: 1360a8ee0fb0ceb9daee9128f94b34d0945202118f69aede5bdf9fbc58ceebfe
Opcode Fuzzy Hash: fe275ef0115182931db950825fe2e8b920250a60c89c69e9048b23178c8361ba
Instruction Fuzzy Hash: 86217C70D00605ABE720DF58DC42B9AB7A4AB48700F00C619F90DAB251D7BDEA80CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00072290 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00074BB0: g_main_loop_get_context.GLIB-2.0(8378428B,00000000,00071CC1,00000000,?,0007229D,00071CC1,00071CC1,?,00072397,00071CC1,?,?,00071CC1,?), ref: 00074BBD
Part of subcall function 00074BB0: RpcChannel_Setup.VMTOOLS(8B5704C4,00000000,00000000,00071CF9,00074660,00071CC1,?,?), ref: 00074BF8
Part of subcall function 00074BB0: RpcChannel_RegisterCallback.VMTOOLS(8B5704C4,0007B038,?,?,?,?,?,?,?,?), ref: 00074C18

RpcChannel_Start.VMTOOLS(8B5704C4,?), ref: 000722B4
g_signal_lookup.GOBJECT-2.0(tcs_io_freeze,?,00071CC1,?,?), ref: 000722FF
g_signal_connect_data.GOBJECT-2.0(E85BCD33,tcs_io_freeze,00072230,00071CC1,00000000,00000000,?,?,?,?,?), ref: 0007231E
g_timeout_add.GLIB-2.0(00001388,00072210,00071CC1,?,?,?,?,?), ref: 00072331
g_main_loop_run.GLIB-2.0(8378428B,00001388,00072210,00071CC1,?,?,?,?,?), ref: 0007233D

Strings

tcs_io_freeze, xrefs: 000722FA, 00072318

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Channel_$CallbackRegisterSetupStartg_main_loop_get_context.g_main_loop_run.g_signal_connect_data.g_signal_lookup.g_timeout_add.
String ID: tcs_io_freeze
API String ID: 3279233046-3740225104
Opcode ID: 9c70de156590049d6170c3f86646a1b5a78923065edc630997607b8a2a5d4b77
Instruction ID: 1852a2a4e52a3d346472da97593be5ecd58f6e38bd4b9fc9643f54b3f30cb406
Opcode Fuzzy Hash: 9c70de156590049d6170c3f86646a1b5a78923065edc630997607b8a2a5d4b77
Instruction Fuzzy Hash: DA11B971E007107BD77066659C02B9733E89F15344F04C424FE0E96693E76EF941C6AE

Uniqueness

Uniqueness Score: -1.00%

Function 00074560 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

g_param_spec_pointer.GOBJECT-2.0(00000000,00000000,00000000,00000003,00071BDF,00071BA7,00000000,tcs_app_ctx,00000000,00000000,?,00000000,?,?,00071BA7), ref: 00074578
g_strdup.GLIB-2.0(?,?,00071BDF,00071BA7,00000000,tcs_app_ctx,00000000,00000000,?,00000000,?,?,00071BA7), ref: 000745B0
g_array_append_vals.GLIB-2.0(?,tcs_app_ctx,00000001,?,?,00071BDF,00071BA7,00000000,tcs_app_ctx,00000000), ref: 000745C9
g_type_check_class_cast.GOBJECT-2.0(00071BDF,00000050,tcs_app_ctx,00000000,?,?,?,?,?,00071BDF,00071BA7,00000000,tcs_app_ctx,00000000), ref: 000745DC
g_object_class_install_property.GOBJECT-2.0(00000000,tcs_app_ctx,00000000,?,?,?,?,?,00071BDF,00071BA7,00000000,tcs_app_ctx,00000000), ref: 000745E5

Strings

tcs_app_ctx, xrefs: 000745C0, 000745D8

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_array_append_vals.g_object_class_install_property.g_param_spec_pointer.g_strdup.g_type_check_class_cast.
String ID: tcs_app_ctx
API String ID: 1269780713-1237824698
Opcode ID: bffce6c1485f651af1c11bd83b24efdb5a2fe51b597e3f22dbec7a439dc380f3
Instruction ID: 0c931c3b2bf3c9c24d67a8ba9fbb9bb7989059dce6c2d09d260ce9ca78e8f679
Opcode Fuzzy Hash: bffce6c1485f651af1c11bd83b24efdb5a2fe51b597e3f22dbec7a439dc380f3
Instruction Fuzzy Hash: 93213E70D00204AFE714DF58DC81EAAB7B8EB49310F04C556FD1DA7352D679AA84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 000720D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

VMTools_LoadConfig.VMTOOLS(?,00000000,?,?,?,?,00000000,?,00074042,?,00000001), ref: 000720EE
g_signal_emit_by_name.GOBJECT-2.0(?,tcs_conf_reload,?,Config file reloaded.,?,00074042,?,00000001), ref: 00072118
g_key_file_new.GLIB-2.0(?,00074042,?,00000001), ref: 00072125
VMTools_ConfigLogging.VMTOOLS(?,?,00000001,00074042,?,00074042,?,00000001), ref: 00072141

Part of subcall function 00074640: g_logv.GLIB-2.0(vmtoolsd,00000080,?,?,?,00071280,000774E0,00000000,00000000,?,?), ref: 00074655

Strings

Config file reloaded., xrefs: 00072101
tcs_conf_reload, xrefs: 00072112

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: ConfigTools_$LoadLoggingg_key_file_new.g_logv.g_signal_emit_by_name.
String ID: Config file reloaded.$tcs_conf_reload
API String ID: 3096398729-1724484511
Opcode ID: 7657af298a2a9d839ee77fc7b34ee45172ee2a9a3b8e2798495431a85cba8465
Instruction ID: 1d7dc5868fac6d5a9614c7f291b55f6ef2ad718616f20937c2ecf2675cc9f5b0
Opcode Fuzzy Hash: 7657af298a2a9d839ee77fc7b34ee45172ee2a9a3b8e2798495431a85cba8465
Instruction Fuzzy Hash: 1501C471A00206BBDB10AF65CC81EA6B3E8FF60354F10C129F64C97141E779E950CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00075560 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Str_Vasprintf.VMTOOLS(00000000,?,?,?,?,00075AE4,?,CNTService::~CNTService(),?,00071177,?,?,?,?,00076BB8,000000FF), ref: 0007557C
Panic.VMTOOLS(VERIFY %s:%d,d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp,000003C4), ref: 00075599
OutputDebugStringA.KERNEL32(00000000), ref: 0007559F
free.MSVCR90(00000000), ref: 000755A6

Strings

VERIFY %s:%d, xrefs: 00075594
d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp, xrefs: 0007558F

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: DebugOutputPanicStr_StringVasprintffree
String ID: VERIFY %s:%d$d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp
API String ID: 3386590990-3040930954
Opcode ID: be3f70d6a16fb2283e3c9e9e9647e5e2ba55a20064188d5ea92959e5b5866dda
Instruction ID: 0d57bf9ddc2f1a66e71d9a388f0371fed39bf2c68664a49c63f55fd45cfb1085
Opcode Fuzzy Hash: be3f70d6a16fb2283e3c9e9e9647e5e2ba55a20064188d5ea92959e5b5866dda
Instruction Fuzzy Hash: CBF0A031E81A146BE741AB64DC06EDA33589F05750F00C020FE0DAA291DBBDAA4087EA

Uniqueness

Uniqueness Score: -1.00%

Function 000755C0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Str_Vaswprintf.VMTOOLS(00000000,?,?), ref: 000755DC
Panic.VMTOOLS(VERIFY %s:%d,d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp,000003EA), ref: 000755F9
OutputDebugStringW.KERNEL32(00000000), ref: 000755FF
free.MSVCR90(00000000), ref: 00075606

Strings

VERIFY %s:%d, xrefs: 000755F4
d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp, xrefs: 000755EF

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: DebugOutputPanicStr_StringVaswprintffree
String ID: VERIFY %s:%d$d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp
API String ID: 1251445052-3040930954
Opcode ID: d7a8b280d21fb63d4a3b88ca354768bde52c012727e56be346e22af29efbb889
Instruction ID: 45f4dcd28ede180b457adb6bf32de62c412af6bc6654fb5428520e6c0f43d70d
Opcode Fuzzy Hash: d7a8b280d21fb63d4a3b88ca354768bde52c012727e56be346e22af29efbb889
Instruction Fuzzy Hash: 02F0A731E40A156BD741AF54DC05EDA33589F05751F00C020FE0D9B281DA69AA4087EA

Uniqueness

Uniqueness Score: -1.00%

Function 00074100 Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

g_value_get_pointer.GOBJECT-2.0(?), ref: 00074109
g_value_get_pointer.GOBJECT-2.0(?), ref: 0007411D
g_array_new.GLIB-2.0(00000000,00000001,00000010), ref: 00074130
g_value_set_pointer.GOBJECT-2.0(?,00000000,00000000,00000001,00000010), ref: 00074139
g_array_append_vals.GLIB-2.0(00000000,?,00000001), ref: 00074159
g_array_free.GLIB-2.0(00000000,00000001), ref: 0007416E

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_value_get_pointer.$g_array_append_vals.g_array_free.g_array_new.g_value_set_pointer.
String ID:
API String ID: 2432038468-0
Opcode ID: 263e2f314510560b570abd6313a052086bf5feea7f96cb809aaf832059fc86ef
Instruction ID: a77a1ee9dcc06ac8fb25d28c2810581ddedfef128c58e423f5058a3465bdac89
Opcode Fuzzy Hash: 263e2f314510560b570abd6313a052086bf5feea7f96cb809aaf832059fc86ef
Instruction Fuzzy Hash: 5B01D871D40614B7C720BAA49CC2EDFB35C9B50320F558124FE1F67303E67FA96186AA

Uniqueness

Uniqueness Score: -1.00%

Function 000715C8 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 131COMMON

Download Yara Rule

APIs

g_str_has_prefix.GLIB-2.0(?,--help), ref: 000716A3
VMTools_AttachConsole.VMTOOLS ref: 000716BB
CodeSet_Utf8ToUtf16le.VMTOOLS(?,?,?,00000000), ref: 00071701
CodeSet_Utf8ToUtf16le.VMTOOLS(?,?,?,00000000), ref: 00071754
vm_free.VMTOOLS(?,Cannot convert to UTF16: %s,?), ref: 0007176F
??2@YAPAXI@Z.MSVCR90 ref: 0007177E
vm_free.VMTOOLS(?), ref: 000717B8
vm_free.VMTOOLS(?,?), ref: 000717C1
??2@YAPAXI@Z.MSVCR90 ref: 000717D0

Strings

--version, xrefs: 0007166D
Cannot convert to UTF16: %s, xrefs: 00071711
--help, xrefs: 0007169D

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: vm_free$??2@CodeSet_Utf16leUtf8$AttachConsoleTools_g_str_has_prefix.
String ID: --help$--version$Cannot convert to UTF16: %s
API String ID: 845805078-2363603103
Opcode ID: c21b3e8598550855e46c6302bc78deeaef625ca679076d57e497937b847281d2
Instruction ID: 253070e77f9b7c7fab471078eb800672c7fd172753ccb9066177ff1890433bd3
Opcode Fuzzy Hash: c21b3e8598550855e46c6302bc78deeaef625ca679076d57e497937b847281d2
Instruction Fuzzy Hash: C341D7B5E081854ACB754F2889957F63BE79B66384F1CC098CC8E8B282E61FDD09C358

Uniqueness

Uniqueness Score: -1.00%

Function 000713E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00074640: g_logv.GLIB-2.0(vmtoolsd,00000080,?,?,?,00071280,000774E0,00000000,00000000,?,?), ref: 00074655

g_signal_emit_by_name.GOBJECT-2.0(?,tcs_service_control,?,00000000,?,?,?,?,emitting service control signal (control code %u, event type %u),?,?), ref: 0007142A
SetEvent.KERNEL32(?), ref: 0007145D

Strings

tcs_service_control, xrefs: 00071424
emitting service control signal (control code %u, event type %u), xrefs: 000713FA
service control return for code %u: %u, xrefs: 00071445

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Eventg_logv.g_signal_emit_by_name.
String ID: emitting service control signal (control code %u, event type %u)$service control return for code %u: %u$tcs_service_control
API String ID: 228114587-2601008287
Opcode ID: 9f971295ced0342d67c79de0eb1f0dfccd281092722a366ac979f4044c6e1c6f
Instruction ID: ea41f6c3c131d126dad819fb9d834cd98ca1543cacbba79973b6d02fb63ee541
Opcode Fuzzy Hash: 9f971295ced0342d67c79de0eb1f0dfccd281092722a366ac979f4044c6e1c6f
Instruction Fuzzy Hash: 62116D75A04605EFD714DF98D885DA3B3EDEF887047108918FA8E9B742E678FC408BA5

Uniqueness

Uniqueness Score: -1.00%

Function 000711C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Str_Aswprintf.VMTOOLS(00000000,-n %s %s,?,?), ref: 000711E6
Str_Aswprintf.VMTOOLS(00000000,-n %s,?), ref: 00071200
vm_free.VMTOOLS(00000000,00000000), ref: 00071219

Strings

-n %s %s, xrefs: 000711E0
-n %s, xrefs: 000711F9

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: AswprintfStr_$vm_free
String ID: -n %s$-n %s %s
API String ID: 3714628605-2783374973
Opcode ID: bb7b9f7fba380e3b793530f557a25db083e6102d9165a427bd68979669d0d5e3
Instruction ID: 453bf520da403d22397befd3fe36c8119a4e280116e585f1ff865728ce0f8907
Opcode Fuzzy Hash: bb7b9f7fba380e3b793530f557a25db083e6102d9165a427bd68979669d0d5e3
Instruction Fuzzy Hash: C2F0A9B2F016052BD610955C9C41EFBB3DDEB95750B04C236F60DD7242E565EC1143B9

Uniqueness

Uniqueness Score: -1.00%

Function 000742D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

g_type_check_class_cast.GOBJECT-2.0(00000000,00000050), ref: 000742DD
g_type_register_static.GOBJECT-2.0(00000050,ToolsCoreService,00078540,00000000), ref: 0007430E
g_type_check_instance_cast.GOBJECT-2.0(00000000,00000000), ref: 0007431D
g_array_new.GLIB-2.0(00000000,00000000,0000000C), ref: 00074336

Strings

ToolsCoreService, xrefs: 00074307

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_array_new.g_type_check_class_cast.g_type_check_instance_cast.g_type_register_static.
String ID: ToolsCoreService
API String ID: 3152341557-1642421017
Opcode ID: 1ee27b0fd04ac9183654bf77e290eaa979823c333cec7a5e7285e68fa45b52e4
Instruction ID: 1555d84937fa4bc808876f222089b010ebc37a7585786ccdc00e4213552d7334
Opcode Fuzzy Hash: 1ee27b0fd04ac9183654bf77e290eaa979823c333cec7a5e7285e68fa45b52e4
Instruction Fuzzy Hash: E5014471B407006FE710EB69DC46F6737A89B84750F00C519FA0DEB292E779E9408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00071E70 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

g_strdup_printf.GLIB-2.0(%*s%s,?,0007760F,?,?,?,00071FE4,VM Tools Service '%s':), ref: 00071E86
g_logv.GLIB-2.0(state,00000040,00000000,?,%*s%s,?,0007760F,?,?,?,00071FE4,VM Tools Service '%s':), ref: 00071E99
g_free.GLIB-2.0(00000000,state,00000040,00000000,?,%*s%s,?,0007760F,?,?,?,00071FE4,VM Tools Service '%s':), ref: 00071E9F

Strings

state, xrefs: 00071E94
%*s%s, xrefs: 00071E81

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_free.g_logv.g_strdup_printf.
String ID: %*s%s$state
API String ID: 3277705846-2558999090
Opcode ID: caff622b321dcb00ac92f9b2781ae032823d5f50d050e543fe2f2619afa5a724
Instruction ID: dca0315a56d858aa0dd33640e93dff144185df3aa850085038952bebf9e67b18
Opcode Fuzzy Hash: caff622b321dcb00ac92f9b2781ae032823d5f50d050e543fe2f2619afa5a724
Instruction Fuzzy Hash: AEE0CD71D446143A951065C5CC43CEB374CCB857D0B04C111FB0D5E043ED696940C3FE

Uniqueness

Uniqueness Score: -1.00%

Function 000710E0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,821E78AA,?,?,?,?,00076BB8,000000FF), ref: 00071122
UnregisterClassW.USER32(?,?), ref: 0007113A
CloseHandle.KERNEL32(?,821E78AA,?,?,?,?,00076BB8,000000FF), ref: 00071151
CloseHandle.KERNEL32(?,821E78AA,?,?,?,?,00076BB8,000000FF), ref: 0007115A
CloseHandle.KERNEL32(?,?,?,?,?,00076BB8,000000FF), ref: 00071167

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: CloseHandle$ClassDestroyUnregisterWindow
String ID:
API String ID: 857740253-0
Opcode ID: e017fa7c62b1f1b9a7ae7369c3450bc0a6da0fdfa10ebfffef7fda4346376f33
Instruction ID: f34bc723e9786e32f676d43d0386af13bd6c3ba57829ceb5f5d9d1e23db8f189
Opcode Fuzzy Hash: e017fa7c62b1f1b9a7ae7369c3450bc0a6da0fdfa10ebfffef7fda4346376f33
Instruction Fuzzy Hash: 30114F71B05708ABE720DF69CC44B9BB7ECEB44750F40865EE91DD7380DB78A9008B94

Uniqueness

Uniqueness Score: -1.00%

Function 00071490 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00073760: g_thread_pool_free.GLIB-2.0(00000000,00000001,00000001,00000000,?,000714A2,?,?,00071524), ref: 000737F3
Part of subcall function 00073760: g_thread_join.GLIB-2.0(?,?,00000000,?,000714A2,?,?,00071524), ref: 00073811
Part of subcall function 00073760: g_free.GLIB-2.0(00000000), ref: 0007382A
Part of subcall function 00073760: g_queue_pop_tail.GLIB-2.0(00000000,?,00000000,?,000714A2,?,?,00071524), ref: 00073844
Part of subcall function 00073760: g_free.GLIB-2.0(00000000), ref: 00073864
Part of subcall function 00073760: g_queue_pop_tail.GLIB-2.0(00000000,00000000), ref: 00073870

Part of subcall function 00072ED0: g_signal_emit_by_name.GOBJECT-2.0(?,tcs_capabilities,?,00000000,?,?,?,?,000714AE,?,?,?,00071524), ref: 00072EFD
Part of subcall function 00072ED0: g_array_free.GLIB-2.0(?,00000001), ref: 00072F24
Part of subcall function 00072ED0: g_free.GLIB-2.0(?,00000000,?,?,?,000714AE,?,?,?,00071524), ref: 00072F72
Part of subcall function 00072ED0: g_signal_emit_by_name.GOBJECT-2.0(?,tcs_shutdown,?,00000000,?,?,?,000714AE,?,?,?,00071524), ref: 00072F8E

RpcChannel_Stop.VMTOOLS(?), ref: 000714BF
RpcChannel_Destroy.VMTOOLS(?,?), ref: 000714CE
exit.MSVCR90 ref: 000714E5
GetWindowLongW.USER32(?,000000EB), ref: 000714FA
DefWindowProcW.USER32(00000000,?,?,?), ref: 00071512

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_free.$Channel_Windowg_queue_pop_tail.g_signal_emit_by_name.$DestroyLongProcStopexitg_array_free.g_thread_join.g_thread_pool_free.
String ID:
API String ID: 3128237692-0
Opcode ID: 31890be1550a11067cca31669b8e9bd60569fe305c79a053009d99d88c0f49e6
Instruction ID: c062fe96d67c58afbe889e0a2716a516036f6d403d4e7172f64ebd0b431d1645
Opcode Fuzzy Hash: 31890be1550a11067cca31669b8e9bd60569fe305c79a053009d99d88c0f49e6
Instruction Fuzzy Hash: E50171B1515608AFE714DB68DD45EEB33A9EF84311F048908FA1E97242C739FC108BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00071D30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113synchronizationCOMMON

Download Yara Rule

APIs

g_idle_add.GLIB-2.0(Function_000013E0,?), ref: 00071D8E
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00071D9F
GetLastError.KERNEL32(?,?,?,?), ref: 00071DC1

Part of subcall function 00071F90: g_main_loop_is_running.GLIB-2.0(?), ref: 00071FB3

Strings

WaitForSingleObject failed: %u., xrefs: 00071DC8

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: ErrorLastObjectSingleWaitg_idle_add.g_main_loop_is_running.
String ID: WaitForSingleObject failed: %u.
API String ID: 2240483399-2148394572
Opcode ID: 98b9e6ca3356d3e80e2a2fedd6f1aa12b31d9c582e4e67517639ffe3160bae1f
Instruction ID: 53f309e1e16048f575a3f756d007ad5236c96a7ad4da8c09954863a6a8ce54b3
Opcode Fuzzy Hash: 98b9e6ca3356d3e80e2a2fedd6f1aa12b31d9c582e4e67517639ffe3160bae1f
Instruction Fuzzy Hash: 1C319472F001189BC724DE9DE880AEEF3A8EB443A2F248167ED1DD7281C7799D508BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00072500 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

Error activating provider %s: %s., xrefs: 00072571
Failed registration of app type %d (%s) from plugin %s., xrefs: 000725B8
Plugin %s wants to register app of type %d but the provider failed to activate., xrefs: 0007252B

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID:
String ID: Error activating provider %s: %s.$Failed registration of app type %d (%s) from plugin %s.$Plugin %s wants to register app of type %d but the provider failed to activate.
API String ID: 0-3281458332
Opcode ID: 595d6f59409a87393d790c63bd53a68612e617a8476c72e50ed6faf227f82e75
Instruction ID: c7669341cac19badaa588722f047c089941d3083c2f09741255b44ef52d0a058
Opcode Fuzzy Hash: 595d6f59409a87393d790c63bd53a68612e617a8476c72e50ed6faf227f82e75
Instruction Fuzzy Hash: 86316BB5A00205ABD710DF98DC81EABB3E8EF88350F548549F90DC7241E779ED50CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 000753D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00075EEA), ref: 000753F6
GetLastError.KERNEL32(?,?,00075EEA), ref: 00075416

Strings

Leaving CNTService::Initialize(), xrefs: 0007545F
Entering CNTService::Initialize(), xrefs: 000753D8

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Entering CNTService::Initialize()$Leaving CNTService::Initialize()
API String ID: 545576003-3071269740
Opcode ID: 4087f35f04c163fddec7376f1f1eefc745abb1cb26522199a374e94b32796ec2
Instruction ID: f36dea0fcc0bf983d79d15083f0e82254e627c6511127bb6f2f08848785bbfba
Opcode Fuzzy Hash: 4087f35f04c163fddec7376f1f1eefc745abb1cb26522199a374e94b32796ec2
Instruction Fuzzy Hash: 9B114C35380610ABE625DB18DC42F597395AF88B10F218048F748AB3D0CBA6FD428BC9

Uniqueness

Uniqueness Score: -1.00%

Function 00075D60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerExW.ADVAPI32 ref: 00075D96
SetEvent.KERNEL32(?), ref: 00075DFF

Strings

Leaving CNTService::ServiceMain(), xrefs: 00075E0A
Entering CNTService::ServiceMain(), xrefs: 00075D6C

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: CtrlEventHandlerRegisterService
String ID: Entering CNTService::ServiceMain()$Leaving CNTService::ServiceMain()
API String ID: 57603111-2772127321
Opcode ID: b279d2e911737eced4976c7a4a8870ef6a73ec30ad1197f897884ffa8141709a
Instruction ID: cb7934c52878f1b7b7f38f2d31ffeed06e7dd7ba009af54155b8b71b80cad2aa
Opcode Fuzzy Hash: b279d2e911737eced4976c7a4a8870ef6a73ec30ad1197f897884ffa8141709a
Instruction Fuzzy Hash: 15213D357806109BE620EF58CC45F9A73E5AF9CB00F21C408E78D9B3D1DBB9A8428BD4

Uniqueness

Uniqueness Score: -1.00%

Function 00075AD0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00075560: Str_Vasprintf.VMTOOLS(00000000,?,?,?,?,00075AE4,?,CNTService::~CNTService(),?,00071177,?,?,?,?,00076BB8,000000FF), ref: 0007557C
Part of subcall function 00075560: Panic.VMTOOLS(VERIFY %s:%d,d:/build/ob/bora-4448491/bora/lib/ntservice/NTService.cpp,000003C4), ref: 00075599
Part of subcall function 00075560: OutputDebugStringA.KERNEL32(00000000), ref: 0007559F
Part of subcall function 00075560: free.MSVCR90(00000000), ref: 000755A6

DeregisterEventSource.ADVAPI32(?), ref: 00075AF2
UnregisterDeviceNotification.USER32(?), ref: 00075B03
CloseHandle.KERNEL32(?), ref: 00075B10

Strings

CNTService::~CNTService(), xrefs: 00075AD3

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: CloseDebugDeregisterDeviceEventHandleNotificationOutputPanicSourceStr_StringUnregisterVasprintffree
String ID: CNTService::~CNTService()
API String ID: 3779210951-1120596600
Opcode ID: bf0b67561ea9c97923c4d3eda567f3300f6c7b719a2e89d7bebcefe72d7f783f
Instruction ID: 3cb4d64137ab095302fb959b707ec3a323b2295e074eebc1d27b0d245683c6ef
Opcode Fuzzy Hash: bf0b67561ea9c97923c4d3eda567f3300f6c7b719a2e89d7bebcefe72d7f783f
Instruction Fuzzy Hash: 67E01A30E40A519BE6609B78EC4C99333E8AF04342B048559B88DE3280DFBCE840C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 00071340 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00071359
TranslateMessage.USER32(?), ref: 00071374
DispatchMessageW.USER32(?), ref: 0007138F
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000713A1

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 409448b3972d2179fff44a2893b5f01665751d3894fbe1c6ae96ed01a5992490
Instruction ID: 4efd44c2d586ca7e52d2b4ae0285bc7b3c5979c80a92e2d05613e1549e4d101a
Opcode Fuzzy Hash: 409448b3972d2179fff44a2893b5f01665751d3894fbe1c6ae96ed01a5992490
Instruction Fuzzy Hash: 0A014831E5030AA7EB20DB9CCC81FEE777CAB44744F508055F608AB1C4D6A9E54587E4

Uniqueness

Uniqueness Score: -1.00%

Function 00075220 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

Str_Vaswprintf.VMTOOLS(00000000,?,?), ref: 0007522F
OutputDebugStringW.KERNEL32(00000000), ref: 0007524F
ReportEventW.ADVAPI32(?,00000001,00000000,0000006D,00000000,00000001,00000000,?,00000000), ref: 00075271
free.MSVCR90(00000000), ref: 00075278

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: DebugEventOutputReportStr_StringVaswprintffree
String ID:
API String ID: 4235810640-0
Opcode ID: d4c2055f84c92f3cb4dc0c532826b02531c8945f01b65f3a899cb96356c17083
Instruction ID: 694af26025f591d81dcc7e9cd4fde649de7b510d69cde5f35293914349d84ea5
Opcode Fuzzy Hash: d4c2055f84c92f3cb4dc0c532826b02531c8945f01b65f3a899cb96356c17083
Instruction Fuzzy Hash: DF01D131B40604BBE6108B44DC06FEA736CAF85B10F048115FE0CAB2C1DBB9AA5187E5

Uniqueness

Uniqueness Score: -1.00%

Function 00075150 Relevance: 6.0, APIs: 4, Instructions: 30serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000001), ref: 0007515B
OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0007516E
CloseServiceHandle.ADVAPI32(00000000,?,00000001), ref: 00075184
CloseServiceHandle.ADVAPI32(00000000,?,00000001), ref: 00075187

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: Service$CloseHandleOpen$Manager
String ID:
API String ID: 4196757001-0
Opcode ID: 51940d3032a97141528b118be91f645c6a25641f7643ca5133abb782b5664aa6
Instruction ID: 9f08c35620379cb1aaa6dad08cbb3f2334e8d6c2333665d1be71e73816fc98d2
Opcode Fuzzy Hash: 51940d3032a97141528b118be91f645c6a25641f7643ca5133abb782b5664aa6
Instruction Fuzzy Hash: 77E04FB6F026187FF231162A5C88F9B169CEBC57B6F460135F90CE2240CAADDC4695F0

Uniqueness

Uniqueness Score: -1.00%

Function 00072820 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

g_signal_parse_name.GOBJECT-2.0(?,?,?,?,00000000), ref: 00072840
g_signal_connect_data.GOBJECT-2.0(?,?,?,?,00000000,00000000), ref: 0007285F

Strings

Plugin '%s' unable to connect to signal '%s'., xrefs: 00072879

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_signal_connect_data.g_signal_parse_name.
String ID: Plugin '%s' unable to connect to signal '%s'.
API String ID: 3769452046-1421272964
Opcode ID: ccad2c2fed89006096744fc23e9317250a0fbd3b2655d7d2ec819a270345170f
Instruction ID: 4556f86bff20642f12e7353aab8428df8b892b4ab0acb186e0c849ebcf7d9276
Opcode Fuzzy Hash: ccad2c2fed89006096744fc23e9317250a0fbd3b2655d7d2ec819a270345170f
Instruction Fuzzy Hash: FE0108B6600205AFD714EF98EC81FA7B3ACEB88710F148529FA49D7741E671FC508BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00074350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

g_free.GLIB-2.0(?), ref: 00074384

Part of subcall function 00071000: g_logv.GLIB-2.0(vmtoolsd,00000010,?,?), ref: 00071012

g_array_free.GLIB-2.0(?,00000001), ref: 000743A4

Strings

Property '%s' was not cleaned up before shut down., xrefs: 00074373

Memory Dump Source

Source File: 00000000.00000002.3306788747.0000000000071000.00000020.00000001.01000000.00000003.sdmp, Offset: 00070000, based on PE: true

Associated: 00000000.00000002.3306767515.0000000000070000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306805477.0000000000077000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306820266.0000000000078000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306835529.000000000007B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3306849845.000000000007C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70000_Notificacion_juzgadoPdf.jbxd

Similarity

API ID: g_array_free.g_free.g_logv.
String ID: Property '%s' was not cleaned up before shut down.
API String ID: 4098025969-2894426868
Opcode ID: f5fe1367681c432d8933e0ac61f15fe8720ec673581433e1b639ccbfa7ba9f88
Instruction ID: bfe7e4e02a57a97b4736caa5b9aeeef70e4ca2fcebf1a67ef90ca773824e491a
Opcode Fuzzy Hash: f5fe1367681c432d8933e0ac61f15fe8720ec673581433e1b639ccbfa7ba9f88
Instruction Fuzzy Hash: FF01CC72E003009FD724CF58EC81A5AB3E8FB84310B0AC529E99E5B241C639F980CBA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Notificacion_juzgadoPdf.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Notificacion_juzgadoPdf.exePID: 5632, Parent PID: 4004

General

Chronological Activities

Disassembly

Analysis Process: Notificacion_juzgadoPdf.exePID: 5632, Parent PID: 4004COMMON

Non-executed Functions

Windows Analysis Report
Notificacion_juzgadoPdf.exe