Edit tour

Windows Analysis Report
Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Overview

General Information

Sample name:	Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe
Analysis ID:	1446993
MD5:	7cf8781d8b1fa876f7632c568af5d727
SHA1:	7c7feec337fcab7cb9c023ebb41d2c4ef5aa612f
SHA256:	8530534bc175ea24f11da23e49fe1dc2110a9a5ee8e4daa4d0fc25c8cfe70780
Tags:	AgentTeslaBBVAESPexegeo
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sample uses process hollowing technique

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

One or more processes crash

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe" MD5: 7CF8781D8B1FA876F7632C568AF5D727)

RegSvcs.exe (PID: 5668 cmdline: "C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 4188 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 12 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.corpsa.net", "Username": "newusd@corpsa.net", "Password": "ko=8J2,OjDt,"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32fb9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3302b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x330b5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33147:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x331b1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33223:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x332b9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33349:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304cc:$s2: GetPrivateProfileString 0x2fbcc:$s3: get_OSFullName 0x311ba:$s5: remove_Key 0x31381:$s5: remove_Key 0x321de:$s6: FtpWebRequest 0x32f9b:$s7: logins 0x3350d:$s7: logins 0x36212:$s7: logins 0x362d0:$s7: logins 0x37bd6:$s7: logins 0x36e74:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe PID: 7100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe PID: 7100	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5668	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5668	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32fb9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3302b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x330b5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33147:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x331b1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33223:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x332b9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33349:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304cc:$s2: GetPrivateProfileString 0x2fbcc:$s3: get_OSFullName 0x311ba:$s5: remove_Key 0x31381:$s5: remove_Key 0x321de:$s6: FtpWebRequest 0x32f9b:$s7: logins 0x3350d:$s7: logins 0x36212:$s7: logins 0x362d0:$s7: logins 0x37bd6:$s7: logins 0x36e74:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32fb9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3302b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x330b5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33147:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x331b1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33223:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x332b9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33349:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x304cc:$s2: GetPrivateProfileString 0x2fbcc:$s3: get_OSFullName 0x311ba:$s5: remove_Key 0x31381:$s5: remove_Key 0x321de:$s6: FtpWebRequest 0x32f9b:$s7: logins 0x3350d:$s7: logins 0x36212:$s7: logins 0x362d0:$s7: logins 0x37bd6:$s7: logins 0x36e74:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x311b9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3122b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x312b5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31347:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x313b1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31423:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x314b9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31549:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e6cc:$s2: GetPrivateProfileString 0x2ddcc:$s3: get_OSFullName 0x2f3ba:$s5: remove_Key 0x2f581:$s5: remove_Key 0x303de:$s6: FtpWebRequest 0x3119b:$s7: logins 0x3170d:$s7: logins 0x34412:$s7: logins 0x344d0:$s7: logins 0x35dd6:$s7: logins 0x35074:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 7 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.corpsa.net", "Username": "newusd@corpsa.net", "Password": "ko=8J2,OjDt,"}

Multi AV Scanner detection for submitted file

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	ReversingLabs: Detection: 34%
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Virustotal: Detection: 31%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Machine Learning detection for sample

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Joe Sandbox ML: detected

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2088638395.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2086403987.0000000003560000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2088638395.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2086403987.0000000003560000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00614696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00614696
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061C93C FindFirstFileW,FindClose,	0_2_0061C93C
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0061C9C7
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0061F200
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0061F35D
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0061F65E
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00613A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00613A2B
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00613D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00613D4E
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0061BF27

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_006225E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006225E2

Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, R1W.cs

.Net Code: G7kYr30iZ

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_0062425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0062425A

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_00624458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00624458

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

0_2_0062425A

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_00610219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00610219

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_0063CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0063CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: This is a third-party compiled AutoIt script.	0_2_005B3B4C
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b72b827d-1
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_073921b4-0
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6587e6c3-3
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e56e1a87-1

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_00614021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00614021

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_00608858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00608858

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_0061545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0061545F

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005BE800	0_2_005BE800
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005DDBB5	0_2_005DDBB5
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0063804A	0_2_0063804A
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005BE060	0_2_005BE060
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005C4140	0_2_005C4140
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005D2405	0_2_005D2405
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005E6522	0_2_005E6522
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00630665	0_2_00630665
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005E267E	0_2_005E267E
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005C6843	0_2_005C6843
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005D283A	0_2_005D283A
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005E89DF	0_2_005E89DF
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005C8A0E	0_2_005C8A0E
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00630AE2	0_2_00630AE2
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005E6A94	0_2_005E6A94
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0060EB07	0_2_0060EB07
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00618B13	0_2_00618B13
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005DCD61	0_2_005DCD61
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005E7006	0_2_005E7006
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005C710E	0_2_005C710E
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005C3190	0_2_005C3190
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005B1287	0_2_005B1287
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005D33C7	0_2_005D33C7
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005DF419	0_2_005DF419
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005D16C4	0_2_005D16C4
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005C5680	0_2_005C5680
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005D78D3	0_2_005D78D3
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005C58C0	0_2_005C58C0
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005D1BB8	0_2_005D1BB8
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005E9D05	0_2_005E9D05
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005BFE40	0_2_005BFE40
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005D1FD0	0_2_005D1FD0
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005DBFE6	0_2_005DBFE6
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_01143660	0_2_01143660

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: String function: 005D0D27 appears 70 times
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: String function: 005B7F41 appears 35 times
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: String function: 005D8B40 appears 42 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 12

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2088931819.00000000036C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2087172339.0000000003BBD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename06654b58-2932-4b00-baba-711656b1769c.exe4 vs Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/9@0/0

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_0061A2D5 GetLastError,FormatMessageW,

0_2_0061A2D5

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00608713 AdjustTokenPrivileges,CloseHandle,		0_2_00608713
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00608CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00608CC3

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_0061B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0061B59E

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_0062F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0062F121

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_0061C602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0061C602

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005B4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005B4FE9

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5668

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

File created: C:\Users\user\AppData\Local\Temp\aut5E8B.tmp

Jump to behavior

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	ReversingLabs: Detection: 34%
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Virustotal: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe "C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe"
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 12
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Section loaded: wldp.dll	Jump to behavior

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2088638395.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2086403987.0000000003560000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2088638395.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000003.2086403987.0000000003560000.00000004.00001000.00020000.00000000.sdmp

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_0062C304 LoadLibraryA,GetProcAddress,

0_2_0062C304

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005D8B85 push ecx; ret

0_2_005D8B98

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005B4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_005B4A35
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_006355FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_006355FD

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005D33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005D33C7

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99469

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

API coverage: 4.7 %

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00614696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00614696
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061C93C FindFirstFileW,FindClose,	0_2_0061C93C
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0061C9C7
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0061F200
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0061F35D
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0061F65E
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00613A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00613A2B
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00613D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00613D4E
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_0061BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0061BF27

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005B4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005B4AFE

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: hgfsZrw6
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

API call chain: ExitProcess graph end node

graph_0-97709

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_006241FD BlockInput,

0_2_006241FD

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005B3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_005B3B4C

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005E5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_005E5CCC

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_0062C304 LoadLibraryA,GetProcAddress,

0_2_0062C304

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_01143550 mov eax, dword ptr fs:[00000030h]	0_2_01143550
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_011434F0 mov eax, dword ptr fs:[00000030h]	0_2_011434F0
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_01141ED0 mov eax, dword ptr fs:[00000030h]	0_2_01141ED0

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_006081F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_006081F7

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005DA364 SetUnhandledExceptionFilter,		0_2_005DA364
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_005DA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_005DA395

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 440000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 791008

Jump to behavior

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_00608C93 LogonUserW,

0_2_00608C93

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005B3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_005B3B4C

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005B4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_005B4A35

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_00614EF5 mouse_event,

0_2_00614EF5

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

0_2_006081F7

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_00614C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00614C03

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005D886B cpuid

0_2_005D886B

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005E50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_005E50D7

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005F2230 GetUserNameW,

0_2_005F2230

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005E418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_005E418A

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Code function: 0_2_005B4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005B4AFE

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5668, type: MEMORYSTR

Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Binary or memory string: WIN_81
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Binary or memory string: WIN_XP
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Binary or memory string: WIN_XPe
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Binary or memory string: WIN_VISTA
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Binary or memory string: WIN_7
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Binary or memory string: WIN_8
Source: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5668, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe.1ed0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5668, type: MEMORYSTR

Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00626596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00626596
Source: C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	Code function: 0_2_00626A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00626A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	121 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	2 Valid Accounts	LSA Secrets	51 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	34%	ReversingLabs
Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	31%	Virustotal	Browse
Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://account.dyn.com/	Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe, 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446993
Start date and time:	2024-05-24 07:40:47 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 57 Number of non-executed functions: 273
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
01:41:45	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_bb024b10-d75a-459b-92b6-56fb7dbdaa65\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5814643778992563
Encrypted:	false
SSDEEP:	96:k43FUhUOWr1gsQhMov7JYqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTA/9nf/0:k+aUOWrak0WbkQzuiF1Z24IO8b
MD5:	633C5A87A674595A767DBC8608DF1DDE
SHA1:	D84FB0E29B50417CC318862B32C40FD28018F7B5
SHA-256:	FF70B88DB99C46BE60536FF03E7CD94F67055032F843B3C0666F3450D6E37162
SHA-512:	A643FF849ADBB6C3F2D8DC282178AD491CC76FAAA4F793F8693BABE71759A3B2CE94B9C8111371E1E281579C84A46B043FE2ECA5047574A4598EC5AA6D20A046
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.0.0.2.8.9.5.6.8.6.2.3.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.0.0.2.8.9.9.9.2.0.6.1.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.0.2.4.b.1.0.-.d.7.5.a.-.4.5.9.b.-.9.2.b.6.-.5.6.f.b.7.d.b.d.a.a.6.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.9.a.0.1.a.6.-.b.1.f.e.-.4.9.b.a.-.8.c.4.8.-.1.a.4.4.b.7.3.4.8.2.7.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.2.4.-.0.0.0.1.-.0.0.1.5.-.f.2.a.3.-.b.f.0.9.9.d.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.1.9.6.9.7.7.1.b.2.f.0.2.2.f.9.a.8.6.d.7.7.a.c.4.d.4.d.2.3.9.b.e.c.d.f.0.8.d.0.7.!.R.e.g.S.v.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER759F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8216
Entropy (8bit):	3.671568001719397
Encrypted:	false
SSDEEP:	192:R6l7wVeJRR6j6YE167bLhgmfUMrpxG89bnzsfNtm:R6lXJn6j6Ym67xgmfUYnYfW
MD5:	CC13A03A748606C977F7258BFDFE2E98
SHA1:	105DF22FA59D6F55A19F55F2BD092CECB443561E
SHA-256:	E6DA0BD91BD7F9EA976B33B3EA471B9656D806A1A877FE552B43298CB13C6EC3
SHA-512:	6DA710AE69F84A5919214478BD0B6033EA76D7823D1A342A78A18DF1846FBB187C53CE504460A027F529FF0DE138C21CEF28DBF28088038AF26AA532BE0EC3DF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75CF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4572
Entropy (8bit):	4.432046597164192
Encrypted:	false
SSDEEP:	48:cvIwWl8zshJg77aI9VfARfXWpW8VY9Ym8M4JTHFGCo+q87qbm30Yd:uIjfzI7PfARfm7VhJsCoPm30Yd
MD5:	091D4387278FA9CD835D956592D9CEB0
SHA1:	09CB5094341107C2C1D53EC438B3E47272BFC39F
SHA-256:	A59FF22F32404B163AF5C3191BB06A434AE07B821ED3AEA4C0D9B6386E85A3B2
SHA-512:	A235026B08B67661571D3607CDC88319FF8ED40BD950733B20364FE88B075DC92C6204B0D11161121BE8E65B2700C289E92F8F2D79A55E61EBFC4930A76AC5A8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="336764" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\WER65D0.tmp.WERDataCollectionStatus.txt

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	4744
Entropy (8bit):	3.2405185908030725
Encrypted:	false
SSDEEP:	96:pwpIibkXkkXfkuguW+0QX0Q50QgM0QX30QzX0QrnLgIX5SszeuzSzbxGQI5lmnss:p2le+uSLPoeyOkNo
MD5:	01CB53E91E9913D7B3078861A24D45D7
SHA1:	BF4755AE588C0967738106B26E0C883850B535E6
SHA-256:	94A8B9998614B8FE858070F4376CCC7F0381F08EFD5E2C7BCF2C95C287227A8D
SHA-512:	5471824E43F7C2D78818DA59FC48A202FD820BF3FF02E7482209F2A27D9920FFE338412674C7EDB6B63257713ED7B4E70112D1C081998EE1C936271CF974E726
Malicious:	false
Reputation:	low
Preview:	......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .2.5.4.4. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .6.4.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .1. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .8.3.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .3.0.3.5.3.4.9. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . . . . .:.

C:\Users\user\AppData\Local\Temp\ambiparous

Download File

Process:	C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe
File Type:	data
Category:	dropped
Size (bytes):	238592
Entropy (8bit):	6.520284929160993
Encrypted:	false
SSDEEP:	6144:FbUelPUxWP/s96OAwIzWyRyicttyzq5AsQ7yiNpCqoKfPq9Pz4qzLBo0cTCJsBO/:FHP/sQpFiySrDOsQlNpCqoKfPAXnBo0L
MD5:	38820A5F939BCC1D7E17AEB4A023E78C
SHA1:	9188B1F4F92A51B31D3B3277C431BA78CA96D9AD
SHA-256:	6A60B6B5E0EDF3F742615266E9002FC116576A1CB0214407CEB5F0C9D4A0FB0B
SHA-512:	7193F431666F4CC6CA1F5D7CB3AC74E03717EA6A1E943C7DA1377773EB68574491407F768D62E89EED21996F3C70CC839ACDEF1B3B9FCA28F6D5C5DD5AE58358
Malicious:	false
Reputation:	low
Preview:	u..P1V2AILK3.ZP.V2AMLK3xTZP2V2AMLK38TZP2V2AMLK38TZP2V2AMLK3.TZP<I.OM.B...[..wf)$?kCJ;="S;.","%\Lt85.$G/m%%.\|..p_9V$cAF9.TZP2V2A..K3tUYP.w.'MLK38TZP.V0@FM@38.YP2^2AMLK3..YP2v2AM.H38T.P2v2AMNK3<TZP2V2AILK38TZP2V6AMNK38TZP0Vr.ML[38DZP2V"AM\K38TZP"V2AMLK38TZPv.1A.LK38.YPtS2AMLK38TZP2V2AMLK38.YP>V2AMLK38TZP2V2AMLK38TZP2V2AMLK38TZP2V2AMLK38TZP2V2AMlK30TZP2V2AMLK30tZPzV2AMLK38TZP."W99LK3..YP2v2AM.H38VZP2V2AMLK38TZP.V2!c>8A[TZPtS2AM.H38RZP2.1AMLK38TZP2V2A.LKs.&?<]52AALK38.YP2T2AM.H38TZP2V2AMLK3xTZ.2V2AMLK38TZP2V2A..H38TZPzV2AOLN3..XP.{3ANLK39TZV2V2AMLK38TZP2V2AMLK38TZP2V2AMLK38TZP2V2AMLK38TZP/.......p)dZPQ.g.+.0..I../..B.^.C@.y.?.....!\.{V.N}...1...#.IH5J.....690C$.D.[;./...qjGx..V\.H...5..:\t.....jh..._F.j..8..[;7~S&B-(b.R^5(9.T.@MLK3......$4.i.WUN.DJ.....F"....3LK3\TZP@V2A,LK3.TZP]V2A#LK3FTZPLV2A.LK3xTZP.V2AhLK3UTZP.V2A3LK3.)U_...(>.38TZP...q.!....g...w<.5hZl...2....N`.[2.E.~...E..?..%.YGn..49R^U0Q6BAqEx..q0R6DOKO04iT...`.j.....C....6.O8TZP2V.AM.K38..P.V2A.L.3..ZP2..A.L.3...P

C:\Users\user\AppData\Local\Temp\aut5E8B.tmp

Download File

Process:	C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe
File Type:	data
Category:	dropped
Size (bytes):	135754
Entropy (8bit):	7.84020016694751
Encrypted:	false
SSDEEP:	3072:eYZZFrLzRVqM+N9p/SV3Nh2pnKCB3d7DvaQr6e:e6ZZvARSlNWHJdfr/
MD5:	D67A7E737B025A993951A2E35452813B
SHA1:	18F73B2CC04E1924B425F79B5C2392B6D189822F
SHA-256:	873A8611E32A521529897103DE089671CD255428A0A5F66E1B693B0279F70F65
SHA-512:	E703334B8351C042BA9A4CF738AED56F400A4A9F17307A652DB79022695A55C4B367C6142CEE40432041ACAF2E39257929F3B53A43682F3BED5B4D42AA144F75
Malicious:	false
Reputation:	low
Preview:	EA06......U..ZeA..)s>>..P........T.T&@.....}[...yI.S...3..?.{4.I?...S..;.H..)-r.t.MbRJ<..%...M.9.I,t.4.8....&.3.Uk5....'.`.J.0.Q.....Y.L.....{@....a........S.s9..Fi .....@...r.Si.....0.4....$@...{.4...c.....0...iY.O.B? ...K....;0.V....N.$Uy...0.s@63.......J.2.....l.0...?...!..6\|..e....O...A.....`{.............P.L.N4.e:g....k..N.$'5J.Zd......Y..{....%6J.B....\|....I....u..^.P..m..!?.p.Y.~C\.....u....Lz:..bG..&.......B....I..E.s.4......6.=.?.W?.....5...U.....\|.V.w[K......rq..V.s{.NMB..,Q..zk(........fpY...$.@-1Z.V...R..n....H..7w.3.$+.....0.........H...0.aL..!`c..........E.....w)....^.}....P}........^....n....Z.c.~..R...S.....=E...M-.c..rX%f.n.D..z.0..T.......3...O....KMR7......W+...`xT?./O..w..0...i......s@u.g.g.....nh.a...;U.<.#..mtz..Q5..k.yE..g.A/R....y..b.6.N. ....r..._>g...*.J(..C.F...T2.2.F.T..:.T.U#.I...L..h.j.BmT.T.....u.._.Ui...L..h.P...,..`....R....m".y.@+U....L.E$.j.3]3.^-1...0..L.2M.2...D..( .!a..)3;=.IQ.j&v.}N....J.P.M

C:\Users\user\AppData\Local\Temp\aut5ECB.tmp

Download File

Process:	C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe
File Type:	data
Category:	dropped
Size (bytes):	9888
Entropy (8bit):	7.603904757543239
Encrypted:	false
SSDEEP:	192:yyaFcTokxCW/EeiNo/GONuVROF9cfsSEyRnfcRsaKqH7z:cFxkUWceiNo3NiWeRnfcRHKqf
MD5:	561CE7C860D0353E81ACC45B02630CD5
SHA1:	D2900FBDDADC5652C3B9E17C1FE61D4E1304B7C4
SHA-256:	A78E376CECA34A34B07416D688F41577C0B583622A29E714B94C0E4AF19C18EE
SHA-512:	125F97253CFDA97C1CF6C85CC7BA057CCD35D5010C6D2E8EAD40E021CD1319D557190A1B6514B5E5C1D7F8419C536632EEEC6392940091566A2C1C6628F8E98C
Malicious:	false
Reputation:	low
Preview:	EA06..p4.M(...aD..fT)..D.Mh.z,.gA....5.......B.Mh..%.mF.Mf....qb.....-..c.L...$.m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...\|.I..W.d...\|vI..W.d...\|vK..W.d...\|vK(.W.e...\|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn.

C:\Users\user\AppData\Local\Temp\bothsidedness

Download File

Process:	C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe
File Type:	ASCII text, with very long lines (28724), with no line terminators
Category:	dropped
Size (bytes):	28724
Entropy (8bit):	3.596683019954131
Encrypted:	false
SSDEEP:	768:ViTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNboE+I026c024vfF3if6D:ViTZ+2QoioGRk6ZklputwjpjBkCiw2Ro
MD5:	C4B4175F215CD0BE78C4CA097024F663
SHA1:	26FBFE6ED1B484874B94C1C721AE1A960F42B9A3
SHA-256:	D3B130920DDFB9FF8C0542AF6D1EE9E0714A2513C2990E0800C97D34E3014432
SHA-512:	09CB1E5E12EB0D0BB93352B11215ACBB12B5C33DA77D00B96C51B2DB72F78B81EA4C1C91256B040000E284A17546468E9990C870DC271E1FAF64393148A77ABD
Malicious:	false
Reputation:	low
Preview:	84F98E0D192B10FD05E7E43AEF7957D5930866ABD5D0DA6FF50x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.469482059511776
Encrypted:	false
SSDEEP:	6144:DzZfpi6ceLPx9skLmb0f/ZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:/ZHt/ZWOKnMM6bFppj4
MD5:	01ECE52E8F21D125FEE5954D73D6AF83
SHA1:	AD2ABE3868453F648E405BFDC8D50B93837AE2D6
SHA-256:	4F50B63EA89FFE4CD717ED8B0BF97C936D540CC5A678FD6CC2C4DDA8EB114779
SHA-512:	6B382CD0B83423010796E42D64EF6A896059214C46044FDFF79C1F14EFC4D95725768F894726EEA519266D78F1FFE0B29D072B35D66AB27531DE566FB1ECB104
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.ha..................................................................................................................................................................................................................................................................................................................................................v>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.930650719237883
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe
File size:	1'034'240 bytes
MD5:	7cf8781d8b1fa876f7632c568af5d727
SHA1:	7c7feec337fcab7cb9c023ebb41d2c4ef5aa612f
SHA256:	8530534bc175ea24f11da23e49fe1dc2110a9a5ee8e4daa4d0fc25c8cfe70780
SHA512:	5cdae8d6d402e5ec02894e837012f21fb9b653afee951013e73c8af268b615feaeab5bc089fb921cc768ab144195523027bab1625b2aeb94007f8cfb3358bec1
SSDEEP:	24576:RAHnh+eWsN3skA4RV1Hom2KXMmHaCONNrstVyy6y5:oh+ZkldoPK8YaCONNuQyP
TLSH:	A0259C0273D1C036FFABA2739B6AF24556BC79254123852F13982DB9BD701B2273D663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x664F778E [Thu May 23 17:06:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FF38C6D347Dh
jmp 00007FF38C6C6234h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FF38C6C63BAh
cmp edi, eax
jc 00007FF38C6C671Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FF38C6C63B9h
rep movsb
jmp 00007FF38C6C66CCh
cmp ecx, 00000080h
jc 00007FF38C6C6584h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FF38C6C63C0h
bt dword ptr [004BF324h], 01h
jc 00007FF38C6C6890h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FF38C6C655Dh
test edi, 00000003h
jne 00007FF38C6C656Eh
test esi, 00000003h
jne 00007FF38C6C654Dh
bt edi, 02h
jnc 00007FF38C6C63BFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FF38C6C63C3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FF38C6C6415h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x32148	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfb000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x32148	0x32200	59da9c798b331eaec04249907e65a5af	False	0.8689409289276808	data	7.745299676602099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfb000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x2940e	data			1.0003610022843752
RT_GROUP_ICON	0xf9bc8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf9c40	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf9c54	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf9c68	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf9c7c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf9d58	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	01:41:33
Start date:	24/05/2024
Path:	C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe"
Imagebase:	0x5b0000
File size:	1'034'240 bytes
MD5 hash:	7CF8781D8B1FA876F7632C568AF5D727
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.2097885790.0000000001ED0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:41:34
Start date:	24/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe"
Imagebase:	0x440000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3327705717.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	01:41:35
Start date:	24/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 12
Imagebase:	0x380000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exePID: 7100, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 005B3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005B3B7A
IsDebuggerPresent.KERNEL32 ref: 005B3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,006762F8,006762E0,?,?), ref: 005B3BFD

Part of subcall function 005B7D2C: _memmove.LIBCMT ref: 005B7D66

Part of subcall function 005C0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005B3C26,006762F8,?,?,?), ref: 005C0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 005B3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006693F0,00000010), ref: 005ED4BC
SetCurrentDirectoryW.KERNEL32(?,006762F8,?,?,?), ref: 005ED4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00665D40,006762F8,?,?,?), ref: 005ED57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 005ED581

Part of subcall function 005B3A58: GetSysColorBrush.USER32(0000000F), ref: 005B3A62
Part of subcall function 005B3A58: LoadCursorW.USER32(00000000,00007F00), ref: 005B3A71
Part of subcall function 005B3A58: LoadIconW.USER32(00000063), ref: 005B3A88
Part of subcall function 005B3A58: LoadIconW.USER32(000000A4), ref: 005B3A9A
Part of subcall function 005B3A58: LoadIconW.USER32(000000A2), ref: 005B3AAC
Part of subcall function 005B3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005B3AD2
Part of subcall function 005B3A58: RegisterClassExW.USER32(?), ref: 005B3B28

Part of subcall function 005B39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005B3A15
Part of subcall function 005B39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005B3A36
Part of subcall function 005B39E7: ShowWindow.USER32(00000000,?,?), ref: 005B3A4A
Part of subcall function 005B39E7: ShowWindow.USER32(00000000,?,?), ref: 005B3A53

Part of subcall function 005B43DB: _memset.LIBCMT ref: 005B4401
Part of subcall function 005B43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005B44A6

Strings

runas, xrefs: 005ED575
This is a third-party compiled AutoIt script., xrefs: 005ED4B4
%d, xrefs: 005B3C56

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%d
API String ID: 529118366-3802031540
Opcode ID: 9ce40f4a002c2ddbb3bdfbdf682fc7cb5c7e0a30f0e763d46f80248305f73d4a
Instruction ID: f293323da75361ab9ee2907dd403a2047e71462a4b64b64d9715eab6e5ea5ba8
Opcode Fuzzy Hash: 9ce40f4a002c2ddbb3bdfbdf682fc7cb5c7e0a30f0e763d46f80248305f73d4a
Instruction Fuzzy Hash: CE51C530D0464AAECF15ABF4DC0AEED7F7ABF84300F045165F469B21A2DA706B45CB61

Function 005B4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,005B4EEE,?,?,00000000,00000000), ref: 005B4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005B4EEE,?,?,00000000,00000000), ref: 005B5010
LoadResource.KERNEL32(?,00000000,?,?,005B4EEE,?,?,00000000,00000000,?,?,?,?,?,?,005B4F8F), ref: 005EDD60
SizeofResource.KERNEL32(?,00000000,?,?,005B4EEE,?,?,00000000,00000000,?,?,?,?,?,?,005B4F8F), ref: 005EDD75
LockResource.KERNEL32(N[,?,?,005B4EEE,?,?,00000000,00000000,?,?,?,?,?,?,005B4F8F,00000000), ref: 005EDD88

Strings

N[, xrefs: 005EDD85
SCRIPT, xrefs: 005B5006

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$N[
API String ID: 3051347437-513483360
Opcode ID: 32ba57368a2a96c2c93359d011fb80d16ac6a8227d314591f35b5d2ecf2b0b95
Instruction ID: c1e80ca3df1e5f3ac77349e6d02b6196320c2f8ba8f504d416d3eaf8db30a47f
Opcode Fuzzy Hash: 32ba57368a2a96c2c93359d011fb80d16ac6a8227d314591f35b5d2ecf2b0b95
Instruction Fuzzy Hash: 16115A75600704AFD7259B65DC58F677BBAFBC9B51F204168F40686260EB72E80086A0

Function 005B4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 005B4B2B

Part of subcall function 005B7D2C: _memmove.LIBCMT ref: 005B7D66

GetCurrentProcess.KERNEL32(?,0063FAEC,00000000,00000000,?), ref: 005B4BF8
IsWow64Process.KERNEL32(00000000), ref: 005B4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 005B4C45
FreeLibrary.KERNEL32(00000000), ref: 005B4C50
GetSystemInfo.KERNEL32(00000000), ref: 005B4C81
GetSystemInfo.KERNEL32(00000000), ref: 005B4C8D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: f637e6a226c60a369542cc8f605f2df22c8cc9eab0898895a237dd28f6ae8afd
Instruction ID: 1bd32fd3204a3b2607ac06e87804e917e5e51b7118bb337f30aac4d2f90f6350
Opcode Fuzzy Hash: f637e6a226c60a369542cc8f605f2df22c8cc9eab0898895a237dd28f6ae8afd
Instruction Fuzzy Hash: 6991C33194ABC4DECB35CB6895551EABFF5BF29300B544D9DD0CB83A42D220F908CB69

Function 005BE800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dtg, xrefs: 005BEC1A
Variable must be of type 'Object'., xrefs: 005F428C
Dtg, xrefs: 005F3F1F
Dtg, xrefs: 005F3F58
Dtg, xrefs: 005BEC21

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID: Dtg$Dtg$Dtg$Dtg$Variable must be of type 'Object'.
API String ID: 0-1166452062
Opcode ID: 5606cf7515f23ed47de78877fde3877fd4f25a3ac4896def9bca7c28f54632d1
Instruction ID: 2ec7dd15c3bcdab764d71135105773a599ee93a120232df0ab0eb741657b9706
Opcode Fuzzy Hash: 5606cf7515f23ed47de78877fde3877fd4f25a3ac4896def9bca7c28f54632d1
Instruction Fuzzy Hash: E8A26F74A04205CFCB24CF58C885AEABBB6FF58310F288559E916AB351D735FD82CB91

Function 00614696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,005EE7C1), ref: 006146A6
FindFirstFileW.KERNELBASE(?,?), ref: 006146B7
FindClose.KERNEL32(00000000), ref: 006146C7

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: cff42f51d7cc7dae9a3992aeb2c19b1b97245bd75c32ba3e9bab08b18ed291ac
Instruction ID: 1f6065f2672863b055ed17ff94b1fc3549fcc4d5102c3c37b31b63938c334ee5
Opcode Fuzzy Hash: cff42f51d7cc7dae9a3992aeb2c19b1b97245bd75c32ba3e9bab08b18ed291ac
Instruction Fuzzy Hash: 24E0D8328104019B57106778EC4D8EB775E9E06339F100715F875C31E0EBB05D9085D5

Function 005C0B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005C0BBB
timeGetTime.WINMM ref: 005C0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005C0FB3
TranslateMessage.USER32(?), ref: 005C0FC7
DispatchMessageW.USER32(?), ref: 005C0FD5
Sleep.KERNEL32(0000000A), ref: 005C0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 005C105A
DestroyWindow.USER32 ref: 005C1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005C1080
Sleep.KERNEL32(0000000A,?,?), ref: 005F52AD
TranslateMessage.USER32(?), ref: 005F608A
DispatchMessageW.USER32(?), ref: 005F6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005F60AC

Strings

@GUI_WINHANDLE, xrefs: 005F53B9
prg, xrefs: 005F542D
@TRAY_ID, xrefs: 005F5BB9
prg, xrefs: 005F5BDE
prg, xrefs: 005F53D8
@COM_EVENTOBJ, xrefs: 005F591A
@GUI_CTRLHANDLE, xrefs: 005F540E
prg, xrefs: 005F5383
@GUI_CTRLID, xrefs: 005F5364

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prg$prg$prg$prg
API String ID: 4003667617-104670511
Opcode ID: f193a9174d870dbc6681fbb69a02a4d536cbbce1b1c6992d8e55bcdcb6a55d55
Instruction ID: f1ee5c6f6faaf9691c1d191335ef3587e4683352d7a7bde15738f52912eb62a1
Opcode Fuzzy Hash: f193a9174d870dbc6681fbb69a02a4d536cbbce1b1c6992d8e55bcdcb6a55d55
Instruction Fuzzy Hash: 01B29270608746DFD728DF24C848FAABFE5BF84304F14491DE69997291DB75E884CB82

Function 006193DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006191E9: __time64.LIBCMT ref: 006191F3

Part of subcall function 005B5045: _fseek.LIBCMT ref: 005B505D

__wsplitpath.LIBCMT ref: 006194BE

Part of subcall function 005D432E: __wsplitpath_helper.LIBCMT ref: 005D436E

_wcscpy.LIBCMT ref: 006194D1
_wcscat.LIBCMT ref: 006194E4
__wsplitpath.LIBCMT ref: 00619509
_wcscat.LIBCMT ref: 0061951F
_wcscat.LIBCMT ref: 00619532

Part of subcall function 0061922F: _memmove.LIBCMT ref: 00619268
Part of subcall function 0061922F: _memmove.LIBCMT ref: 00619277

_wcscmp.LIBCMT ref: 00619479

Part of subcall function 006199BE: _wcscmp.LIBCMT ref: 00619AAE
Part of subcall function 006199BE: _wcscmp.LIBCMT ref: 00619AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006196DC
_wcsncpy.LIBCMT ref: 0061974F
DeleteFileW.KERNEL32(?,?), ref: 00619785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0061979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006197AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006197BE

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 4e90b0a76b954b3e85a472e497547a1a9e434070964e380036f10418b2d4611d
Instruction ID: 50484756e868a758c33692e80e8e8153777fc964dd1d9b274a5b358de22b099d
Opcode Fuzzy Hash: 4e90b0a76b954b3e85a472e497547a1a9e434070964e380036f10418b2d4611d
Instruction Fuzzy Hash: D3C120B1D00119ABDF25DF95CC95EDEBBBDAF45300F0440AAF609E7251EB309A848F65

Function 005B3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005B3074
RegisterClassExW.USER32(00000030), ref: 005B309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005B30AF
InitCommonControlsEx.COMCTL32(?), ref: 005B30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005B30DC
LoadIconW.USER32(000000A9), ref: 005B30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005B3101

Strings

0, xrefs: 005B3056
+, xrefs: 005B305D
TaskbarCreated, xrefs: 005B30A4
AutoIt v3 GUI, xrefs: 005B3090

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f3ee6aabf28273062beccbe6b2f71a04bf8f633ee83fcb7af0ebe009d46afade
Instruction ID: dda794fc403e71bd83f241711c5bba154086c40bba6ddefe1f27735566cca119
Opcode Fuzzy Hash: f3ee6aabf28273062beccbe6b2f71a04bf8f633ee83fcb7af0ebe009d46afade
Instruction Fuzzy Hash: 22316971C01305EFDB40CFA4E884AC9BBF1FB08310F14552AF595E62A1D3B64581CFA1

Function 005B3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005B3074
RegisterClassExW.USER32(00000030), ref: 005B309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005B30AF
InitCommonControlsEx.COMCTL32(?), ref: 005B30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005B30DC
LoadIconW.USER32(000000A9), ref: 005B30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005B3101

Strings

0, xrefs: 005B3056
+, xrefs: 005B305D
TaskbarCreated, xrefs: 005B30A4
AutoIt v3 GUI, xrefs: 005B3090

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3ab475715cde7697e9ccb80112586870affbfba347c840aad74b3eb4fbf4b6e8
Instruction ID: 9e904d9bae967c17e9d0cb1a98880b9ba2f96a3764f0c1af43d40c214faea523
Opcode Fuzzy Hash: 3ab475715cde7697e9ccb80112586870affbfba347c840aad74b3eb4fbf4b6e8
Instruction Fuzzy Hash: F021F4B1D11208EFDB04DFA8ED88BDDBBF6FB08700F00512AF915A62A0D7B145848FA1

Function 005B71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005B4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006762F8,?,005B37C0,?), ref: 005B4882

Part of subcall function 005D074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,005B72C5), ref: 005D0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005B7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005EECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005EED32
RegCloseKey.ADVAPI32(?), ref: 005EED70
_wcscat.LIBCMT ref: 005EEDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 005B72FE
\, xrefs: 005EEDEC
Include, xrefs: 005EECE8, 005EED29
\Include\, xrefs: 005B72C5

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 692098b12e66ba61b43bbdb5df968e72c93b7c5bc2a82f45cd13b86c84895711
Instruction ID: 08a2e1abedb8296ade0a788752da4645b1a35689c0eaeff32bd79aee445ca200
Opcode Fuzzy Hash: 692098b12e66ba61b43bbdb5df968e72c93b7c5bc2a82f45cd13b86c84895711
Instruction Fuzzy Hash: 427153714083069EC318EF25DC859ABBFE9FF98350F40552EF469972B1EB709A88CB51

Function 005B3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 005B36D2
KillTimer.USER32(?,00000001), ref: 005B36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005B371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005B372A
CreatePopupMenu.USER32 ref: 005B373E
PostQuitMessage.USER32(00000000), ref: 005B375F

Strings

%d, xrefs: 005ED2D1, 005ED31F
TaskbarCreated, xrefs: 005B3725

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%d
API String ID: 129472671-48470135
Opcode ID: f35fc710ac0921658c9b3a2c4bce7ac811395292526bfc53d8dc24562c80bfaa
Instruction ID: a3f258592f36c76a8c019c9a362b84ae428874291906491f1985d91df55e0a3a
Opcode Fuzzy Hash: f35fc710ac0921658c9b3a2c4bce7ac811395292526bfc53d8dc24562c80bfaa
Instruction Fuzzy Hash: 8B41F9B1100A466BDB285F64EC09BF93F66FB44300F140529F516E62B2DE65BF509772

Function 005B3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005B3A62
LoadCursorW.USER32(00000000,00007F00), ref: 005B3A71
LoadIconW.USER32(00000063), ref: 005B3A88
LoadIconW.USER32(000000A4), ref: 005B3A9A
LoadIconW.USER32(000000A2), ref: 005B3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005B3AD2
RegisterClassExW.USER32(?), ref: 005B3B28

Part of subcall function 005B3041: GetSysColorBrush.USER32(0000000F), ref: 005B3074
Part of subcall function 005B3041: RegisterClassExW.USER32(00000030), ref: 005B309E
Part of subcall function 005B3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005B30AF
Part of subcall function 005B3041: InitCommonControlsEx.COMCTL32(?), ref: 005B30CC
Part of subcall function 005B3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005B30DC
Part of subcall function 005B3041: LoadIconW.USER32(000000A9), ref: 005B30F2
Part of subcall function 005B3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005B3101

Strings

#, xrefs: 005B3B0D
AutoIt v3, xrefs: 005B3B17
0, xrefs: 005B3B06

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 28c5b9d3eb09ec37ce816347c9673ec4fc4ccd8730943b7c657de3a37b27ec90
Instruction ID: ad7134c53c4f292a703aef56f2aaa216a1230160b5516268194f1a6b216271c6
Opcode Fuzzy Hash: 28c5b9d3eb09ec37ce816347c9673ec4fc4ccd8730943b7c657de3a37b27ec90
Instruction Fuzzy Hash: 93215E70D00304AFDB549FA4EC09B9D7FB6FB08710F00122AF618A62A2D7B656948F94

Function 005B3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 005B388F
/AutoIt3ExecuteScript, xrefs: 005B38CE
bg, xrefs: 005ED44E
/AutoIt3OutputDebug, xrefs: 005B38A4
CMDLINERAW, xrefs: 005B380D
CMDLINE, xrefs: 005B3834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 005B37C0
/AutoIt3ExecuteLine, xrefs: 005B38B9

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bg
API String ID: 1825951767-2571959684
Opcode ID: 0e959b8bd44d78361e5790598d35cfbcdaf3c99ea21b8d41612d2d518dade608
Instruction ID: 6ac2c6abb6f8ef0897f1f6a0f585bc3a410352447aa844091ce7096f3069f412
Opcode Fuzzy Hash: 0e959b8bd44d78361e5790598d35cfbcdaf3c99ea21b8d41612d2d518dade608
Instruction Fuzzy Hash: 01A12171D1022E9ACB14EFA4CC99AEEBB79BF54300F54042AF416B7192DF75A609CB60

Function 005BF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005D03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 005D03D3
Part of subcall function 005D03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 005D03DB
Part of subcall function 005D03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005D03E6
Part of subcall function 005D03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005D03F1
Part of subcall function 005D03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 005D03F9
Part of subcall function 005D03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 005D0401

Part of subcall function 005C6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,005BFA90), ref: 005C62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005BFB2D
OleInitialize.OLE32(00000000), ref: 005BFBAA
CloseHandle.KERNEL32(00000000), ref: 005F49F2

Strings

<gg, xrefs: 005BFA90
\dg, xrefs: 005BF957
%d, xrefs: 005BF8F6, 005BF908, 005BFACE, 005BFBB1
cg, xrefs: 005BF94B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <gg$\dg$%d$cg
API String ID: 1986988660-812480285
Opcode ID: f2b2030d0c55d2c6d700d855af95bd1b3464ec1e24db59dda8fb920019f99e93
Instruction ID: 88295e35748d0f1f3a91619be42dce151d35c227499d9c3a30de7edd9a1d0d70
Opcode Fuzzy Hash: f2b2030d0c55d2c6d700d855af95bd1b3464ec1e24db59dda8fb920019f99e93
Instruction Fuzzy Hash: 9981A6B0900A418EC39CDF79E9596557FE7FB98318B10E53AB01DCB26AEB318488CF51

Function 01142640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01142711
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01142937

Memory Dump Source

Source File: 00000000.00000002.2096891884.0000000001140000.00000040.00001000.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 9f4c447dc57925b113259c67b0f69b5e9377792dc5dd1edf08bed9da7bb1896a
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 65A12A74E00209EBEB18CFA4D854BEEBBB5BF48705F208159F205BB280D7759A81CF55

Function 005B39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005B3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005B3A36
ShowWindow.USER32(00000000,?,?), ref: 005B3A4A
ShowWindow.USER32(00000000,?,?), ref: 005B3A53

Strings

edit, xrefs: 005B3A30
AutoIt v3, xrefs: 005B3A0D, 005B3A12, 005B3A13

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 98d0e94330f69015903a8f11df6a647beb986cf6e7387f64893a7617d2972222
Instruction ID: 5f3cf85dda6ee64932e74daadcd78ab663a5cb53cae6b68ba8cd736a4ded4bd4
Opcode Fuzzy Hash: 98d0e94330f69015903a8f11df6a647beb986cf6e7387f64893a7617d2972222
Instruction Fuzzy Hash: FFF03070A002907EEB701713AC09E273E7FD7C6F50F001029B918A2271C5A50880DAB0

Function 01142410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01142300: Sleep.KERNELBASE(000001F4), ref: 01142311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0114252A

Strings

8TZP2V2AMLK3, xrefs: 0114258D, 01142590

Memory Dump Source

Source File: 00000000.00000002.2096891884.0000000001140000.00000040.00001000.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CreateFileSleep
String ID: 8TZP2V2AMLK3
API String ID: 2694422964-1788617610
Opcode ID: c6cee032b2a129745f2d67245b0a2421a37e5b8cf3a1c73c9462c0ce4947ecc7
Instruction ID: e43ac7272ece82890e65a5287487128a8712362483f67a63633f2e6061fd184e
Opcode Fuzzy Hash: c6cee032b2a129745f2d67245b0a2421a37e5b8cf3a1c73c9462c0ce4947ecc7
Instruction Fuzzy Hash: 0D519330D04249EBEF15DBA4D814BEEBB79AF18700F004199F609BB2C0D7B91B85CBA5

Function 005B410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005ED5EC

Part of subcall function 005B7D2C: _memmove.LIBCMT ref: 005B7D66

_memset.LIBCMT ref: 005B418D
_wcscpy.LIBCMT ref: 005B41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005B41F1

Strings

Line: , xrefs: 005ED615

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 8d55a66685208c172b952822b9e24e9d4b745d6883aefb43dd533ab2fb382fc6
Instruction ID: b2a8ee380b6276b726c99d7c6822abc8cde0eb6913d49aea6637f0ba192afc70
Opcode Fuzzy Hash: 8d55a66685208c172b952822b9e24e9d4b745d6883aefb43dd533ab2fb382fc6
Instruction Fuzzy Hash: 2F31A6714083066AD775EB64DC4ABEB7BEDBF84300F10491EF199921A2DB70B648CB93

Function 005D564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D56AB
_memcpy_s.LIBCMT ref: 005D571D
__read_nolock.LIBCMT ref: 005D577B
__filbuf.LIBCMT ref: 005D579E
_memset.LIBCMT ref: 005D57E2

Part of subcall function 005D8D68: __getptd_noexit.LIBCMT ref: 005D8D68

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 0b7c72ae47b15ef8aedc1945189c877c17418b6d9fde6dd5519b041799a1ab50
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 04517C30A00B06DBDB349FAD888466E7FA5FF403A0F74862BF825963D0E7709D518B41

Function 005B69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 005B4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,006762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005B4F6F

_free.LIBCMT ref: 005EE68C
_free.LIBCMT ref: 005EE6D3

Part of subcall function 005B6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 005B6D0D

Strings

Bad directive syntax error, xrefs: 005EE6BB
>>>AUTOIT SCRIPT<<<, xrefs: 005EE462

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 1cf20b0fa4137b5f8f94447101846fcc64c8a4b5fb9d6921787f284abeef11e8
Instruction ID: 0170df175765af5f1a1c672eedcfaf5a677a0e5925c0500c358f8adf0113688b
Opcode Fuzzy Hash: 1cf20b0fa4137b5f8f94447101846fcc64c8a4b5fb9d6921787f284abeef11e8
Instruction Fuzzy Hash: 5791AF7191025AEFCF18EFA5C8869EDBFB5FF58300F14442AF855AB291EB30A905CB50

Function 005B35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,005B35A1,SwapMouseButtons,00000004,?), ref: 005B35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,005B35A1,SwapMouseButtons,00000004,?,?,?,?,005B2754), ref: 005B35F5
RegCloseKey.KERNELBASE(00000000,?,?,005B35A1,SwapMouseButtons,00000004,?,?,?,?,005B2754), ref: 005B3617

Strings

Control Panel\Mouse, xrefs: 005B35D2

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8123e4023d84d80ed1a699f838711ccaa6a4751aaae19631570e2af3bd195477
Instruction ID: ba62b63d022a9807779b89f69f95397f781ab1e240e0c3d6190e83f702ef37e8
Opcode Fuzzy Hash: 8123e4023d84d80ed1a699f838711ccaa6a4751aaae19631570e2af3bd195477
Instruction Fuzzy Hash: 31112AB5911218BFDB208F68DC84EEEBBB9FF04744F115569F805E7210D671AF5097A0

Function 01141300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01141B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01141B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01141B73

Memory Dump Source

Source File: 00000000.00000002.2096891884.0000000001140000.00000040.00001000.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 56e3ea4f67c65637f97591018991d21d1569502de15278dc14b615530e705756
Instruction ID: 0ee206c47894ea44c9782594a58dafc8b0570a812f6730f3c06267265a697eea
Opcode Fuzzy Hash: 56e3ea4f67c65637f97591018991d21d1569502de15278dc14b615530e705756
Instruction Fuzzy Hash: C8620A34A14258DBEB28CFA4C840BDEB776EF58700F1091A9D20DEB394E7759E81CB59

Function 006197E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 005B5045: _fseek.LIBCMT ref: 005B505D

Part of subcall function 006199BE: _wcscmp.LIBCMT ref: 00619AAE
Part of subcall function 006199BE: _wcscmp.LIBCMT ref: 00619AC1

_free.LIBCMT ref: 0061992C
_free.LIBCMT ref: 00619933
_free.LIBCMT ref: 0061999E

Part of subcall function 005D2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,005D9C64), ref: 005D2FA9
Part of subcall function 005D2F95: GetLastError.KERNEL32(00000000,?,005D9C64), ref: 005D2FBB

_free.LIBCMT ref: 006199A6

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 957a392c8a397e82fbd44548b8749c078dcf9a1c1048a50386f07f62e9114626
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: EC515DB1D04219AFDF249F64CC45ADEBB7AFF48300F0404AEB209A7241DB315A80CF58

Function 005D493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005D49D0
__flush.LIBCMT ref: 005D49F0
__write.LIBCMT ref: 005D4A23
__flsbuf.LIBCMT ref: 005D4A51

Part of subcall function 005D8D68: __getptd_noexit.LIBCMT ref: 005D8D68

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 32007749769f9f0c54c3f40273f593be7c3846401dac8cb0033c7cfb804caac4
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 324190716416069BDF388FAEC8949AF7FA6BF80360B24856FE85987790DB709D408F44

Function 005B4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005B4E1A

Strings

AU3!P/d, xrefs: 005B4E14
EA06, xrefs: 005EDCF5

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/d$EA06
API String ID: 4104443479-3375198692
Opcode ID: 392adbb8a157efc1025d55c917f7256a7f4eb869705467ffdc587944980966d1
Instruction ID: dda3b11945f4c5cd395464a87927f4b877257159be15115569d151f3794ffc33
Opcode Fuzzy Hash: 392adbb8a157efc1025d55c917f7256a7f4eb869705467ffdc587944980966d1
Instruction Fuzzy Hash: DC417A21A045586BCF359F6488597FE7FBABF45300F684465F8829B283D621FD448BA2

Function 005B73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005EEE62
GetOpenFileNameW.COMDLG32(?), ref: 005EEEAC

Part of subcall function 005B48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005B48A1,?,?,005B37C0,?), ref: 005B48CE

Part of subcall function 005D09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005D09F4

Strings

X, xrefs: 005EEE7A

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: c46899e82cad7a3ebb96c0cf9aed563a57261af3be6823264962e55663527b50
Instruction ID: 691781f32aef6cd3617cc9f284c0a8225d27e0e3218ab9c2a1f3678e09b9712e
Opcode Fuzzy Hash: c46899e82cad7a3ebb96c0cf9aed563a57261af3be6823264962e55663527b50
Instruction Fuzzy Hash: 772184719102999BCB159F98C8497EE7FFDAF89310F00405AE409E7281DBB459898BA1

Function 0061901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00619036
__fread_nolock.LIBCMT ref: 0061904B

Strings

EA06, xrefs: 0061907D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 3f28fc92d0b17523664fdb2a61445cc76cd2f11c3540b1fcf35b7ed71b19a0d2
Instruction ID: 967f20289205c0a0cd3bf8870d2b3af668aa5c64aeedada4580bef9174cdaa70
Opcode Fuzzy Hash: 3f28fc92d0b17523664fdb2a61445cc76cd2f11c3540b1fcf35b7ed71b19a0d2
Instruction Fuzzy Hash: 0B01B9719042587EDB28D6A8CC5AEFEBFF89B15301F04419FF552D2281E575A6049B60

Function 00619B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00619B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00619B99

Strings

aut, xrefs: 00619B93

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 4d0982da2aae6fd336ecc0d567b456702d813d5bd67bc71a984c5ba4442b137b
Instruction ID: d696d1d94f04b7766b2c578c078b1e7153ed2504ae2c78af30069f612f705fe6
Opcode Fuzzy Hash: 4d0982da2aae6fd336ecc0d567b456702d813d5bd67bc71a984c5ba4442b137b
Instruction Fuzzy Hash: 2ED05E7994030DABDB109BD0DC0EF9BB76DE744700F0042A1BE54910A1DEB056988BD1

Function 0062CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b50173ff0f4d75004bbf7e277f863f24564a26c172771a5fd5e6bc4f416f7a
Instruction ID: cf7d6205d279821f6f618c7c883c891bd8f975745223800e24c59b6a3a2d9a93
Opcode Fuzzy Hash: 17b50173ff0f4d75004bbf7e277f863f24564a26c172771a5fd5e6bc4f416f7a
Instruction Fuzzy Hash: 8DF149706087119FC714DF28D484A6ABBE6FF88314F14892EF9999B351D731E945CF82

Function 005B43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005B4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 005B44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 005B44C3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 5bc489e73cedd27dd0136a30e74b16be92ab06cd748bdaf409fd00e1d48c4301
Instruction ID: bc52b1dc2e3100a8b237d7f581d0c56fae93bc8eaf948f983ad77bf4766bdc53
Opcode Fuzzy Hash: 5bc489e73cedd27dd0136a30e74b16be92ab06cd748bdaf409fd00e1d48c4301
Instruction Fuzzy Hash: AE314F705047018FDB74DF24D88469BBFE9FB49304F00092EF59A82252D775AA54CF92

Function 005D594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 005D5963

Part of subcall function 005DA3AB: __NMSG_WRITE.LIBCMT ref: 005DA3D2
Part of subcall function 005DA3AB: __NMSG_WRITE.LIBCMT ref: 005DA3DC

__NMSG_WRITE.LIBCMT ref: 005D596A

Part of subcall function 005DA408: GetModuleFileNameW.KERNEL32(00000000,006743BA,00000104,?,00000001,00000000), ref: 005DA49A
Part of subcall function 005DA408: ___crtMessageBoxW.LIBCMT ref: 005DA548

Part of subcall function 005D32DF: ___crtCorExitProcess.LIBCMT ref: 005D32E5
Part of subcall function 005D32DF: ExitProcess.KERNEL32 ref: 005D32EE

Part of subcall function 005D8D68: __getptd_noexit.LIBCMT ref: 005D8D68

RtlAllocateHeap.NTDLL(01160000,00000000,00000001,00000000,?,?,?,005D1013,?), ref: 005D598F

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 7daa3ab555ae59c2bd3199302ab0449cec73730e0e1b2605915135c3e67ac6fb
Instruction ID: d69ff657f223d5c943a90652da8ba2b33a637237fbd6371889213eac207918fb
Opcode Fuzzy Hash: 7daa3ab555ae59c2bd3199302ab0449cec73730e0e1b2605915135c3e67ac6fb
Instruction Fuzzy Hash: 0E01C431240616DED735372DE86A73A7F49BF91771F100027F404A63D1EE709D41C661

Function 00619B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006197D2,?,?,?,?,?,00000004), ref: 00619B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006197D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00619B5B
CloseHandle.KERNEL32(00000000,?,006197D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00619B62

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 456f3f23d0c08effca7556bfd262c4b6c64363ac9ed300099159c58e76fe1d70
Instruction ID: f531763384903b926cb0b8b480f3a00bc90181a51b830143f82e9038bd0b9924
Opcode Fuzzy Hash: 456f3f23d0c08effca7556bfd262c4b6c64363ac9ed300099159c58e76fe1d70
Instruction Fuzzy Hash: E8E08632580314B7E7211B54FC09FDA7B5AAB05761F144220FB14690E087B1251197D8

Function 00618F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00618FA5

Part of subcall function 005D2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,005D9C64), ref: 005D2FA9
Part of subcall function 005D2F95: GetLastError.KERNEL32(00000000,?,005D9C64), ref: 005D2FBB

_free.LIBCMT ref: 00618FB6
_free.LIBCMT ref: 00618FC8

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: 02b47782da59d9fc417a76b0ede09ceb2ab246954cf060774e0eec34e2229a9f
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 97E012A16097038ECA34A67CAD45ED75BEF6F88390B1C0C1FB409DB342EF24E8828124

Function 005BAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 005F002B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: e3219fb1fab2767d001ddec64100fe5438463a966ab4cf509006556b725dbcb1
Instruction ID: 3a94df2a090844929dbb3806bd6ece30d858c12d7ad3e6a3053888a57aa691f4
Opcode Fuzzy Hash: e3219fb1fab2767d001ddec64100fe5438463a966ab4cf509006556b725dbcb1
Instruction Fuzzy Hash: 62223970508241DFDB24DF14C494BAABFE1BF84300F19895DE99A8B362DB75ED85CB82

Function 005B492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 005B4992

Part of subcall function 005D35AC: __lock.LIBCMT ref: 005D35B2
Part of subcall function 005D35AC: DecodePointer.KERNEL32(00000001,?,005B49A7,006081BC), ref: 005D35BE
Part of subcall function 005D35AC: EncodePointer.KERNEL32(?,?,005B49A7,006081BC), ref: 005D35C9

Part of subcall function 005B4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 005B4A73
Part of subcall function 005B4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005B4A88

Part of subcall function 005B3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005B3B7A
Part of subcall function 005B3B4C: IsDebuggerPresent.KERNEL32 ref: 005B3B8C
Part of subcall function 005B3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,006762F8,006762E0,?,?), ref: 005B3BFD
Part of subcall function 005B3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 005B3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005B49D2

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: a2311d4c90d7688f71d7688d776d70888284eb4b83299e8d9d56c6ecb1a32d70
Instruction ID: cb27aab8e9607ec87b115a5e6ef2ff1969aee68e1ab838b976219bc2d7c514f5
Opcode Fuzzy Hash: a2311d4c90d7688f71d7688d776d70888284eb4b83299e8d9d56c6ecb1a32d70
Instruction Fuzzy Hash: 1F116A719083129BC714DF28EC0994AFFE9FB95710F00451AF159932B2DB70A684CB92

Function 005B5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,005B5981,?,?,?,?), ref: 005B5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,005B5981,?,?,?,?), ref: 005EE19C

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fac872d022cdbce777a3e8575821b1aacf5df29495f204c18c01233d596624be
Instruction ID: ea7d590d70d7aa03b5b3b22e041fea13d6474afecf87ce976d1cbd18678b7d2b
Opcode Fuzzy Hash: fac872d022cdbce777a3e8575821b1aacf5df29495f204c18c01233d596624be
Instruction Fuzzy Hash: 8A019270244708BEF3290E24DC8AFB67E9CBB05768F108358FAE56A1E0D6B06E458B50

Function 005D0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005D594C: __FF_MSGBANNER.LIBCMT ref: 005D5963
Part of subcall function 005D594C: __NMSG_WRITE.LIBCMT ref: 005D596A
Part of subcall function 005D594C: RtlAllocateHeap.NTDLL(01160000,00000000,00000001,00000000,?,?,?,005D1013,?), ref: 005D598F

std::exception::exception.LIBCMT ref: 005D102C
__CxxThrowException@8.LIBCMT ref: 005D1041

Part of subcall function 005D87DB: RaiseException.KERNEL32(?,?,?,0066BAF8,00000000,?,?,?,?,005D1046,?,0066BAF8,?,00000001), ref: 005D8830

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 41f2bed86e9045f108602cd4e801f1ef02e91982f2e84da1217c8d16e9b8aa5c
Instruction ID: a1acb49ad6cfdd62c33cb4ffd722150e900b51c8e268b13df35b6adcd3761f44
Opcode Fuzzy Hash: 41f2bed86e9045f108602cd4e801f1ef02e91982f2e84da1217c8d16e9b8aa5c
Instruction Fuzzy Hash: B4F0D63450021AA7C730BA5CEC199EE7FA8BF00350F200427F80491381EB718A908294

Function 005D582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D585C
__lock_file.LIBCMT ref: 005D587D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 1f918b375c63d823104b521c6a5d8a7c1d84c1a7f79cbce4183dbdc13d853564
Instruction ID: b77cafd4eea50783b6029815c6b246a570c69b62821f49df7effca5e51c2792c
Opcode Fuzzy Hash: 1f918b375c63d823104b521c6a5d8a7c1d84c1a7f79cbce4183dbdc13d853564
Instruction Fuzzy Hash: 8D01487180060AEBCF32AF6D8C0959F7F61BFC0360F244217B8246A3A1EB31C651EB51

Function 005D55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005D8D68: __getptd_noexit.LIBCMT ref: 005D8D68

__lock_file.LIBCMT ref: 005D561B

Part of subcall function 005D6E4E: __lock.LIBCMT ref: 005D6E71

__fclose_nolock.LIBCMT ref: 005D5626

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 2931b870fc1f245f6f6dd08dcd3a6de3808067c85f951e817e6c0d1b5a55e1f8
Instruction ID: 250515d42d4f1f1fc7aeebe99f0d44fd1cf6e7b54d52e723c35a0da1d76ac8df
Opcode Fuzzy Hash: 2931b870fc1f245f6f6dd08dcd3a6de3808067c85f951e817e6c0d1b5a55e1f8
Instruction Fuzzy Hash: 36F09671801A069AD7317B7D880A76E6FA17F80334F554107A425AB3C1DF7CC941DB55

Function 011412FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01141B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01141B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01141B73

Memory Dump Source

Source File: 00000000.00000002.2096891884.0000000001140000.00000040.00001000.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 173a12e0826a8e6c4648f93c70ec1c3ee5be85605175e636ec777d1d2aec9320
Instruction ID: c6197533d60c825d5bd8906506b99c7af572670208751b125c986db15091dec6
Opcode Fuzzy Hash: 173a12e0826a8e6c4648f93c70ec1c3ee5be85605175e636ec777d1d2aec9320
Instruction Fuzzy Hash: BF12EE24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A5E81CB5A

Function 005C2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d62f5f45c7377d0842b5c40e6172415a24bc43530a92fae1d3f8762c8fd7fc
Instruction ID: 1b7fda97df568d7d31baf90490f2105eb079167851624eaad63fd7a74b359ee3
Opcode Fuzzy Hash: e5d62f5f45c7377d0842b5c40e6172415a24bc43530a92fae1d3f8762c8fd7fc
Instruction Fuzzy Hash: 57517F34600605AFCF14EB58C995FAE7BA6BF85310F14846CF946AB392DB34ED00CB55

Function 005B5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 005B5CF6

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 67e5b95ecead2d8beb88da08d3769a9ac1550eba1325dbcfec9a414f1038ca26
Instruction ID: 7117e8bba7c4fa05613ec21b7291bfbf055b5d1995a43d99adbc6b8ea2f21200
Opcode Fuzzy Hash: 67e5b95ecead2d8beb88da08d3769a9ac1550eba1325dbcfec9a414f1038ca26
Instruction Fuzzy Hash: 1F311D71A00B1AAFCB1CDF69C48579DBBB6BF88310F248629D81993750E771BD50DB90

Function 005F00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 005F00E1

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d7fec566e631a79c8f9716270467b8f874ccc54616e6e3c9b1397ffada34b765
Instruction ID: ab868a5a7d96e7071e3610e9905259587c6750debe91928debc2c9b8f3614e99
Opcode Fuzzy Hash: d7fec566e631a79c8f9716270467b8f874ccc54616e6e3c9b1397ffada34b765
Instruction Fuzzy Hash: AC41E474504351DFDB24DF14C488B5ABBE1BF85318F19889DE9898B362C376F845CB52

Function 005B5B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005B5B61

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a9bba91e76ef61bcd67281e601962c3acc83fd757852cc4c4cb38109ab28a57b
Instruction ID: b46a35103299541bb98c065275e48c4e7c85b286a1c3be80fadc78cb2648b985
Opcode Fuzzy Hash: a9bba91e76ef61bcd67281e601962c3acc83fd757852cc4c4cb38109ab28a57b
Instruction Fuzzy Hash: 61212430A10A09EBDF185F52E88A7AA7FB9FF40340F21886AE4C6D1111EBB094E0D745

Function 005B4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005B4D13: FreeLibrary.KERNEL32(00000000,?), ref: 005B4D4D

Part of subcall function 005D548B: __wfsopen.LIBCMT ref: 005D5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,006762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005B4F6F

Part of subcall function 005B4CC8: FreeLibrary.KERNEL32(00000000), ref: 005B4D02

Part of subcall function 005B4DD0: _memmove.LIBCMT ref: 005B4E1A

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 79bb7133eec3c91cf84ebfb10a935add57df6b48b005bb35ffe7f4eb640f0de5
Instruction ID: 324ac4fe5c2bb16462c4e1bd2284e49761801dda3065a24ebcca67f3fed1815a
Opcode Fuzzy Hash: 79bb7133eec3c91cf84ebfb10a935add57df6b48b005bb35ffe7f4eb640f0de5
Instruction Fuzzy Hash: C411983160060AAACF24BF74DC1ABEE7FA5AF84711F108429F54197282DA716A159BA1

Function 005F01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 005F01BB

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5ea65793e3f796af0b010599b57157bb2a9898b585ae6b85fa52e4a195cc552a
Instruction ID: c47d335b0f4eec1bb1596efdc8fe4ee74bd24a7c1c43b48a17aa5216fd66d60e
Opcode Fuzzy Hash: 5ea65793e3f796af0b010599b57157bb2a9898b585ae6b85fa52e4a195cc552a
Instruction Fuzzy Hash: 7E2155B4508342DFCB24DF24C448B5ABBE5BF84304F04896CE98A47362D731F849CBA2

Function 005B5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,005B5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 005B5D76

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d568261ea6ae70425fb629c0c8692e07f1605519302b12679703396e2710dceb
Instruction ID: ca8656a9430c8ded69ed266bb7043c53342481249092a6758f311c715fe0e6de
Opcode Fuzzy Hash: d568261ea6ae70425fb629c0c8692e07f1605519302b12679703396e2710dceb
Instruction Fuzzy Hash: EB110A31200B059FD3348F15D488BA6BBE5FF45750F14CA2EE5AA86A50E7B1FA45CB60

Function 005B5BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005EE141

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1121bf664da75f991e32e032bfa421736e91826d0fd9be36dff8f71044f6e75d
Instruction ID: 0cc5648c31fa86520e3eca302a91420950e368782cc66c2b31fef6acc57c9338
Opcode Fuzzy Hash: 1121bf664da75f991e32e032bfa421736e91826d0fd9be36dff8f71044f6e75d
Instruction Fuzzy Hash: 6A018475600942AFC309EB69C845E66FBA9FF85310714815AF815C7742DB30FC21CBE0

Function 005D4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 005D4AD6

Part of subcall function 005D8D68: __getptd_noexit.LIBCMT ref: 005D8D68

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 525035a18f9920015db7ca7c81129798dbf24a1d6c47e9bbde13e50bb07eab13
Instruction ID: ffc870b2715dd64b584d6c8f8994a0328f8dbaffbceabd90c91538b4a16379a6
Opcode Fuzzy Hash: 525035a18f9920015db7ca7c81129798dbf24a1d6c47e9bbde13e50bb07eab13
Instruction Fuzzy Hash: 8BF0813194020A9BDF71AF6D880A3AE3F66BF40325F184517B4149A3D1DB788951DF51

Function 005B4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005B4FDE

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1eb18fb232f69c98d808746bfcfb2899c950479c72431de0c85bd4738a9a9f98
Instruction ID: 884ff2d4f591430ce97343c945c292374c45cdcacc198691ff771599d8c20df5
Opcode Fuzzy Hash: 1eb18fb232f69c98d808746bfcfb2899c950479c72431de0c85bd4738a9a9f98
Instruction Fuzzy Hash: 83F03971505712CFCB349F64E4948A2BFE2BF043293208A3EE1D683712C771A840DF40

Function 005D09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005D09F4

Part of subcall function 005B7D2C: _memmove.LIBCMT ref: 005B7D66

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b136b64193fa91afe2e5ccd440a302bbe2e82665595ccb67284c7014a9c07eff
Instruction ID: db7560c0ea444289427bd0fe1d988acda2aa0ea782f77359fa0c2c289892820e
Opcode Fuzzy Hash: b136b64193fa91afe2e5ccd440a302bbe2e82665595ccb67284c7014a9c07eff
Instruction Fuzzy Hash: 40E08636D042295BC720D6989C09FFA77ADEFC8690F0401B5FC4CD7244D9A0AD818690

Function 00619129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0061914B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 74a67efd10f08247b32de4cb0793d311c7429050fd522cf8e43da27f0fed91e5
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: C3E092B1104B005FD7348A24D815BE377E1BB06315F04081DF2DA83341EB6278818759

Function 005B5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,005EE16B,?,?,00000000), ref: 005B5DBF

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8556c92002ec6932419afde74effe4f0a35729f3c9e7b0e42143a6d4570fd939
Instruction ID: 4f35813a6eea17d58d812d86557254ab56621da3930f8c124d19eeb734040f7a
Opcode Fuzzy Hash: 8556c92002ec6932419afde74effe4f0a35729f3c9e7b0e42143a6d4570fd939
Instruction Fuzzy Hash: 7ED0C77464020CBFE710DB80DC46FA9777DDB05710F100194FD0456290D6F27D508795

Function 005D548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 005D5496

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 88c58f946a9f440bdbc0738d26f1326b3ef66695635384cff8b1019b0c877e62
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 99B0927684020C77DE112E86EC02A593F19AB80679F808022FB0C18262A673A6A0968A

Function 0061D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0061D46A

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5b2f3f9f9f235438702d542f964aded594e7868db50b2423135a43ee3ec69130
Instruction ID: 1cabd34df40a5a230300d9141d49017f91cb26c45932c68ca07fe6da9a568758
Opcode Fuzzy Hash: 5b2f3f9f9f235438702d542f964aded594e7868db50b2423135a43ee3ec69130
Instruction Fuzzy Hash: 6A713D302047028FC714EF24D495AEABBE5BF89314F08496DF5969B3A2DB30ED49CB52

Function 005D0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 005D0EF7

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4ced026d14a1a0baa52ca5f7fbbc7561a34b34494ed95ecb7ee9438adc33cea6
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: A531A471A00106DBC728DF5DD480A69FBAAFB99310F649AA7E409CB791D731EDC1CB90

Function 01142300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01142311

Memory Dump Source

Source File: 00000000.00000002.2096891884.0000000001140000.00000040.00001000.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: dc18e6ec9e34a864d9499af9a2bfbd6823d369a7f2a9150f12c193a8b8870804
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 1CE0BF7494410D9FDB00EFB4D54969E7BB4EF04701F100561FD0192281D73099508A62

Non-executed Functions

Function 0063CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 005B2612: GetWindowLongW.USER32(?,000000EB), ref: 005B2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0063CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0063CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0063CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0063CF00
SendMessageW.USER32 ref: 0063CF29
_wcsncpy.LIBCMT ref: 0063CFA1
GetKeyState.USER32(00000011), ref: 0063CFC2
GetKeyState.USER32(00000009), ref: 0063CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0063CFE5
GetKeyState.USER32(00000010), ref: 0063CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0063D018
SendMessageW.USER32 ref: 0063D03F
SendMessageW.USER32(?,00001030,?,0063B602), ref: 0063D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0063D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0063D16E
SetCapture.USER32(?), ref: 0063D177
ClientToScreen.USER32(?,?), ref: 0063D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0063D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0063D203
ReleaseCapture.USER32 ref: 0063D20E
GetCursorPos.USER32(?), ref: 0063D248
ScreenToClient.USER32(?,?), ref: 0063D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0063D2B1
SendMessageW.USER32 ref: 0063D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0063D31C
SendMessageW.USER32 ref: 0063D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0063D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0063D37B
GetCursorPos.USER32(?), ref: 0063D39B
ScreenToClient.USER32(?,?), ref: 0063D3A8
GetParent.USER32(?), ref: 0063D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0063D431
SendMessageW.USER32 ref: 0063D462
ClientToScreen.USER32(?,?), ref: 0063D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0063D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0063D51A
SendMessageW.USER32 ref: 0063D53D
ClientToScreen.USER32(?,?), ref: 0063D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0063D5C3

Part of subcall function 005B25DB: GetWindowLongW.USER32(?,000000EB), ref: 005B25EC

GetWindowLongW.USER32(?,000000F0), ref: 0063D65F

Strings

F, xrefs: 0063D543
@GUI_DRAGID, xrefs: 0063D1AA
prg, xrefs: 0063D1BD

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$prg
API String ID: 3977979337-2608799075
Opcode ID: 56dfb688dd24542c41321d9d75a59e2335074984ccf3797354a8c85cc1d5d8bf
Instruction ID: c5ad78e2055c765d7671a3961ce6daf5466d17b6bbaefcbfe051530760992a15
Opcode Fuzzy Hash: 56dfb688dd24542c41321d9d75a59e2335074984ccf3797354a8c85cc1d5d8bf
Instruction Fuzzy Hash: 0B428B70604241AFDB25CF28C848EAABBE6FF49324F14051DF699973A1C731E855DBE2

Function 0063804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0063873F

Strings

%d/%02d/%02d, xrefs: 00638478

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: d08989e3acba3d7d86b89552877fe1537a578a9699d92b31360b6b97acff5c5b
Instruction ID: eafc73803a25c4495c274e74e472f65390d49839f35c1290460d8f0c11ad0def
Opcode Fuzzy Hash: d08989e3acba3d7d86b89552877fe1537a578a9699d92b31360b6b97acff5c5b
Instruction Fuzzy Hash: 32128C71500345AFEB259F28CC49FEE7BBAEB86710F244129F915EB2A1DB709941CB90

Function 005C710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005C75C2
_memset.LIBCMT ref: 005C76B1
_memmove.LIBCMT ref: 005C7C4B
_memmove.LIBCMT ref: 005C7E4F

Strings

\b(?=\w), xrefs: 00603C34
\b(?<=\w), xrefs: 00603C41
0wf, xrefs: 00601F5B
[:<:]], xrefs: 005C75F1
[:>:]], xrefs: 005C760A
Oa\, xrefs: 0060287E
Q\E, xrefs: 005C81C1
DEFINE, xrefs: 006025AF

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0wf$DEFINE$Oa\$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1081230984
Opcode ID: 299dfaaf13468d966e8f17fc03512999a68c18e81a062c3e7eb400c730f04bb0
Instruction ID: 17ee94e04d7cb11ac3f77e3a40eb234713e6ad89ad53b7e510e8cc0db3e7f305
Opcode Fuzzy Hash: 299dfaaf13468d966e8f17fc03512999a68c18e81a062c3e7eb400c730f04bb0
Instruction Fuzzy Hash: 75938475A4021A9FDB28CF98C895BEEB7B2FF48710F24855AD945AB3C0E7709D81CB40

Function 005B4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 005B4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005EDA8E
IsIconic.USER32(?), ref: 005EDA97
ShowWindow.USER32(?,00000009), ref: 005EDAA4
SetForegroundWindow.USER32(?), ref: 005EDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005EDAC4
GetCurrentThreadId.KERNEL32 ref: 005EDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 005EDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 005EDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 005EDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 005EDAF8
SetForegroundWindow.USER32(?), ref: 005EDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 005EDB10
keybd_event.USER32(00000012,00000000), ref: 005EDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 005EDB25
keybd_event.USER32(00000012,00000000), ref: 005EDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 005EDB33
keybd_event.USER32(00000012,00000000), ref: 005EDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 005EDB42
keybd_event.USER32(00000012,00000000), ref: 005EDB47
SetForegroundWindow.USER32(?), ref: 005EDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 005EDB71

Strings

Shell_TrayWnd, xrefs: 005EDA89

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 27a3a580838fdba2743585afe11e627bfda749940dd75778ae1f3f4bf96f142a
Instruction ID: e1c0deb4319a9e1f53557971f4365238cea4b746e0455548ee41bf5b8ad7e662
Opcode Fuzzy Hash: 27a3a580838fdba2743585afe11e627bfda749940dd75778ae1f3f4bf96f142a
Instruction Fuzzy Hash: C4316071E40318BBEB206FA29C4AF7E3E6DEB44B60F114025FA04AA1D0D6B15900ABE0

Function 00608858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00608CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00608D0D
Part of subcall function 00608CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00608D3A
Part of subcall function 00608CC3: GetLastError.KERNEL32 ref: 00608D47

_memset.LIBCMT ref: 0060889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006088ED
CloseHandle.KERNEL32(?), ref: 006088FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00608915
GetProcessWindowStation.USER32 ref: 0060892E
SetProcessWindowStation.USER32(00000000), ref: 00608938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00608952

Part of subcall function 00608713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00608851), ref: 00608728
Part of subcall function 00608713: CloseHandle.KERNEL32(?,?,00608851), ref: 0060873A

Strings

winsta0, xrefs: 00608910
default, xrefs: 0060894D
, xrefs: 006088AA

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 0e90cbbc2087978025a3f32797994555c76b8d0ee64b02620edd0546cc07eab3
Instruction ID: 65e8c6e9195e7b906a95de773da0008ee5e8290cf0a54c89d6914e8162098688
Opcode Fuzzy Hash: 0e90cbbc2087978025a3f32797994555c76b8d0ee64b02620edd0546cc07eab3
Instruction Fuzzy Hash: B6816A71E40249AFDF15DFA4DC45AEF7BBAEF04304F08412AF950A32A1DB758E149B60

Function 0062425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0063F910), ref: 00624284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00624292
GetClipboardData.USER32(0000000D), ref: 0062429A
CloseClipboard.USER32 ref: 006242A6
GlobalLock.KERNEL32(00000000), ref: 006242C2
CloseClipboard.USER32 ref: 006242CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 006242E1
IsClipboardFormatAvailable.USER32(00000001), ref: 006242EE
GetClipboardData.USER32(00000001), ref: 006242F6
GlobalLock.KERNEL32(00000000), ref: 00624303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00624337
CloseClipboard.USER32 ref: 00624447

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 36ac4245fba95466f9a7dfe259ffee603c18004702164543cb066a0cfdb72be4
Instruction ID: f53652dd1a4571efa187caa7e2510d20b8a4c37c4779e2338ecd5313d2c38f9c
Opcode Fuzzy Hash: 36ac4245fba95466f9a7dfe259ffee603c18004702164543cb066a0cfdb72be4
Instruction Fuzzy Hash: F6518331604712ABD701FF61EC8AFAF77AAAF84B00F105529F555D22E1DF70E9058BA2

Function 0061C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0061C9F8
FindClose.KERNEL32(00000000), ref: 0061CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0061CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0061CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0061CAAF
__swprintf.LIBCMT ref: 0061CAFB
__swprintf.LIBCMT ref: 0061CB3E

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

__swprintf.LIBCMT ref: 0061CB92

Part of subcall function 005D38D8: __woutput_l.LIBCMT ref: 005D3931

__swprintf.LIBCMT ref: 0061CBE0

Part of subcall function 005D38D8: __flsbuf.LIBCMT ref: 005D3953
Part of subcall function 005D38D8: __flsbuf.LIBCMT ref: 005D396B

__swprintf.LIBCMT ref: 0061CC2F
__swprintf.LIBCMT ref: 0061CC7E
__swprintf.LIBCMT ref: 0061CCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0061CAF5
%4d, xrefs: 0061CB38
%02d, xrefs: 0061CB86, 0061CB90, 0061CBDE, 0061CC2D, 0061CC7C, 0061CCCB

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 34111784d7fde894e5ba4f4af3dba2bd9cdc113c5b1cb5baa6b769d356d08504
Instruction ID: 48454f427b0e51eb24fb21b8b5c4d96e466ce7199000715665025f633fd5417e
Opcode Fuzzy Hash: 34111784d7fde894e5ba4f4af3dba2bd9cdc113c5b1cb5baa6b769d356d08504
Instruction Fuzzy Hash: DCA12FB1508305ABC714FF54C88ADEFBBEDBFD4700F444919B585D6291EA34EA48CB62

Function 0061F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0061F221
_wcscmp.LIBCMT ref: 0061F236
_wcscmp.LIBCMT ref: 0061F24D
GetFileAttributesW.KERNEL32(?), ref: 0061F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0061F279
FindNextFileW.KERNEL32(00000000,?), ref: 0061F291
FindClose.KERNEL32(00000000), ref: 0061F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0061F2B8
_wcscmp.LIBCMT ref: 0061F2DF
_wcscmp.LIBCMT ref: 0061F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0061F308
SetCurrentDirectoryW.KERNEL32(0066A5A0), ref: 0061F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0061F330
FindClose.KERNEL32(00000000), ref: 0061F33D
FindClose.KERNEL32(00000000), ref: 0061F34F

Strings

*.*, xrefs: 0061F2B3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 5de547f421071aac0e6701ce7459afb6c3030b3bb32652ecd6e2415210e89ef9
Instruction ID: 5490da57408dde3fd296518d0e92c64b9878bc33c4713fe31dbd417ab034ac47
Opcode Fuzzy Hash: 5de547f421071aac0e6701ce7459afb6c3030b3bb32652ecd6e2415210e89ef9
Instruction Fuzzy Hash: AA31E8769002196BDB10DBF4DC58ADE77AEAF48360F180176F815E31A0EB71DF85CAA0

Function 00630AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00630BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0063F910,00000000,?,00000000,?,?), ref: 00630C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00630C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00630D1D
RegCloseKey.ADVAPI32(?), ref: 0063103D
RegCloseKey.ADVAPI32(00000000), ref: 0063104A

Strings

REG_BINARY, xrefs: 00630FD8
REG_EXPAND_SZ, xrefs: 00630CBA
REG_QWORD, xrefs: 00630F8B
REG_SZ, xrefs: 00630D5B
REG_MULTI_SZ, xrefs: 00630E05
REG_DWORD, xrefs: 00630F0E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: e4b3a5277106d498b71728fff9a0e0cf27a9e7fe699ab04e6c880a111a930a43
Instruction ID: c06245151a4ad4c81f3f7717299b045d9aed8baeffc95309f7f36d5b3c77caf8
Opcode Fuzzy Hash: e4b3a5277106d498b71728fff9a0e0cf27a9e7fe699ab04e6c880a111a930a43
Instruction Fuzzy Hash: 73024C756006029FCB14EF14C895E6ABBE6FF89714F04885DF98A9B362CB31ED45CB81

Function 0061F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0061F37E
_wcscmp.LIBCMT ref: 0061F393
_wcscmp.LIBCMT ref: 0061F3AA

Part of subcall function 006145C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006145DC

FindNextFileW.KERNEL32(00000000,?), ref: 0061F3D9
FindClose.KERNEL32(00000000), ref: 0061F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0061F400
_wcscmp.LIBCMT ref: 0061F427
_wcscmp.LIBCMT ref: 0061F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0061F450
SetCurrentDirectoryW.KERNEL32(0066A5A0), ref: 0061F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0061F478
FindClose.KERNEL32(00000000), ref: 0061F485
FindClose.KERNEL32(00000000), ref: 0061F497

Strings

*.*, xrefs: 0061F3FB

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 799be59abcf0cdb339c1eb2743763a0fc93270001f0b293f996b279eecbd987e
Instruction ID: 37addba37cae4ec2d5c9c6696adb4585b38c3c218bc73214ec30a504ba63c941
Opcode Fuzzy Hash: 799be59abcf0cdb339c1eb2743763a0fc93270001f0b293f996b279eecbd987e
Instruction Fuzzy Hash: A5311A7250021A6FCB10DBA4DC88ADF77AE9F49320F180276E810E31A1DB30DF84CAA4

Function 006081F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0060874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00608766
Part of subcall function 0060874A: GetLastError.KERNEL32(?,0060822A,?,?,?), ref: 00608770
Part of subcall function 0060874A: GetProcessHeap.KERNEL32(00000008,?,?,0060822A,?,?,?), ref: 0060877F
Part of subcall function 0060874A: HeapAlloc.KERNEL32(00000000,?,0060822A,?,?,?), ref: 00608786
Part of subcall function 0060874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0060879D

Part of subcall function 006087E7: GetProcessHeap.KERNEL32(00000008,00608240,00000000,00000000,?,00608240,?), ref: 006087F3
Part of subcall function 006087E7: HeapAlloc.KERNEL32(00000000,?,00608240,?), ref: 006087FA
Part of subcall function 006087E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00608240,?), ref: 0060880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0060825B
_memset.LIBCMT ref: 00608270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0060828F
GetLengthSid.ADVAPI32(?), ref: 006082A0
GetAce.ADVAPI32(?,00000000,?), ref: 006082DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006082F9
GetLengthSid.ADVAPI32(?), ref: 00608316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00608325
HeapAlloc.KERNEL32(00000000), ref: 0060832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0060834D
CopySid.ADVAPI32(00000000), ref: 00608354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00608385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006083AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006083BF

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 71008d64a57561ec3e7698924ae770ab67e6ec3a4b6387215bf702ce1434176f
Instruction ID: 008156499328cf8aed296e6f27d1853738a7e2500f0bb6953c43d2678f0793c7
Opcode Fuzzy Hash: 71008d64a57561ec3e7698924ae770ab67e6ec3a4b6387215bf702ce1434176f
Instruction Fuzzy Hash: B2617870940219AFCF08CFA4DC85AEEBBBAFF44710F048529F855A7291DB319A05CBA0

Function 005C6843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

UTF16), xrefs: 00601508
ANYCRLF), xrefs: 00601734
BSR_UNICODE), xrefs: 00601771
NO_START_OPT), xrefs: 00601588
BSR_ANYCRLF), xrefs: 00601757
ANY), xrefs: 00601717
NO_AUTO_POSSESS), xrefs: 00601567
LIMIT_RECURSION=, xrefs: 00601635
CR), xrefs: 006016C0
PJe, xrefs: 005C68B3
CRLF), xrefs: 006016FA
UCP), xrefs: 00601546
LF), xrefs: 006016DD
Oa\, xrefs: 00601888, 0060192F, 006019DD
LIMIT_MATCH=, xrefs: 006015A9
UTF), xrefs: 00601533

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa\$PJe$UCP)$UTF)$UTF16)
API String ID: 0-3303266510
Opcode ID: 67fd8f2a8c24b50ad3fa1f8ac23cac75755eefe4c9af8e939f03f914ae6ef95e
Instruction ID: 60f831dbb7a94c56240b053665fea58672bfdff50a21ad980f45388d9c93cb06
Opcode Fuzzy Hash: 67fd8f2a8c24b50ad3fa1f8ac23cac75755eefe4c9af8e939f03f914ae6ef95e
Instruction Fuzzy Hash: 9F725275E402199FDB18CF98C890BEEBBB6FF45710F14816AE855EB290D7709E81CB90

Function 00630665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00630038,?,?), ref: 006310BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00630737

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006307D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0063086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00630AAD
RegCloseKey.ADVAPI32(00000000), ref: 00630ABA

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 819c6a21f34a57dfdd621dc6f413638c776181268186cce74173793b698e9a5f
Instruction ID: c03e51c157110e7fb91be3fa1d01b7f6c9092dc6a82d7908fc97440912e0f0d5
Opcode Fuzzy Hash: 819c6a21f34a57dfdd621dc6f413638c776181268186cce74173793b698e9a5f
Instruction Fuzzy Hash: 64E15D31604201AFDB14DF28C895E6ABBF9FF89714F04856DF44ADB2A2DB30E905CB91

Function 00610219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00610241
GetAsyncKeyState.USER32(000000A0), ref: 006102C2
GetKeyState.USER32(000000A0), ref: 006102DD
GetAsyncKeyState.USER32(000000A1), ref: 006102F7
GetKeyState.USER32(000000A1), ref: 0061030C
GetAsyncKeyState.USER32(00000011), ref: 00610324
GetKeyState.USER32(00000011), ref: 00610336
GetAsyncKeyState.USER32(00000012), ref: 0061034E
GetKeyState.USER32(00000012), ref: 00610360
GetAsyncKeyState.USER32(0000005B), ref: 00610378
GetKeyState.USER32(0000005B), ref: 0061038A

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fa78e412b9e576eca02aa2ec860807547a86c9171cdb3390d8ced6a6147735d6
Instruction ID: daf0f5ed4fb6b2d8f1701706aa83837829d2f8aac6e6f49b31af819bc9b40b41
Opcode Fuzzy Hash: fa78e412b9e576eca02aa2ec860807547a86c9171cdb3390d8ced6a6147735d6
Instruction Fuzzy Hash: 1341BC349047CAAEFF715B6484083F5BEE26F16340F1C405DD5D5463C2D7E45AC48792

Function 00624458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0062447F
EmptyClipboard.USER32 ref: 00624485
GlobalAlloc.KERNEL32(00000002,?), ref: 0062449A
CloseClipboard.USER32 ref: 00624539

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a83cf9206210386fb9e0bac54ed520103f112ffd8e23ff6ee17045ccf96a834a
Instruction ID: f3afa8b5dcd46aac345bdbb1783d054758f6966a946196d4215d17a16d28d6f4
Opcode Fuzzy Hash: a83cf9206210386fb9e0bac54ed520103f112ffd8e23ff6ee17045ccf96a834a
Instruction Fuzzy Hash: 222191357006219FDB10AF64EC09BAA7BAAEF55710F10901AF946DB2B1CB30AD01CF94

Function 00613A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005B48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005B48A1,?,?,005B37C0,?), ref: 005B48CE

Part of subcall function 00614CD3: GetFileAttributesW.KERNEL32(?,00613947), ref: 00614CD4

FindFirstFileW.KERNEL32(?,?), ref: 00613ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00613B87
MoveFileW.KERNEL32(?,?), ref: 00613B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00613BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00613BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00613BF5

Strings

\*.*, xrefs: 00613A8A, 00613A93, 00613AA8

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 14c4f1ef112693407c7e2ba9d37a8c84c70019203b196e0bb58781f58f8850c9
Instruction ID: f2d09cf4f2f3afb8996b386dcff62704493da3b87d48164a3640947167010ad5
Opcode Fuzzy Hash: 14c4f1ef112693407c7e2ba9d37a8c84c70019203b196e0bb58781f58f8850c9
Instruction Fuzzy Hash: E251A53180515D9ACF15EFA0CD969EDBB7AAF54300F284169E44277291EF316F4DCBA0

Function 005C4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 005F7B0C
VUUU, xrefs: 005C4520
ERCP, xrefs: 005C421F
Oa\, xrefs: 005C4984, 005F8173
VUUU, xrefs: 005C44DB
VUUU, xrefs: 005C44ED

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID: ERCP$Oa\$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3019714729
Opcode ID: c4e63b6d49a90936f8066b686ca2433675775bc7b5e03f65fd9ce6563693df25
Instruction ID: 65b28129f09d2147a0560219fc6723a924656086eba7406abd2d320fdae03b9c
Opcode Fuzzy Hash: c4e63b6d49a90936f8066b686ca2433675775bc7b5e03f65fd9ce6563693df25
Instruction Fuzzy Hash: 91A26C74A0421E8FDF24CF98C9A0FBDBBB1BB54314F2485AAD956A7284D7749E81CF40

Function 0061F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0061F6AB
Sleep.KERNEL32(0000000A), ref: 0061F6DB
_wcscmp.LIBCMT ref: 0061F6EF
_wcscmp.LIBCMT ref: 0061F70A
FindNextFileW.KERNEL32(?,?), ref: 0061F7A8
FindClose.KERNEL32(00000000), ref: 0061F7BE

Strings

*.*, xrefs: 0061F690

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: b21fc7326bd681cc3f4e14353eba554cde71f0035d6486828898da02583efab7
Instruction ID: 18bd3334ce2c2eed4d8669795f737b3d2967ed11d659720dae3b5aa71a89256c
Opcode Fuzzy Hash: b21fc7326bd681cc3f4e14353eba554cde71f0035d6486828898da02583efab7
Instruction Fuzzy Hash: AC41767190021A9FDF15DF64DC49AEEBBBAFF45310F184566E815A32A1DB30AE84CF90

Function 005C58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005C5A05
_memmove.LIBCMT ref: 005C5A55
_memmove.LIBCMT ref: 005C5ABB

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3a8e92b15c5b02355a28431e0af5007eb026c772918237b8161f67788d1feede
Instruction ID: a3710ce7224c590e823540b7c1b74c65cbb579e69a2044d2568e382e47dd3b38
Opcode Fuzzy Hash: 3a8e92b15c5b02355a28431e0af5007eb026c772918237b8161f67788d1feede
Instruction Fuzzy Hash: 99128C70A0060ADFDF18DFA5D985BEEBBB6FF88300F104569E406A7291EB35AD51CB50

Function 005C5680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 005D0FF6: std::exception::exception.LIBCMT ref: 005D102C
Part of subcall function 005D0FF6: __CxxThrowException@8.LIBCMT ref: 005D1041

_memmove.LIBCMT ref: 0060062F
_memmove.LIBCMT ref: 00600744
_memmove.LIBCMT ref: 006007EB

Strings

yZ\, xrefs: 00600881, 006007FF

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ\
API String ID: 1300846289-2263360204
Opcode ID: bd8c4ad0a3da59edb8a5b4c04de911ab43f79369d3794bf98fb65471fdf72117
Instruction ID: 39ca079a29c0e651b8bcb72744114d35f4ab11f1b80b42c2485d3368d3692ad6
Opcode Fuzzy Hash: bd8c4ad0a3da59edb8a5b4c04de911ab43f79369d3794bf98fb65471fdf72117
Instruction Fuzzy Hash: 4B027370A00105DFDF18DFA8D985AAE7BB6FF84300F248069E806DB395EB35E955CB91

Function 0061545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00608CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00608D0D
Part of subcall function 00608CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00608D3A
Part of subcall function 00608CC3: GetLastError.KERNEL32 ref: 00608D47

ExitWindowsEx.USER32(?,00000000), ref: 0061549B

Strings

SeShutdownPrivilege, xrefs: 0061546B
, xrefs: 00615489
@, xrefs: 0061548E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: ada8da73283122112b1558aab1f63027ea8762c54e16bf4c0050db1609de41f1
Instruction ID: e7374860213af5eff37be96cea48cb8662a4ff7cad6c7f8032301a4cc16423af
Opcode Fuzzy Hash: ada8da73283122112b1558aab1f63027ea8762c54e16bf4c0050db1609de41f1
Instruction Fuzzy Hash: C6012831654B11AAE76853789C4ABFBB29AAB80352F280434FC07D22D2DA701CC041D4

Function 005C3190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa\, xrefs: 005C3482

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa\
API String ID: 674341424-2596033750
Opcode ID: 5d3c9b47c4b01a959bb792c046c8c96eb5fddc7ccc6e7b4cfd473eb512fd794c
Instruction ID: 4c2e31c0e6e38a29c41fc53b66e318e01dccdc3aca95d179a06d429aa1654a56
Opcode Fuzzy Hash: 5d3c9b47c4b01a959bb792c046c8c96eb5fddc7ccc6e7b4cfd473eb512fd794c
Instruction Fuzzy Hash: 72229A7160830A9FC724DF64C885BAFBBE5BF88700F10891DF59697291DB35EA44CB92

Function 00626596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006265EF
WSAGetLastError.WSOCK32(00000000), ref: 006265FE
bind.WSOCK32(00000000,?,00000010), ref: 0062661A
listen.WSOCK32(00000000,00000005), ref: 00626629
WSAGetLastError.WSOCK32(00000000), ref: 00626643
closesocket.WSOCK32(00000000,00000000), ref: 00626657

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: a2b047cee09995404b1dd6a9bd6ac04764de04ad44e988ed2d3b38b1f101c85d
Instruction ID: b55107a49558643b734e61b9ca6d74940d6f92aa74d8bd2a7788c24622baf3cd
Opcode Fuzzy Hash: a2b047cee09995404b1dd6a9bd6ac04764de04ad44e988ed2d3b38b1f101c85d
Instruction Fuzzy Hash: 87219E30600611AFCB10AF24E849AAEB7BAEF49720F148159F956A73D2CB70AD418B91

Function 005B1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 005B2612: GetWindowLongW.USER32(?,000000EB), ref: 005B2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 005B19FA
GetSysColor.USER32(0000000F), ref: 005B1A4E
SetBkColor.GDI32(?,00000000), ref: 005B1A61

Part of subcall function 005B1290: DefDlgProcW.USER32(?,00000020,?), ref: 005B12D8

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: eff383c60601730fae66c8023a54716e35a81e5f9f606ef939e9d4038dd460a8
Instruction ID: aeed1c15f5b55a846670e3d65b0dabd9a84774500f897fe5353598bff5dda032
Opcode Fuzzy Hash: eff383c60601730fae66c8023a54716e35a81e5f9f606ef939e9d4038dd460a8
Instruction Fuzzy Hash: A3A15970105D85BAE7ACAB399C78DFB3E5EFB41352FA40519F442E6191CA10BD0092FD

Function 00626A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006280CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00626AB1
WSAGetLastError.WSOCK32(00000000), ref: 00626ADA
bind.WSOCK32(00000000,?,00000010), ref: 00626B13
WSAGetLastError.WSOCK32(00000000), ref: 00626B20
closesocket.WSOCK32(00000000,00000000), ref: 00626B34

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 44197e6e05df188315500ffd88f347e066bd295d519da997af521a498697bf92
Instruction ID: 9d5b47413c4611ebd0b53bb6d514c38e301aef211bf9778ff09a99d883da925f
Opcode Fuzzy Hash: 44197e6e05df188315500ffd88f347e066bd295d519da997af521a498697bf92
Instruction Fuzzy Hash: D141BB75B00611AFDB10AF24DC8AFBE7BA9EB44710F44805CFA15AB3D2DA70AD018B91

Function 006355FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0063564C
IsWindowEnabled.USER32 ref: 0063565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00635667
IsIconic.USER32 ref: 00635675
IsZoomed.USER32 ref: 00635683

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7fa85a25a30ad5af5577a6d07b77df0e1148d0ced5c041a45c7d52f0514b8af6
Instruction ID: 77e72be1adaaaa1a2bdf46c024cf8f57db5faeb311b3bc9c0eddc35fda153a99
Opcode Fuzzy Hash: 7fa85a25a30ad5af5577a6d07b77df0e1148d0ced5c041a45c7d52f0514b8af6
Instruction Fuzzy Hash: 5811C8317009115FE7111F26DC45AAFBB9AFF96721F404429F407D7261CB70E90186D5

Function 0061C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0061C69D
CoCreateInstance.OLE32(00642D6C,00000000,00000001,00642BDC,?), ref: 0061C6B5

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

CoUninitialize.OLE32 ref: 0061C922

Strings

.lnk, xrefs: 0061C631, 0061C659, 0061C663

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 8a2582a36cafe81a48eaf279a2953cc8d94530fc470d9c56be2bf4c0d9520ce6
Instruction ID: f43bf0bb1671d3159198577d03fdec026dc15c3aa1bfd428341fcf0a3a9597c0
Opcode Fuzzy Hash: 8a2582a36cafe81a48eaf279a2953cc8d94530fc470d9c56be2bf4c0d9520ce6
Instruction Fuzzy Hash: 94A12A71104206AFD704EF54C895EABBBEDFFC9314F04491CF156972A2EB70AA49CB92

Function 0062C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005F1D88,?), ref: 0062C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0062C324

Strings

GetSystemWow64DirectoryW, xrefs: 0062C31E
kernel32.dll, xrefs: 0062C30D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 5d6cf6f2c655ece5d018b0c80dfda0e9ccff6f2df49361f4e00f1d36f0e7d7c3
Instruction ID: cac00fc4012c8f5ba13cecf911e78916fa3c15c626b6b59acef3fc19c1538b16
Opcode Fuzzy Hash: 5d6cf6f2c655ece5d018b0c80dfda0e9ccff6f2df49361f4e00f1d36f0e7d7c3
Instruction Fuzzy Hash: 5CE0E674600713DFDB208B65E814A8A76D5EB09755F419839D495D2650D770D840CAD0

Function 0062F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0062F151
Process32FirstW.KERNEL32(00000000,?), ref: 0062F15F

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

Process32NextW.KERNEL32(00000000,?), ref: 0062F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0062F22E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 6f43d623a69cc3c87a79c62c5bb16b0609ee19cbb5948527e9a5ee2aff038a22
Instruction ID: 1fe89d2b4c0de19b158c6a03e7e973b1cf0a696e3c27c1c0e44e6b9230366a48
Opcode Fuzzy Hash: 6f43d623a69cc3c87a79c62c5bb16b0609ee19cbb5948527e9a5ee2aff038a22
Instruction Fuzzy Hash: B5517E715047119FD310EF20DC89AABBBE9FFD8710F50492DF59597251EB70A908CB92

Function 0060EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0060EB19

Strings

|, xrefs: 0060EB49
(, xrefs: 0060EB5F

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 91d7f40e33420ebe73e0506ebba4ba81686c91c28f2c834ba8c868184d2df20d
Instruction ID: ca28b09790e49dc42bcc2fb5328a9f4c9bb73ba9da69086751571c96fb92e86d
Opcode Fuzzy Hash: 91d7f40e33420ebe73e0506ebba4ba81686c91c28f2c834ba8c868184d2df20d
Instruction Fuzzy Hash: 05324675A407059FD728CF19C481AAAB7F1FF48310B15C96EE89ACB7A1E771E941CB40

Function 006225E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 006226D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0062270C

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f8e8c6dcc80dbd4f168fdbd8c952c79990ad830b964336d33bbb25fe1596dada
Instruction ID: 2745c0164a446b23d07734628073980bfa85050580df67e454974d9e6ee7964c
Opcode Fuzzy Hash: f8e8c6dcc80dbd4f168fdbd8c952c79990ad830b964336d33bbb25fe1596dada
Instruction Fuzzy Hash: 8741D872504A1BBFEB20DF54EC95EFB77BEEB40714F10406EFA01A6240EA719E419E54

Function 0061B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0061B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0061B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0061B655

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cc5162ec55d4a5e02b75416690af33c1d8a93f13bc1753db3ed25b7e716a1e8d
Instruction ID: bed5e4bac313276c408af83a8c7d9584c9d59b4287918cca5ae06e981f8f3725
Opcode Fuzzy Hash: cc5162ec55d4a5e02b75416690af33c1d8a93f13bc1753db3ed25b7e716a1e8d
Instruction Fuzzy Hash: 69215135A00118EFCB00EF95D884EEDBBB9FF49310F1480A9E905AB351DB31A955CB51

Function 00608CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 005D0FF6: std::exception::exception.LIBCMT ref: 005D102C
Part of subcall function 005D0FF6: __CxxThrowException@8.LIBCMT ref: 005D1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00608D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00608D3A
GetLastError.KERNEL32 ref: 00608D47

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: f268ce656a8a84c1ea7b6b6dfa6fe9779ab165bf9dc9455f6c6acbb09f114714
Instruction ID: 9ea0c919eb1268e2e3676fa4d8973e43e8aeb11b6184b6cb27074733608d9dc0
Opcode Fuzzy Hash: f268ce656a8a84c1ea7b6b6dfa6fe9779ab165bf9dc9455f6c6acbb09f114714
Instruction Fuzzy Hash: A91194B1954205AFE728EF58EC85D6BBBBDFF44710B20852EF49593291DF30AC418B60

Function 00614021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0061404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00614088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00614091

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4c4d00d9a907921e3ac55db8b1b4c4b3ac622fe9ad8f3f08a8bed5fd06f565ff
Instruction ID: da1641a07b4ce4bf36695b5129ae48af682bcb6d1af36417c2da098e94d7620e
Opcode Fuzzy Hash: 4c4d00d9a907921e3ac55db8b1b4c4b3ac622fe9ad8f3f08a8bed5fd06f565ff
Instruction Fuzzy Hash: 1D117CB1D00228BEE7109BE9DC44FEBBBBDEB08710F140656BA08E7290C6B45A4587E1

Function 00614C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00614C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00614C43
FreeSid.ADVAPI32(?), ref: 00614C53

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9bb4929ad412248d9567ffd6dfc5069ddb116035cc4a3ba486006a30f48a5c2c
Instruction ID: d744929e44148367b471dfe03ff8ee5f9c30a957ab69128e02b9925c3f59c757
Opcode Fuzzy Hash: 9bb4929ad412248d9567ffd6dfc5069ddb116035cc4a3ba486006a30f48a5c2c
Instruction Fuzzy Hash: A5F04975E1130CBFDF04DFF4DD99AAEBBBDEF08201F0044A9A905E2281E7706A448B90

Function 00618B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00618B25

Part of subcall function 005D543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006191F8,00000000,?,?,?,?,006193A9,00000000,?), ref: 005D5443
Part of subcall function 005D543A: __aulldiv.LIBCMT ref: 005D5463

Strings

0ug, xrefs: 00618B1C

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0ug
API String ID: 2893107130-1521763786
Opcode ID: 79788f04d07aef0e410530b799b1c9ad13b56a24c8db578c89b2b977ec0ef69e
Instruction ID: 0c1b151f3bb8c22e264a215ae9b0e0eab02d2910c080281ee475664416b23a71
Opcode Fuzzy Hash: 79788f04d07aef0e410530b799b1c9ad13b56a24c8db578c89b2b977ec0ef69e
Instruction Fuzzy Hash: E321D5726295108FD729CF25D441A92B3E2EBA4311B288E6CD0E9CB2D0CE34B945CB54

Function 005BE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26a21aa3252412446afe2ca5395115148c1dc985eea9a2254bddfe9e8c7afd5
Instruction ID: f97ea413d4f84718bf65d49c3b590c79398f25cf1753874744c45b3dacc694b4
Opcode Fuzzy Hash: e26a21aa3252412446afe2ca5395115148c1dc985eea9a2254bddfe9e8c7afd5
Instruction Fuzzy Hash: BF229D7490021ACFDB24DF58C486AEABFF0FF44300F288469E956AB341D734B985CB91

Function 0061C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0061C966
FindClose.KERNEL32(00000000), ref: 0061C996

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7c5d91e4cab1bf1cf3c054fd8e547e77ad3d935c79869b6f0836efc351235778
Instruction ID: 261ea02397320b67411ff5a11af9ae33371a2b8acca552f6a625c6a17ec02ef5
Opcode Fuzzy Hash: 7c5d91e4cab1bf1cf3c054fd8e547e77ad3d935c79869b6f0836efc351235778
Instruction Fuzzy Hash: 891165726106019FD710EF29D849A6AF7E5FF85324F04891EF9A5D7291DB70AD01CB81

Function 0061A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0062977D,?,0063FB84,?), ref: 0061A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0062977D,?,0063FB84,?), ref: 0061A314

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0fac13d4dd8bfa991835393c81a535e168fd7f0fbae3ec6dd61320a89f846c54
Instruction ID: 4c99454467b5a880d30074ca0aa7d08c90d3e23b97f0cc765e05eccdf9dd13df
Opcode Fuzzy Hash: 0fac13d4dd8bfa991835393c81a535e168fd7f0fbae3ec6dd61320a89f846c54
Instruction Fuzzy Hash: 4FF0823554522DABEB109FA4CC49FEA776EBF08761F004165F919D6191D6309940CBE1

Function 00608713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00608851), ref: 00608728
CloseHandle.KERNEL32(?,?,00608851), ref: 0060873A

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: baf5ef0a8061ef0215a22a9995e14142a9ebdd83dcf393b1b69a0ece8ba6bcde
Instruction ID: 656266a90800397982a3d4ae183edbdfcc9b66a6cfc70de240c39c1e4f3a80c0
Opcode Fuzzy Hash: baf5ef0a8061ef0215a22a9995e14142a9ebdd83dcf393b1b69a0ece8ba6bcde
Instruction Fuzzy Hash: 0AE0B676010A11EFE7393B65FD09D777BAAFB44350B24882AF49681570DB62AC90DB50

Function 005DA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,005D8F97,?,?,?,00000001), ref: 005DA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 005DA3A3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 37e4c61e89133a4089a251a97890fe17b702446c87b53798e9f654cc1fcc4621
Instruction ID: 58e7ea5cc71739c8c9c0ed67264f3a4be136a351e2411cc5a0773a5c8e773590
Opcode Fuzzy Hash: 37e4c61e89133a4089a251a97890fe17b702446c87b53798e9f654cc1fcc4621
Instruction Fuzzy Hash: 78B09231454208ABEB002B91EC09B8A3F6AEB45AA2F405020F60D85060CF6254508AD1

Function 005DF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523ae07e0172de72a04da2cab51b35229d5d2256a29febc71dfa0c50fa14b8af
Instruction ID: 306eed7fd8604b3d7e8d6e96a0b910ccfb455094bce30668f25aad588b5f3f63
Opcode Fuzzy Hash: 523ae07e0172de72a04da2cab51b35229d5d2256a29febc71dfa0c50fa14b8af
Instruction Fuzzy Hash: 7232F825D69F414DD7239A38D8323356649FFB73D4F15EB37E81AB5AA6DB28C4834200

Function 005E267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfebc666d4d8733c9dd6e43ec451b9dc01ef6784d79cb6db982dd6dbe8b17c9f
Instruction ID: 4c3f30a1988ebc085bce37cefedf59cbefdfb8ed4476ef8d94b656a6a77ba817
Opcode Fuzzy Hash: cfebc666d4d8733c9dd6e43ec451b9dc01ef6784d79cb6db982dd6dbe8b17c9f
Instruction Fuzzy Hash: BCB10034D6AF414DD323AA398831336BA8DAFBB2C5F51E71BFC5670D22EB2185834141

Function 006241FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00624218

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: b9c6f1b570178251e104cb2788bf17b86c8cd5697eab30e9e3d7c958625fcf47
Instruction ID: f25da52060845b09b3084f570480bafe9d83acfb93cc5421c616905cc344e841
Opcode Fuzzy Hash: b9c6f1b570178251e104cb2788bf17b86c8cd5697eab30e9e3d7c958625fcf47
Instruction Fuzzy Hash: 51E04F312402159FC710EF5AE845A9AFBE9AF95760F008026FD49D7352DA71FD418BA0

Function 00614EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00614F18

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 815a58ef121429170309919ed5e74f3f2f6e33dadfe73a756ef75166476d1c0a
Instruction ID: e92b02dcfe8dad5584953fd9d754a616c42414ddc08529848c9fb4e5de6d7c31
Opcode Fuzzy Hash: 815a58ef121429170309919ed5e74f3f2f6e33dadfe73a756ef75166476d1c0a
Instruction Fuzzy Hash: 4DD017E02642053CE8184B20AC0BBF6011BA3C0B91F9C59893201C77C19CA16882A034

Function 00608C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006088D1), ref: 00608CB3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 3a0de3fd8173689c1aefb4b039c62d2a6364997cc2bf7b5b9c9215c72df3e205
Instruction ID: 5a60bda63085d17c9de5a78170b540b72dd44577116545ee82206c252f09a916
Opcode Fuzzy Hash: 3a0de3fd8173689c1aefb4b039c62d2a6364997cc2bf7b5b9c9215c72df3e205
Instruction Fuzzy Hash: FED09E3226450EABEF019FA8DD05EAE3B6AEB04B01F408511FE15D51A1C775D935AB60

Function 005F2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 005F2242

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c74164553816ecaaef1c647e2ffb69d3f10b9a14468656b1514d7aa0d1da85dc
Instruction ID: fd18eb4ef73e26d9a965acb2e82cebe4460e4808a94f0e1a63d6d43adfa0e221
Opcode Fuzzy Hash: c74164553816ecaaef1c647e2ffb69d3f10b9a14468656b1514d7aa0d1da85dc
Instruction Fuzzy Hash: C1C002B1804109DBDB05DB90D9989EA77BCAB04304F104455A501A2100D7749B448A61

Function 005DA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 005DA36A

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f00232c76ebbd6f9ff8f3535748e7e7426c0e7b984980deb6cb624bd4a0048e5
Instruction ID: 4bd9b341db87a3872f23293706fa6c2da9f4341f9101fa738fe16bdcda7ffde6
Opcode Fuzzy Hash: f00232c76ebbd6f9ff8f3535748e7e7426c0e7b984980deb6cb624bd4a0048e5
Instruction Fuzzy Hash: 93A0113000020CAB8B002B82EC0888ABFAEEA022A0B008020F80C820228F32A8208AC0

Function 005C8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c4d9aa16d7df2c644f0c0a7eff5219361950042f363d46d4713b86a69869e4
Instruction ID: 3b7e8765d7cb52bd4939d114b7dc06be7b16e6a3800e267e8add533cdaa65e04
Opcode Fuzzy Hash: 46c4d9aa16d7df2c644f0c0a7eff5219361950042f363d46d4713b86a69869e4
Instruction Fuzzy Hash: F622E4305056269FDF2C8A94C4D4BBF7BA2FB41304F68846ED8538B2D1DB349D81DB61

Function 005D2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: f7050eded966d88e092abe141e08ea9f0385e3dbb9eef64a7789503313f9c24c
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 40C1713220559309DF3D463D947453EBEE17AA27B171A0B5FE8B2CB6C4EF20D564E620

Function 005D283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 71b1b17170e125c67e7e3abdeb77f8a50d182780b014a5100cc7079984c3a71f
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 0DC1833220559309DB3D473E847403EBFE16AA27B171A0B6FE4B2DB6D4EF20D564E620

Function 01143660 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096891884.0000000001140000.00000040.00001000.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: e2979321b48a39a7a566e5d2c7d94f5ef8b7f5bf9c2862311d414054b9849b41
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 5541D371D1091CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40

Function 01143550 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096891884.0000000001140000.00000040.00001000.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 8347d3062becb1102cd2528d030a8be1b426690f691730018f6dd75e557a04bb
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 00019278A14209EFCB48DF98C5909AEFBF5FF48710F208599D819AB701D730AE41DB80

Function 011434F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096891884.0000000001140000.00000040.00001000.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 96033285d2f856a220c3144fac495656a8a88a5456727e25d332f6be4a0bb038
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 74019279A14109EFCB49DF98C5909AEF7B5FB48710F208599D819AB701D731AE41DB80

Function 01141ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2096891884.0000000001140000.00000040.00001000.00020000.00000000.sdmp, Offset: 01140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1140000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00627B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00627B70
DeleteObject.GDI32(00000000), ref: 00627B82
DestroyWindow.USER32 ref: 00627B90
GetDesktopWindow.USER32 ref: 00627BAA
GetWindowRect.USER32(00000000), ref: 00627BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00627CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00627D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00627D4A
GetClientRect.USER32(00000000,?), ref: 00627D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00627D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00627DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00627DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00627DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00627DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00627DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00627DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00627DF8
GlobalFree.KERNEL32(00000000), ref: 00627E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00627E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00642CAC,00000000), ref: 00627E2B
GlobalFree.KERNEL32(00000000), ref: 00627E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00627E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00627E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00627EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0062808F

Strings

AutoIt v3, xrefs: 00627D42
static, xrefs: 00627D8A, 00627EE1
, xrefs: 00628015
DISPLAY, xrefs: 00627EF2

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a0b36fb44b11b3f0c005a3b7585e3ac938a1187916d045fd5eb16887c2cbdb72
Instruction ID: 12c98e682dc5aba73e4550173db66122f234b050b885747dea9bb026601f4454
Opcode Fuzzy Hash: a0b36fb44b11b3f0c005a3b7585e3ac938a1187916d045fd5eb16887c2cbdb72
Instruction Fuzzy Hash: 7C026C71A00515EFDB14DFA4DD89EAE7BBAFB48310F148158F915AB2A1CB70AD41CFA0

Function 006337F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0063F910), ref: 006338AF
IsWindowVisible.USER32(?), ref: 006338D3

Strings

GETLINECOUNT, xrefs: 00633B4E
ADDSTRING, xrefs: 0063399E
SHOWDROPDOWN, xrefs: 00633968
GETCURRENTSELECTION, xrefs: 00633A6B
SETCURRENTSELECTION, xrefs: 00633A3E
SELECTSTRING, xrefs: 00633A8E
GETCURRENTLINE, xrefs: 00633B75
CURRENTTAB, xrefs: 00633945
TABLEFT, xrefs: 0063390F
GETSELECTED, xrefs: 00633B2B
ISENABLED, xrefs: 006338F3
ISVISIBLE, xrefs: 006338BF
HIDEDROPDOWN, xrefs: 00633988
UNCHECK, xrefs: 00633B0B
SENDCOMMANDID, xrefs: 00633C62
TABRIGHT, xrefs: 00633925
GETLINE, xrefs: 00633C23
FINDSTRING, xrefs: 006339FE
GETCURRENTCOL, xrefs: 00633BB0
DELSTRING, xrefs: 006339D1
ISCHECKED, xrefs: 00633AC1
CHECK, xrefs: 00633AF5
EDITPASTE, xrefs: 00633BE7

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 0b8596ef7ada03ea090d95710b0d2d50c8f738b5d3207b09256bac5586448e95
Instruction ID: 12a55afea8f044439cf2322bd857c1f84c88729e0a5170b989ba8f20128d6241
Opcode Fuzzy Hash: 0b8596ef7ada03ea090d95710b0d2d50c8f738b5d3207b09256bac5586448e95
Instruction Fuzzy Hash: 9AD15330204316DBCB14EF24C455AAABBA7BF94354F10545DB8869B3E3DB31EE4ACB91

Function 0063A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0063A89F
GetSysColorBrush.USER32(0000000F), ref: 0063A8D0
GetSysColor.USER32(0000000F), ref: 0063A8DC
SetBkColor.GDI32(?,000000FF), ref: 0063A8F6
SelectObject.GDI32(?,?), ref: 0063A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0063A930
GetSysColor.USER32(00000010), ref: 0063A938
CreateSolidBrush.GDI32(00000000), ref: 0063A93F
FrameRect.USER32(?,?,00000000), ref: 0063A94E
DeleteObject.GDI32(00000000), ref: 0063A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0063A9A0
FillRect.USER32(?,?,?), ref: 0063A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0063A9FD

Part of subcall function 0063AB60: GetSysColor.USER32(00000012), ref: 0063AB99
Part of subcall function 0063AB60: SetTextColor.GDI32(?,?), ref: 0063AB9D
Part of subcall function 0063AB60: GetSysColorBrush.USER32(0000000F), ref: 0063ABB3
Part of subcall function 0063AB60: GetSysColor.USER32(0000000F), ref: 0063ABBE
Part of subcall function 0063AB60: GetSysColor.USER32(00000011), ref: 0063ABDB
Part of subcall function 0063AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0063ABE9
Part of subcall function 0063AB60: SelectObject.GDI32(?,00000000), ref: 0063ABFA
Part of subcall function 0063AB60: SetBkColor.GDI32(?,00000000), ref: 0063AC03
Part of subcall function 0063AB60: SelectObject.GDI32(?,?), ref: 0063AC10
Part of subcall function 0063AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0063AC2F
Part of subcall function 0063AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0063AC46
Part of subcall function 0063AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0063AC5B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: feb1467e33ce06d4b9c443e194b2200b2c8ba18ee561c20de05c31b9a758f9ac
Instruction ID: 5894c1da562b1156dbc4b150c76eb715dbdbf220146dcaa501ab1fd877243e88
Opcode Fuzzy Hash: feb1467e33ce06d4b9c443e194b2200b2c8ba18ee561c20de05c31b9a758f9ac
Instruction Fuzzy Hash: E8A19072808301BFD7109F64DC08E6B7BAAFF89331F105A29F9A2961E1D771D845DB92

Function 006277BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006277F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006278B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006278EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00627900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00627946
GetClientRect.USER32(00000000,?), ref: 00627952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00627996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006279A5
GetStockObject.GDI32(00000011), ref: 006279B5
SelectObject.GDI32(00000000,00000000), ref: 006279B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006279C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006279D2
DeleteDC.GDI32(00000000), ref: 006279DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00627A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00627A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00627A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00627A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00627A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00627AAE
GetStockObject.GDI32(00000011), ref: 00627AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00627AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00627ACE

Strings

msctls_progress32, xrefs: 00627A4F
AutoIt v3, xrefs: 0062793E
static, xrefs: 00627990, 00627AA8
DISPLAY, xrefs: 0062799B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c9e13f6314906887c769860e6fd24965925b09d1f537364452ab47b6fcf7f319
Instruction ID: 3fac6a3b6cd0e49d3749fb89bda1020515a3ebf7a05f6f589535b98c3094f4de
Opcode Fuzzy Hash: c9e13f6314906887c769860e6fd24965925b09d1f537364452ab47b6fcf7f319
Instruction Fuzzy Hash: C0A170B1A40615BFEB14DBA4DC4AFAE7BBAEB44714F004114FA15A72E1DB74AD40CFA0

Function 0061AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0061AF89
GetDriveTypeW.KERNEL32(?,0063FAC0,?,\\.\,0063F910), ref: 0061B066
SetErrorMode.KERNEL32(00000000,0063FAC0,?,\\.\,0063F910), ref: 0061B1C4

Strings

SATA, xrefs: 0061B177
RAMDisk, xrefs: 0061B090
SSA, xrefs: 0061B14D
FileBackedVirtual, xrefs: 0061B193
SCSI, xrefs: 0061B131
\\.\, xrefs: 0061AFDB
1394, xrefs: 0061B146
Network, xrefs: 0061B0A4
Removable, xrefs: 0061B0B8
RAID, xrefs: 0061B162
ATA, xrefs: 0061B13F
ATAPI, xrefs: 0061B138
SSD, xrefs: 0061B0F1
CDROM, xrefs: 0061B09A
Virtual, xrefs: 0061B18C
SAS, xrefs: 0061B170
Fibre, xrefs: 0061B154
USB, xrefs: 0061B15B
Unknown, xrefs: 0061B086, 0061B12A
Fixed, xrefs: 0061B0AE
PhysicalDrive, xrefs: 0061B012
MMC, xrefs: 0061B185
iSCSI, xrefs: 0061B169

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 81f4de4db02cc266ef4516631a50528e442635b037489369f36eca338a43f2a9
Instruction ID: c82846ed5096bcb3090794b0361e106563ddf36e7d0a010b6a103df3b6382c73
Opcode Fuzzy Hash: 81f4de4db02cc266ef4516631a50528e442635b037489369f36eca338a43f2a9
Instruction Fuzzy Hash: A5518334684345FB8B04DB90C993DFD7BB3BB58342B2A5015E80AB7291C775AD86DF42

Function 005B6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005B6A91
__wcsnicmp.LIBCMT ref: 005B6AA9
__wcsnicmp.LIBCMT ref: 005B6AC1
__wcsnicmp.LIBCMT ref: 005B6AD9
__wcsnicmp.LIBCMT ref: 005B6AF1
__wcsnicmp.LIBCMT ref: 005B6B09
__wcsnicmp.LIBCMT ref: 005B6B21
__wcsnicmp.LIBCMT ref: 005B6B35
__wcsnicmp.LIBCMT ref: 005B6B76
__wcsnicmp.LIBCMT ref: 005B6B8A
__wcsnicmp.LIBCMT ref: 005B6B9E
__wcsnicmp.LIBCMT ref: 005B6BB2

Strings

#notrayicon, xrefs: 005B6AA3
Bad directive syntax error, xrefs: 005EE743
#comments-start, xrefs: 005B6B1B, 005B6B70
#include-once, xrefs: 005B6AEB
Cannot parse #include, xrefs: 005EE819
#include, xrefs: 005B6B03
Unterminated group of comments, xrefs: 005EE82C
#comments-end, xrefs: 005B6B98
#pragma compile, xrefs: 005B6A8B
#OnAutoItStartRegister, xrefs: 005B6AD3
#requireadmin, xrefs: 005B6ABB
#cs, xrefs: 005B6B2F, 005B6B84
#ce, xrefs: 005B6BAC

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: ffc40e0ae0524db2118978c88e273b66e85bf158288d6b61c44b94ec590c72ba
Instruction ID: db299230efd1af982538f790aa6ea2a2a6b43e62d430164c59e1e506b998277b
Opcode Fuzzy Hash: ffc40e0ae0524db2118978c88e273b66e85bf158288d6b61c44b94ec590c72ba
Instruction Fuzzy Hash: DF812570700246BBCB24BB65CC87FEB7F69FF54700F044026F945AA296EB64FA45C6A1

Function 0063AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0063AB99
SetTextColor.GDI32(?,?), ref: 0063AB9D
GetSysColorBrush.USER32(0000000F), ref: 0063ABB3
GetSysColor.USER32(0000000F), ref: 0063ABBE
CreateSolidBrush.GDI32(?), ref: 0063ABC3
GetSysColor.USER32(00000011), ref: 0063ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0063ABE9
SelectObject.GDI32(?,00000000), ref: 0063ABFA
SetBkColor.GDI32(?,00000000), ref: 0063AC03
SelectObject.GDI32(?,?), ref: 0063AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0063AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0063AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0063AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0063ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0063ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0063ACEC
DrawFocusRect.USER32(?,?), ref: 0063ACF7
GetSysColor.USER32(00000011), ref: 0063AD05
SetTextColor.GDI32(?,00000000), ref: 0063AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0063AD21
SelectObject.GDI32(?,0063A869), ref: 0063AD38
DeleteObject.GDI32(?), ref: 0063AD43
SelectObject.GDI32(?,?), ref: 0063AD49
DeleteObject.GDI32(?), ref: 0063AD4E
SetTextColor.GDI32(?,?), ref: 0063AD54
SetBkColor.GDI32(?,?), ref: 0063AD5E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1640b3b27d89a2bb6d755bf4867482a9bfd2c6a42be545798dcb586343ae5251
Instruction ID: ddd9bf5b20c7f90b78a3337835893074fb61c8672f18bed7e3083f668e4eea25
Opcode Fuzzy Hash: 1640b3b27d89a2bb6d755bf4867482a9bfd2c6a42be545798dcb586343ae5251
Instruction Fuzzy Hash: 0A612C71D00218BFDB119FA8DC49EAEBBBAEB08320F105126F915AB2A1D7759940DB90

Function 00638C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00638D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00638D45
CharNextW.USER32(0000014E), ref: 00638D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00638DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00638DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00638DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00638DF9
SetWindowTextW.USER32(?,0000014E), ref: 00638E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00638E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00638E8C
_memset.LIBCMT ref: 00638EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00638EFA
_memset.LIBCMT ref: 00638F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00638F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00638FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00639088
InvalidateRect.USER32(?,00000000,00000001), ref: 006390AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006390F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00639121
DrawMenuBar.USER32(?), ref: 00639130
SetWindowTextW.USER32(?,0000014E), ref: 00639158

Strings

0, xrefs: 006390C2

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 7957e7b4c76f1a5c634095425f8bd4e9e7c3a90f73d663ffdd26c4db88b67f24
Instruction ID: 859f955f8e164182658322bef8b8170f8438822aa6f72a8bc602fe8053141112
Opcode Fuzzy Hash: 7957e7b4c76f1a5c634095425f8bd4e9e7c3a90f73d663ffdd26c4db88b67f24
Instruction Fuzzy Hash: D1E17474900219AFDF209F54CC89EEE7B7AFF05750F10815AF915A7290DB709A85DFA0

Function 00634B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00634C51
GetDesktopWindow.USER32 ref: 00634C66
GetWindowRect.USER32(00000000), ref: 00634C6D
GetWindowLongW.USER32(?,000000F0), ref: 00634CCF
DestroyWindow.USER32(?), ref: 00634CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00634D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00634D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00634D68
SendMessageW.USER32(?,00000421,?,?), ref: 00634D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00634D90
IsWindowVisible.USER32(?), ref: 00634DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00634DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00634DDF
GetWindowRect.USER32(?,?), ref: 00634DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00634E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00634E37
CopyRect.USER32(?,?), ref: 00634E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00634EB9

Strings

(, xrefs: 00634E2A
0, xrefs: 00634BFC
tooltips_class32, xrefs: 00634D1D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d9d498c4de694fa3fc4372b0aa63642d1978f82296a7705e3fce2d68858bd254
Instruction ID: bdd420d54da6b444c8364977b0badfad8ee4232f32ea8481414029ae5224dd59
Opcode Fuzzy Hash: d9d498c4de694fa3fc4372b0aa63642d1978f82296a7705e3fce2d68858bd254
Instruction Fuzzy Hash: 8AB15A71608341AFDB04DF24C849BAAFBE6BF85714F00891CF5999B2A1DB71EC05CB91

Function 006146D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006146E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0061470E
_wcscpy.LIBCMT ref: 0061473C
_wcscmp.LIBCMT ref: 00614747
_wcscat.LIBCMT ref: 0061475D
_wcsstr.LIBCMT ref: 00614768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00614784
_wcscat.LIBCMT ref: 006147CD
_wcscat.LIBCMT ref: 006147D4
_wcsncpy.LIBCMT ref: 006147FF

Strings

%u.%u.%u.%u, xrefs: 00614862
\VarFileInfo\Translation, xrefs: 0061477C
04090000, xrefs: 006147BA
StringFileInfo\, xrefs: 00614757
DefaultLangCodepage, xrefs: 006147E7

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 8396f8fb883cc1f381c0f3b98fd101704ad3ea0b5de8ac81a4ee945f86538d7a
Instruction ID: 4ffb1f46103115cd61afa0e0fd9586557c6870d34eccd871c4b8501e1f5d53da
Opcode Fuzzy Hash: 8396f8fb883cc1f381c0f3b98fd101704ad3ea0b5de8ac81a4ee945f86538d7a
Instruction Fuzzy Hash: 5141F571A00202BBD720B7699C4BEFF7B7DEF81710F04006BF905E6282EF719A4196A5

Function 005B27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005B28BC
GetSystemMetrics.USER32(00000007), ref: 005B28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005B28EF
GetSystemMetrics.USER32(00000008), ref: 005B28F7
GetSystemMetrics.USER32(00000004), ref: 005B291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005B2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005B2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 005B297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 005B2990
GetClientRect.USER32(00000000,000000FF), ref: 005B29AE
GetStockObject.GDI32(00000011), ref: 005B29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 005B29D5

Part of subcall function 005B2344: GetCursorPos.USER32(?), ref: 005B2357
Part of subcall function 005B2344: ScreenToClient.USER32(006767B0,?), ref: 005B2374
Part of subcall function 005B2344: GetAsyncKeyState.USER32(00000001), ref: 005B2399
Part of subcall function 005B2344: GetAsyncKeyState.USER32(00000002), ref: 005B23A7

SetTimer.USER32(00000000,00000000,00000028,005B1256), ref: 005B29FC

Strings

AutoIt v3 GUI, xrefs: 005B2974

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f49cb6046c6716e2e1acb3c9a3cb39ee05a39710fcc8bf08f44287bcfc387b2b
Instruction ID: c3914d120e8fc5c0c315bbf55d8afa4de02d05e7efd989c11b8a2634147d453b
Opcode Fuzzy Hash: f49cb6046c6716e2e1acb3c9a3cb39ee05a39710fcc8bf08f44287bcfc387b2b
Instruction Fuzzy Hash: 12B15F71A0020ADFDB18DF68DC45BED7FB5FB48315F108529FA15A62A0DB74E841CB61

Function 00634069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006340F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006341B6

Strings

VIEWCHANGE, xrefs: 00634375
SELECTALL, xrefs: 0063421D
GETSUBITEMCOUNT, xrefs: 00634141
ISSELECTED, xrefs: 006341C1
DESELECT, xrefs: 006342A4
GETSELECTED, xrefs: 006342E4
FINDITEM, xrefs: 00634329
SELECTINVERT, xrefs: 00634286
GETSELECTEDCOUNT, xrefs: 00634199
GETITEMCOUNT, xrefs: 00634128
SELECT, xrefs: 00634250
GETTEXT, xrefs: 0063415F
SELECTCLEAR, xrefs: 00634235

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: d5f9bc094422ad0f592b8bef314bec16eec31178c1f98e2a6ba021edd82bb627
Instruction ID: 3f7838f99d7f284c55ca50b7da8aabe8b0eb398581dd96e16aadb271c1428740
Opcode Fuzzy Hash: d5f9bc094422ad0f592b8bef314bec16eec31178c1f98e2a6ba021edd82bb627
Instruction Fuzzy Hash: F4A183302143029BCB14EF24C955AAABBA7BF85314F14496DB8969B3D2DF30FD06CB91

Function 006252F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00625309
LoadCursorW.USER32(00000000,00007F8A), ref: 00625314
LoadCursorW.USER32(00000000,00007F00), ref: 0062531F
LoadCursorW.USER32(00000000,00007F03), ref: 0062532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00625335
LoadCursorW.USER32(00000000,00007F01), ref: 00625340
LoadCursorW.USER32(00000000,00007F81), ref: 0062534B
LoadCursorW.USER32(00000000,00007F88), ref: 00625356
LoadCursorW.USER32(00000000,00007F80), ref: 00625361
LoadCursorW.USER32(00000000,00007F86), ref: 0062536C
LoadCursorW.USER32(00000000,00007F83), ref: 00625377
LoadCursorW.USER32(00000000,00007F85), ref: 00625382
LoadCursorW.USER32(00000000,00007F82), ref: 0062538D
LoadCursorW.USER32(00000000,00007F84), ref: 00625398
LoadCursorW.USER32(00000000,00007F04), ref: 006253A3
LoadCursorW.USER32(00000000,00007F02), ref: 006253AE
GetCursorInfo.USER32(?), ref: 006253BE
GetLastError.KERNEL32(00000001,00000000), ref: 006253E9

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 8334ec87f7749e644d0d9bb0c80afb35f8402fdd1f3af14b989d162c1a7b0683
Instruction ID: ef438ed749496a296288b01bc73e54ea98748feda913f1548ed7077253c1fa83
Opcode Fuzzy Hash: 8334ec87f7749e644d0d9bb0c80afb35f8402fdd1f3af14b989d162c1a7b0683
Instruction Fuzzy Hash: AB418470E043296ADB209FB69C4986FFFF9EF51B10B10452FA509E7291DAB8A4018E91

Function 0060AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0060AAA5
__swprintf.LIBCMT ref: 0060AB46
_wcscmp.LIBCMT ref: 0060AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0060ABAE
_wcscmp.LIBCMT ref: 0060ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0060AC21
GetDlgCtrlID.USER32(?), ref: 0060AC73
GetWindowRect.USER32(?,?), ref: 0060ACA9
GetParent.USER32(?), ref: 0060ACC7
ScreenToClient.USER32(00000000), ref: 0060ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0060AD48
_wcscmp.LIBCMT ref: 0060AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0060AD82
_wcscmp.LIBCMT ref: 0060AD96

Part of subcall function 005D386C: _iswctype.LIBCMT ref: 005D3874

Strings

%s%u, xrefs: 0060AB40

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6b612c3de70bc7d25f2743c7fa09d9f036e8e7efc28f9778a95bc0ce18387ed1
Instruction ID: 82d9d03d33f8ebd921297f8f90dc8a95a8767dd8e501c0871be2389b3055d596
Opcode Fuzzy Hash: 6b612c3de70bc7d25f2743c7fa09d9f036e8e7efc28f9778a95bc0ce18387ed1
Instruction Fuzzy Hash: A0A1AF71244706AFD718DFA4C884BEBB7AAFF44395F00462AF999922D0D730E945CB92

Function 0060B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0060B3DB
_wcscmp.LIBCMT ref: 0060B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0060B414
CharUpperBuffW.USER32(?,00000000), ref: 0060B431
_wcscmp.LIBCMT ref: 0060B44F
_wcsstr.LIBCMT ref: 0060B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0060B498
_wcscmp.LIBCMT ref: 0060B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0060B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0060B518
_wcscmp.LIBCMT ref: 0060B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0060B550
GetWindowRect.USER32(00000004,?), ref: 0060B5B9

Strings

@, xrefs: 0060B3BC
ThumbnailClass, xrefs: 0060B4A3, 0060B523

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: fb58a9b81d67fdb60140b09d84735daf169faa734a891b225af0babd013d9926
Instruction ID: 2c14b8b96ea5be7a79f826456b2029f1b2b8472496644ed9b7ac7ec1e928aca6
Opcode Fuzzy Hash: fb58a9b81d67fdb60140b09d84735daf169faa734a891b225af0babd013d9926
Instruction Fuzzy Hash: 7381D0710442069BDB19CF10C885FAB7BEAFF84314F08946AFD859A2D6DB30DE45CBA1

Function 0063C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 005B2612: GetWindowLongW.USER32(?,000000EB), ref: 005B2623

DragQueryPoint.SHELL32(?,?), ref: 0063C917

Part of subcall function 0063ADF1: ClientToScreen.USER32(?,?), ref: 0063AE1A
Part of subcall function 0063ADF1: GetWindowRect.USER32(?,?), ref: 0063AE90
Part of subcall function 0063ADF1: PtInRect.USER32(?,?,0063C304), ref: 0063AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0063C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0063C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0063C9AE
_wcscat.LIBCMT ref: 0063C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0063C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0063CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0063CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0063CA47
DragFinish.SHELL32(?), ref: 0063CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0063CB41

Strings

@GUI_DRAGFILE, xrefs: 0063CAF0
@GUI_DRAGID, xrefs: 0063CAB9
prg, xrefs: 0063CA8B
@GUI_DROPID, xrefs: 0063CA6E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prg
API String ID: 169749273-4175027
Opcode ID: 8f997393a5ac4dfe3ee7869cc641f7ae9e772b0432518f9ad964a5b0f95d74e0
Instruction ID: 20a49fe229cadbd395e2a81d1eb9fdf451796bfdd2e50a18bcb13018694abef9
Opcode Fuzzy Hash: 8f997393a5ac4dfe3ee7869cc641f7ae9e772b0432518f9ad964a5b0f95d74e0
Instruction Fuzzy Hash: 3E615B71508301AFC701EF64DC89D9BBBEAFFC9710F00092EF595961A1DB70AA49CB92

Function 0060B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0060B23F

Strings

[ACTIVE, xrefs: 0060B22C
[ALL, xrefs: 0060B2E5
REGEXP=, xrefs: 0060B254
CLASSNAME=, xrefs: 0060B27C
[CLASS:, xrefs: 0060B28F
ACTIVE, xrefs: 0060B21A
[REGEXPTITLE:, xrefs: 0060B267
HANDLE=, xrefs: 0060B238
[LAST, xrefs: 0060B2EC
ALL, xrefs: 0060B2D3
[HANDLE:, xrefs: 0060B24B
LAST, xrefs: 0060B204

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: e2fe656d8f935bc516d9cd9742c03573d3be38179800e5655ff4ad5c4e104500
Instruction ID: 81368e6d71d96e0cbc29a10f0cae9cf45bb6d3b0220ba88a738e2fbff8c21114
Opcode Fuzzy Hash: e2fe656d8f935bc516d9cd9742c03573d3be38179800e5655ff4ad5c4e104500
Instruction Fuzzy Hash: CC319031A8430AA6DB18FA60CD47EFE7FAAAF64750F60402AB851B11D5EF616F04C5A1

Function 0060C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0060C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0060C4E6
SetWindowTextW.USER32(?,?), ref: 0060C4FD
GetDlgItem.USER32(?,000003EA), ref: 0060C512
SetWindowTextW.USER32(00000000,?), ref: 0060C518
GetDlgItem.USER32(?,000003E9), ref: 0060C528
SetWindowTextW.USER32(00000000,?), ref: 0060C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0060C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0060C569
GetWindowRect.USER32(?,?), ref: 0060C572
SetWindowTextW.USER32(?,?), ref: 0060C5DD
GetDesktopWindow.USER32 ref: 0060C5E3
GetWindowRect.USER32(00000000), ref: 0060C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0060C636
GetClientRect.USER32(?,?), ref: 0060C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0060C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0060C693

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: fe0410f540a115d13e62ed1a9f1bcc6475c1634eb141e38d12e38559bbc66deb
Instruction ID: 5d47db2c7a81eaf603f301340b3bd76f32c1a3693b01087f2dcd0aad67d6c328
Opcode Fuzzy Hash: fe0410f540a115d13e62ed1a9f1bcc6475c1634eb141e38d12e38559bbc66deb
Instruction Fuzzy Hash: 01518130900709AFDB25DFA8DD85BAFBBF6FF04715F004628E682A26E0C775A914CB50

Function 0063A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0063A4C8
DestroyWindow.USER32(?,?), ref: 0063A542

Part of subcall function 005B7D2C: _memmove.LIBCMT ref: 005B7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0063A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0063A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0063A5F1
DestroyWindow.USER32(00000000), ref: 0063A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,005B0000,00000000), ref: 0063A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0063A663
GetDesktopWindow.USER32 ref: 0063A67C
GetWindowRect.USER32(00000000), ref: 0063A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0063A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0063A6B3

Part of subcall function 005B25DB: GetWindowLongW.USER32(?,000000EB), ref: 005B25EC

Strings

0, xrefs: 0063A4DE
tooltips_class32, xrefs: 0063A5B5, 0063A643

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: f03b1a3d80dfbc72d04a1ff188c4ce2024c97bb2586efbd4bab222d2efdf6c57
Instruction ID: bb646bf4d5ea6e745f2add642ea25b46a253c2d50bbc86a1196e7c2ac649f685
Opcode Fuzzy Hash: f03b1a3d80dfbc72d04a1ff188c4ce2024c97bb2586efbd4bab222d2efdf6c57
Instruction Fuzzy Hash: 2D719E71540205AFD724CF68CC4AFAA7BE6FB89304F08452DF985873A0D771E946DBA2

Function 00634619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006346AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006346F6

Strings

GETSELECTED, xrefs: 00634806
COLLAPSE, xrefs: 0063473C
GETITEMCOUNT, xrefs: 006347D8
SELECT, xrefs: 006348A7
UNCHECK, xrefs: 006348D2
EXPAND, xrefs: 006347A8
GETTEXT, xrefs: 00634849
ISCHECKED, xrefs: 00634879
EXISTS, xrefs: 0063475F
CHECK, xrefs: 00634716
GETTOTALCOUNT, xrefs: 006346DD

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: aa15f13ffb3c0ff1cdadfc85f073e8bb2ac22f2a8d64dff8c3c01c923ebd0684
Instruction ID: 9b2ce7a5742f01cb87dde98191eec866dcd3d747c1b0858d1c7c21f341f485a6
Opcode Fuzzy Hash: aa15f13ffb3c0ff1cdadfc85f073e8bb2ac22f2a8d64dff8c3c01c923ebd0684
Instruction Fuzzy Hash: 91916D346043029BCB14EF24C455AAABBA3BF85354F04546DF8969B3A2CF30FD4ACB81

Function 0063BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0063BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00639431), ref: 0063BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0063BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0063BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0063BC7D
FreeLibrary.KERNEL32(?), ref: 0063BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0063BC99
DestroyIcon.USER32(?,?,?,?,?,00639431), ref: 0063BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0063BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0063BCD1

Part of subcall function 005D313D: __wcsicmp_l.LIBCMT ref: 005D31C6

Strings

.dll, xrefs: 0063BB27
.icl, xrefs: 0063BAE4
.exe, xrefs: 0063BB04

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 3800c0226ba3ec8bad3d81430e6c9eb27824852e3d416a8ec8d911a14e394834
Instruction ID: 0d26368f6b97851d9ad8b8d6f3475a05d3602edefa14c5cb51f600d8a8620c04
Opcode Fuzzy Hash: 3800c0226ba3ec8bad3d81430e6c9eb27824852e3d416a8ec8d911a14e394834
Instruction Fuzzy Hash: C461D171900219BAEB24DF64CC46FFE7BA9FB08711F106116FA15D62D0DF74A980CBA0

Function 0061A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0063FB78), ref: 0061A0FC

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0061A11E
__swprintf.LIBCMT ref: 0061A177
__swprintf.LIBCMT ref: 0061A190
_wprintf.LIBCMT ref: 0061A246
_wprintf.LIBCMT ref: 0061A264

Strings

^ ERROR, xrefs: 0061A1E8
Line %d (File "%s"):, xrefs: 0061A171, 0061A18A
%d, xrefs: 0061A0C9
Error: , xrefs: 0061A20E
"%s" (%d) : ==> %s:, xrefs: 0061A25F
"%s" (%d) : ==> %s:%s%s, xrefs: 0061A241

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%d
API String ID: 311963372-790387708
Opcode ID: 3030dbfca31c821b1b7bbf438237cdfe58b8a212e7bdb7588afab894a0843bb6
Instruction ID: 198261b9b16269a1e2a7eeb4ae9d9b0c12ca3f5c0f315d82b4fe01f72408845b
Opcode Fuzzy Hash: 3030dbfca31c821b1b7bbf438237cdfe58b8a212e7bdb7588afab894a0843bb6
Instruction Fuzzy Hash: 2E51437190510AABCF15EBE0CD4AEEEBB7ABF48300F140165F515721A1EB316F98DB61

Function 0061A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

CharLowerBuffW.USER32(?,?), ref: 0061A636
GetDriveTypeW.KERNEL32 ref: 0061A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0061A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0061A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0061A730

Part of subcall function 005B7D2C: _memmove.LIBCMT ref: 005B7D66

Strings

close, xrefs: 0061A63C
open , xrefs: 0061A692
close cd wait, xrefs: 0061A71B
type cdaudio alias cd wait, xrefs: 0061A6AE
wait, xrefs: 0061A6ED
open, xrefs: 0061A65D
closed, xrefs: 0061A64A, 0061A653
set cd door , xrefs: 0061A6D1

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 4086d8366224b9d6d2fc6b6a257e7580a5760ec5531758f029246a9952e01c41
Instruction ID: 57593f480639639206d633f146b506a60ceb7f5660a0ef8273f8569f8a3ff7eb
Opcode Fuzzy Hash: 4086d8366224b9d6d2fc6b6a257e7580a5760ec5531758f029246a9952e01c41
Instruction Fuzzy Hash: ED5160751043059FC700EF20C8859AABBF5FF88718F04495DF895A72A1DB31EE0ACB52

Function 0061A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0061A47A
__swprintf.LIBCMT ref: 0061A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0061A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0061A4FE
_memset.LIBCMT ref: 0061A51D
_wcsncpy.LIBCMT ref: 0061A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0061A58E
CloseHandle.KERNEL32(00000000), ref: 0061A599
RemoveDirectoryW.KERNEL32(?), ref: 0061A5A2
CloseHandle.KERNEL32(00000000), ref: 0061A5AC

Strings

\, xrefs: 0061A4B2
:, xrefs: 0061A4BD
\??\%s, xrefs: 0061A496

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 833c2201df79cffd8ca840e8e1e7ae821ce2d53c98dd6e459aec536b8cb848a3
Instruction ID: 9c35e8f941cf1a326ef7068cb4dcdc2ce6a9150cc77c2effbf7081424ff0df92
Opcode Fuzzy Hash: 833c2201df79cffd8ca840e8e1e7ae821ce2d53c98dd6e459aec536b8cb848a3
Instruction Fuzzy Hash: 9931A1B590010AABDB21DFA1DC49FEB77BEEF88701F1441B6F908D2260E77097848B65

Function 0061DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0061DC7B
_wcscat.LIBCMT ref: 0061DC93
_wcscat.LIBCMT ref: 0061DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0061DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0061DCCE
GetFileAttributesW.KERNEL32(?), ref: 0061DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0061DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0061DD12

Strings

*.*, xrefs: 0061DD51

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: eb20396404d7a44f239fac9c8b99ffe970bfe57e84c76ee9a516dd079827ca0f
Instruction ID: f83ea4e3bea8d3fc1ea40788e7b7d1bb6ea3a29b1ba1291c214f33b575f54aa1
Opcode Fuzzy Hash: eb20396404d7a44f239fac9c8b99ffe970bfe57e84c76ee9a516dd079827ca0f
Instruction Fuzzy Hash: 008174B55082419FC724DF64C8859EAB7EABF88350F198C2EF486C7351E670E985CB91

Function 0063C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B2612: GetWindowLongW.USER32(?,000000EB), ref: 005B2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0063C4EC
GetFocus.USER32 ref: 0063C4FC
GetDlgCtrlID.USER32(00000000), ref: 0063C507
_memset.LIBCMT ref: 0063C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0063C65D
GetMenuItemCount.USER32(?), ref: 0063C67D
GetMenuItemID.USER32(?,00000000), ref: 0063C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0063C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0063C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0063C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0063C779

Strings

0, xrefs: 0063C62A

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 427116f98d9ba9bb462bbd8ae834fbaf97b0f213944970d25cb9b48f40d7ba34
Instruction ID: 1d2e26ed82d70af6108305b7ddabe41c9e66c35e384d67b542253681c265c07a
Opcode Fuzzy Hash: 427116f98d9ba9bb462bbd8ae834fbaf97b0f213944970d25cb9b48f40d7ba34
Instruction Fuzzy Hash: D2817D706083019FD710DF24C985EABBBE6FB89364F10552EF999A7291D730E905CBE2

Function 006083F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0060874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00608766
Part of subcall function 0060874A: GetLastError.KERNEL32(?,0060822A,?,?,?), ref: 00608770
Part of subcall function 0060874A: GetProcessHeap.KERNEL32(00000008,?,?,0060822A,?,?,?), ref: 0060877F
Part of subcall function 0060874A: HeapAlloc.KERNEL32(00000000,?,0060822A,?,?,?), ref: 00608786
Part of subcall function 0060874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0060879D

Part of subcall function 006087E7: GetProcessHeap.KERNEL32(00000008,00608240,00000000,00000000,?,00608240,?), ref: 006087F3
Part of subcall function 006087E7: HeapAlloc.KERNEL32(00000000,?,00608240,?), ref: 006087FA
Part of subcall function 006087E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00608240,?), ref: 0060880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00608458
_memset.LIBCMT ref: 0060846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0060848C
GetLengthSid.ADVAPI32(?), ref: 0060849D
GetAce.ADVAPI32(?,00000000,?), ref: 006084DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006084F6
GetLengthSid.ADVAPI32(?), ref: 00608513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00608522
HeapAlloc.KERNEL32(00000000), ref: 00608529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0060854A
CopySid.ADVAPI32(00000000), ref: 00608551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00608582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006085A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006085BC

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 2581ba2d2e714e841fe190c318c5b1ec9be147e958632b300dd3fe601c93ae5b
Instruction ID: e6e516ed2748b5e46ce234c2a34a2ebc95e6208794983007be53f026ac23d954
Opcode Fuzzy Hash: 2581ba2d2e714e841fe190c318c5b1ec9be147e958632b300dd3fe601c93ae5b
Instruction Fuzzy Hash: 4861477194020AAFDF19DFA4DC45AEEBBBAFF04300F148569F855A7291DB319A05CFA0

Function 0062762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006276A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006276AE
CreateCompatibleDC.GDI32(?), ref: 006276BA
SelectObject.GDI32(00000000,?), ref: 006276C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0062771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00627757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0062777B
SelectObject.GDI32(00000006,?), ref: 00627783
DeleteObject.GDI32(?), ref: 0062778C
DeleteDC.GDI32(00000006), ref: 00627793
ReleaseDC.USER32(00000000,?), ref: 0062779E

Strings

(, xrefs: 00627723

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 324bbedb55c8ee71928b2a03222fe9be6bf168237555638c76e49d3350d003be
Instruction ID: 5bab2cb820f7c5325c6779dc2009e844402476b2e123fdaa2d561b9da8d29e12
Opcode Fuzzy Hash: 324bbedb55c8ee71928b2a03222fe9be6bf168237555638c76e49d3350d003be
Instruction Fuzzy Hash: DA514975904619EFCB15CFA8DC85EAEBBBAEF48310F14842DF94997310D731A9408FA0

Function 005B6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 005D0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,005B6C6C,?,00008000), ref: 005D0BB7

Part of subcall function 005B48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005B48A1,?,?,005B37C0,?), ref: 005B48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 005B6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 005B6E5A

Part of subcall function 005B59CD: _wcscpy.LIBCMT ref: 005B5A05

Part of subcall function 005D387D: _iswctype.LIBCMT ref: 005D3885

Strings

Error opening the file, xrefs: 005EE866, 005EE8E1
EA06, xrefs: 005EE87B
Unterminated string, xrefs: 005EEC0D
Bad directive syntax error, xrefs: 005EEBC6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 005EE84A
>>>AUTOIT SCRIPT<<<, xrefs: 005EE8BF
AU3!, xrefs: 005B6CC1

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 781da2325cb914822097e40518ba402df9bb346d394332f37576e9f998055d9f
Instruction ID: 25a638bc2ac473e5b5ecd55907098611fd276e78da1982b2c7abbff4d0f0cfef
Opcode Fuzzy Hash: 781da2325cb914822097e40518ba402df9bb346d394332f37576e9f998055d9f
Instruction Fuzzy Hash: 4E0239711083829FC728EF25C896AAFBBE5BFD8314F14491DF485972A1DB30E949CB52

Function 005B45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005B45F9
GetMenuItemCount.USER32(00676890), ref: 005ED7CD
GetMenuItemCount.USER32(00676890), ref: 005ED87D
GetCursorPos.USER32(?), ref: 005ED8C1
SetForegroundWindow.USER32(00000000), ref: 005ED8CA
TrackPopupMenuEx.USER32(00676890,00000000,?,00000000,00000000,00000000), ref: 005ED8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005ED8E9

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 26cd4d47b08603623f23e57f34c8529f92c6637d96c925e083736697fec0e6ad
Instruction ID: 9223ab361c584b0349e901b589c56a7df71c70a1efb084d5b5e91beb6a41c08f
Opcode Fuzzy Hash: 26cd4d47b08603623f23e57f34c8529f92c6637d96c925e083736697fec0e6ad
Instruction Fuzzy Hash: 53710371A00246BBEB348F25DC89FEABF75FF05364F200216F564A61E1C7B16860DBA0

Function 00628BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00628BEC
CoInitialize.OLE32(00000000), ref: 00628C19
CoUninitialize.OLE32 ref: 00628C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00628D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00628E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00642C0C), ref: 00628E84
CoGetObject.OLE32(?,00000000,00642C0C,?), ref: 00628EA7
SetErrorMode.KERNEL32(00000000), ref: 00628EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00628F3A
VariantClear.OLEAUT32(?), ref: 00628F4A

Strings

,,d, xrefs: 00628BD6

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,d
API String ID: 2395222682-3187189881
Opcode ID: 1efe95f12316bd50da96a6c6cc9b7f04edc99585e61c501767d52b0df7f31285
Instruction ID: 9f71de0348088c03918009ae7f09cf50c9c23e44d4001035add0a4b05260e69c
Opcode Fuzzy Hash: 1efe95f12316bd50da96a6c6cc9b7f04edc99585e61c501767d52b0df7f31285
Instruction Fuzzy Hash: 05C135B1608715AFD700DF64D88496BBBEAFF88348F10492DF5899B261DB31ED05CB52

Function 006310A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00630038,?,?), ref: 006310BC

Strings

HKEY_USERS, xrefs: 006311BD
HKLM, xrefs: 0063113A
HKU, xrefs: 006311CE
HKCR, xrefs: 00631164
HKCU, xrefs: 006311AC
HKEY_CLASSES_ROOT, xrefs: 0063114F
HKEY_LOCAL_MACHINE, xrefs: 00631125
HKCC, xrefs: 0063118A
HKEY_CURRENT_CONFIG, xrefs: 00631179
HKEY_CURRENT_USER, xrefs: 0063119B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 63d0226b3f702c8520f54205e913099b7ea00929887feadb9911581673791f19
Instruction ID: 4e4462caf913858cb8baa7e5bab7597c10e38ee543a9ff79dddb7a34a9cde418
Opcode Fuzzy Hash: 63d0226b3f702c8520f54205e913099b7ea00929887feadb9911581673791f19
Instruction Fuzzy Hash: 1941313015024FDBCF20EFA4D8956EB3B26BF56340F505456FC519B391DB31AA5AC7A0

Function 00615569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 005B7D2C: _memmove.LIBCMT ref: 005B7D66

Part of subcall function 005B7A84: _memmove.LIBCMT ref: 005B7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006155D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006155E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006155F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0061560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0061561C

Strings

close PlayMe, xrefs: 006155E3, 00615610
open , xrefs: 00615581
play PlayMe wait, xrefs: 00615606
alias PlayMe, xrefs: 006155AB
play PlayMe, xrefs: 00615617
status PlayMe mode, xrefs: 006155CD

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: b3d25fa38ddcc3524bd3176033ba97a96b5c8c044ff296a86b53462153070358
Instruction ID: bf36157fa07e8278586f1f162af20c831db9bc44864d2b288eea36f909bf2534
Opcode Fuzzy Hash: b3d25fa38ddcc3524bd3176033ba97a96b5c8c044ff296a86b53462153070358
Instruction Fuzzy Hash: 07112E3195016EB9D720A6A2DC8ADFFBE7EFFD5B00F440469B401B21D1EEA06D45C9E1

Function 00615217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0061521C

Part of subcall function 005D0719: timeGetTime.WINMM(?,7694B400,005C0FF9), ref: 005D071D

Sleep.KERNEL32(0000000A), ref: 00615248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0061526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0061528E
SetActiveWindow.USER32 ref: 006152AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006152BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 006152DA
Sleep.KERNEL32(000000FA), ref: 006152E5
IsWindow.USER32 ref: 006152F1
EndDialog.USER32(00000000), ref: 00615302

Strings

BUTTON, xrefs: 00615280

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 28d6b541e040d8dc2481caebd9c9e314e16e1d62410b2613f14aef4b871567ec
Instruction ID: 4b52856914784aaeba80ae743fdcf64defe7ee046fef8029d8b5e4c226ba34e2
Opcode Fuzzy Hash: 28d6b541e040d8dc2481caebd9c9e314e16e1d62410b2613f14aef4b871567ec
Instruction Fuzzy Hash: 1F218471604704EFE7055F60ED89AA57B6BEB95356F083429F01A822B1EF719DC08A61

Function 0061D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

CoInitialize.OLE32(00000000), ref: 0061D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0061D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0061D8FC
CoCreateInstance.OLE32(00642D7C,00000000,00000001,0066A89C,?), ref: 0061D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0061D9B7
CoTaskMemFree.OLE32(?,?), ref: 0061DA0F
_memset.LIBCMT ref: 0061DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0061DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0061DAAB
CoTaskMemFree.OLE32(00000000), ref: 0061DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0061DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0061DAEB

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 8ed063aa2d0da1d917632a0bef902c62ce50ba4d5e697473615d660156277f06
Instruction ID: ba770e815c79ffb7e27692a94d80df9a892be608cfbacaefa469fb2b2f8f9cb9
Opcode Fuzzy Hash: 8ed063aa2d0da1d917632a0bef902c62ce50ba4d5e697473615d660156277f06
Instruction Fuzzy Hash: 6AB1CA75A00119AFDB14DFA5C888EAEBBF9FF88314B148469F505EB261DB30AD45CB50

Function 0061052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006105A7
SetKeyboardState.USER32(?), ref: 00610612
GetAsyncKeyState.USER32(000000A0), ref: 00610632
GetKeyState.USER32(000000A0), ref: 00610649
GetAsyncKeyState.USER32(000000A1), ref: 00610678
GetKeyState.USER32(000000A1), ref: 00610689
GetAsyncKeyState.USER32(00000011), ref: 006106B5
GetKeyState.USER32(00000011), ref: 006106C3
GetAsyncKeyState.USER32(00000012), ref: 006106EC
GetKeyState.USER32(00000012), ref: 006106FA
GetAsyncKeyState.USER32(0000005B), ref: 00610723
GetKeyState.USER32(0000005B), ref: 00610731

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 87567afa2e7a370743630f950dacffb8f2199714bd0236a2aa3204ac63fe4978
Instruction ID: 162f4211b3dd479d83af1472fd9f3082bd1d22c2174e7ce1dc37205fcf56a0cb
Opcode Fuzzy Hash: 87567afa2e7a370743630f950dacffb8f2199714bd0236a2aa3204ac63fe4978
Instruction Fuzzy Hash: E251FD24A0478829FF34DBB085557EABFB79F12340F0C859ED5C25A2C2DAD49ACCCB95

Function 0060C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0060C746
GetWindowRect.USER32(00000000,?), ref: 0060C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0060C7B6
GetDlgItem.USER32(?,00000002), ref: 0060C7C1
GetWindowRect.USER32(00000000,?), ref: 0060C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0060C827
GetDlgItem.USER32(?,000003E9), ref: 0060C835
GetWindowRect.USER32(00000000,?), ref: 0060C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0060C889
GetDlgItem.USER32(?,000003EA), ref: 0060C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0060C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0060C8C1

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: dd876219bd7a792b9d895d5389acf181993aecde5693b5ab05cbffacbbc9bc4e
Instruction ID: d27ff240af0822ec4a500c27218b0a510dc09271837cce500677955a4e424c4f
Opcode Fuzzy Hash: dd876219bd7a792b9d895d5389acf181993aecde5693b5ab05cbffacbbc9bc4e
Instruction Fuzzy Hash: 55512171F40205AFDB18CFA9DD99AAEBBB6EB89311F14822DF515D72D0D7709D008B50

Function 005B201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 005B1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005B2036,?,00000000,?,?,?,?,005B16CB,00000000,?), ref: 005B1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005B20D3
KillTimer.USER32(-00000001,?,?,?,?,005B16CB,00000000,?,?,005B1AE2,?,?), ref: 005B216E
DestroyAcceleratorTable.USER32(00000000), ref: 005EBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005B16CB,00000000,?,?,005B1AE2,?,?), ref: 005EBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005B16CB,00000000,?,?,005B1AE2,?,?), ref: 005EBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005B16CB,00000000,?,?,005B1AE2,?,?), ref: 005EBF5A
DeleteObject.GDI32(00000000), ref: 005EBF6C

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 9ddcc7deae49f7ba427675800d06b677fea19cc9c07ffc8c0e642a92b4f2d2bc
Instruction ID: d3ed52a39726e8170debe20c135150b4e54d5ba96ef14e38294a63b3a43cf52e
Opcode Fuzzy Hash: 9ddcc7deae49f7ba427675800d06b677fea19cc9c07ffc8c0e642a92b4f2d2bc
Instruction Fuzzy Hash: 24619930500A14DFDB2DAF19DD48B6ABFF2FB40312F10992DE1A696960C771B881DFA1

Function 005B21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 005B25DB: GetWindowLongW.USER32(?,000000EB), ref: 005B25EC

GetSysColor.USER32(0000000F), ref: 005B21D3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1e6d5d54f45c82baca90b9f94938e12ca1c23a2b484777957b0a143d5fdf0e8d
Instruction ID: 5ead1e6a848fc9aad3947106408ada427c29df7671ce747489644cfda5ef0006
Opcode Fuzzy Hash: 1e6d5d54f45c82baca90b9f94938e12ca1c23a2b484777957b0a143d5fdf0e8d
Instruction Fuzzy Hash: 15419B35400144AFDB295F28EC89BB97F66FB06331F284265FDA5CA1E6C7319C82DB61

Function 0061AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0063F910), ref: 0061AB76
GetDriveTypeW.KERNEL32(00000061,0066A620,00000061), ref: 0061AC40
_wcscpy.LIBCMT ref: 0061AC6A

Strings

ramdisk, xrefs: 0061ABEA
network, xrefs: 0061ABD4
unknown, xrefs: 0061AC01
removable, xrefs: 0061ABA8
all, xrefs: 0061AB7C
cdrom, xrefs: 0061AB92
fixed, xrefs: 0061ABBE

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 287dc2e05279cce5172f0ed6dba1922b0e488512ce2b22fb7f70a6276a240392
Instruction ID: d510bfd80e1d63e9d842b1e8578708065e920c74a00648b7f2103d2f78e89920
Opcode Fuzzy Hash: 287dc2e05279cce5172f0ed6dba1922b0e488512ce2b22fb7f70a6276a240392
Instruction Fuzzy Hash: F451A1301083429BC710EF54C895AEABBA7FFC4700F18481EF596572A2DB31AD89CA53

Function 0063C27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B2612: GetWindowLongW.USER32(?,000000EB), ref: 005B2623

Part of subcall function 005B2344: GetCursorPos.USER32(?), ref: 005B2357
Part of subcall function 005B2344: ScreenToClient.USER32(006767B0,?), ref: 005B2374
Part of subcall function 005B2344: GetAsyncKeyState.USER32(00000001), ref: 005B2399
Part of subcall function 005B2344: GetAsyncKeyState.USER32(00000002), ref: 005B23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0063C2E4
ImageList_EndDrag.COMCTL32 ref: 0063C2EA
ReleaseCapture.USER32 ref: 0063C2F0
SetWindowTextW.USER32(?,00000000), ref: 0063C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0063C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0063C48F

Strings

@GUI_DRAGFILE, xrefs: 0063C424
prg, xrefs: 0063C438
prg, xrefs: 0063C3FD
@GUI_DROPID, xrefs: 0063C3E1

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$prg$prg
API String ID: 1924731296-914680665
Opcode ID: 07ebdebd650a62f9385dcd44014e869806a4a8097b63b54fd09169f51d5e433b
Instruction ID: e34b19bd092b6e8b7fb95e0d678b922efad8fd4cb19760557fd3509653dc6ed7
Opcode Fuzzy Hash: 07ebdebd650a62f9385dcd44014e869806a4a8097b63b54fd09169f51d5e433b
Instruction Fuzzy Hash: 04517F70204305AFD704EF24CC5AFAA7BE6FB88310F10852DF565972E2DB71A944CB92

Function 005B9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 005B99C2
__swprintf.LIBCMT ref: 005B9A0C
__i64tow.LIBCMT ref: 005EFA0F

Strings

False, xrefs: 005EF9D7
%.15g, xrefs: 005B9A06
0x%p, xrefs: 005EF9F1
True, xrefs: 005EF9D0

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 1bfcccfe390427f04b4a1e0e592e2688a048550860c95fe7828d76a797715de4
Instruction ID: 0d41b3cfa8e865c9968e3bfa21f9cd1527a544413f5336fa26f7b6023ccf0310
Opcode Fuzzy Hash: 1bfcccfe390427f04b4a1e0e592e2688a048550860c95fe7828d76a797715de4
Instruction Fuzzy Hash: D741E671504206AFDB289F39DC46FB67FE8FB44300F24486FE589D7292EE31A9418B11

Function 006373C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006373D9
CreateMenu.USER32 ref: 006373F4
SetMenu.USER32(?,00000000), ref: 00637403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00637490
IsMenu.USER32(?), ref: 006374A6
CreatePopupMenu.USER32 ref: 006374B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006374DD
DrawMenuBar.USER32 ref: 006374E5

Strings

0, xrefs: 006373CF
F, xrefs: 006374D1

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 9a33480c6e8cdfa0223256e08cbcbfd855bde2f6c1c51a77869f64bd5ce03495
Instruction ID: 81c44002ca07254f4d773d85069e0decd5b9d539173d5d77c315d6547d053986
Opcode Fuzzy Hash: 9a33480c6e8cdfa0223256e08cbcbfd855bde2f6c1c51a77869f64bd5ce03495
Instruction Fuzzy Hash: 834136B5A00209EFDB20DF64D888EDABBFAFF49310F144029F95597361D731A914CBA0

Function 0063772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006377CD
CreateCompatibleDC.GDI32(00000000), ref: 006377D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006377E7
SelectObject.GDI32(00000000,00000000), ref: 006377EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 006377FA
DeleteDC.GDI32(00000000), ref: 00637803
GetWindowLongW.USER32(?,000000EC), ref: 0063780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00637821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0063782D

Strings

static, xrefs: 00637765

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: e0dc4ad200dc6c02029f20372d52c3c39db3d439072c35ccce6e85081b113359
Instruction ID: 2b40ceeafd0d295fb13ad7207eaf15a9b5e9e15a35bdf27bffb31b6de59330f5
Opcode Fuzzy Hash: e0dc4ad200dc6c02029f20372d52c3c39db3d439072c35ccce6e85081b113359
Instruction Fuzzy Hash: 1C319A72505215BBDF229FA4DC09FDA3B6AFF0A321F111228FA15A61A0C771D821DBE4

Function 005D7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005D707B

Part of subcall function 005D8D68: __getptd_noexit.LIBCMT ref: 005D8D68

__gmtime64_s.LIBCMT ref: 005D7114
__gmtime64_s.LIBCMT ref: 005D714A
__gmtime64_s.LIBCMT ref: 005D7167
__allrem.LIBCMT ref: 005D71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D71D9
__allrem.LIBCMT ref: 005D71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D720E
__allrem.LIBCMT ref: 005D7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005D7243
__invoke_watson.LIBCMT ref: 005D72B4

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 71ec4d49f2348a637eca77919410a6284c113e8aaeee0383952e78fd23fc597e
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 3A71B375A0475BABD724AE6DCC86B6ABBA8BF58320F14422BF414D73C1F770D9408B90

Function 00612A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00612A31
GetMenuItemInfoW.USER32(00676890,000000FF,00000000,00000030), ref: 00612A92
SetMenuItemInfoW.USER32(00676890,00000004,00000000,00000030), ref: 00612AC8
Sleep.KERNEL32(000001F4), ref: 00612ADA
GetMenuItemCount.USER32(?), ref: 00612B1E
GetMenuItemID.USER32(?,00000000), ref: 00612B3A
GetMenuItemID.USER32(?,-00000001), ref: 00612B64
GetMenuItemID.USER32(?,?), ref: 00612BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00612BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00612C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00612C24

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b7bc59932c68fb45c61408a4c0f7ce1298ed65fd6cba8ef6c2896defc4f85207
Instruction ID: 0f8bc3cc24a669acf95e8961f967965e9e969fa583c9e9283e80657266aef693
Opcode Fuzzy Hash: b7bc59932c68fb45c61408a4c0f7ce1298ed65fd6cba8ef6c2896defc4f85207
Instruction Fuzzy Hash: 5761A0B090424AAFDB21CF64DDA8EEE7BBAFB41308F180459F94193251D731ADA5DB60

Function 00637192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00637214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00637217
GetWindowLongW.USER32(?,000000F0), ref: 0063723B
_memset.LIBCMT ref: 0063724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0063725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006372D6

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 72f7eaa12d4215ee69791b8562bb4a1157cb0d84940daeaf487a36b69afc30c7
Instruction ID: 9cccf2156743611c107fce3dba12f299fb5ed445fafe6d571d58d936a5a544a2
Opcode Fuzzy Hash: 72f7eaa12d4215ee69791b8562bb4a1157cb0d84940daeaf487a36b69afc30c7
Instruction Fuzzy Hash: C7613BB5900248AFDB20DFA4CC81EEE77FAEB09710F144159FA15A73A1D770AE45DBA0

Function 0060710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00607135
SafeArrayAllocData.OLEAUT32(?), ref: 0060718E
VariantInit.OLEAUT32(?), ref: 006071A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 006071C0
VariantCopy.OLEAUT32(?,?), ref: 00607213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00607227
VariantClear.OLEAUT32(?), ref: 0060723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00607249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00607252
VariantClear.OLEAUT32(?), ref: 00607264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0060726F

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 03b7a009bc01a750926c2cdd6c979720c760af047690357d762c46ff3da6f944
Instruction ID: 7902e7933fe356b8bc792a5d615ddcb1962f525c0352b9d8e0963b2b5dc50b56
Opcode Fuzzy Hash: 03b7a009bc01a750926c2cdd6c979720c760af047690357d762c46ff3da6f944
Instruction Fuzzy Hash: 0E413F75E44219AFCF04DF64D8489EEBBBAFF48354F008069F955A7262CB31AA45CB90

Function 006286D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

CoInitialize.OLE32 ref: 00628718
CoUninitialize.OLE32 ref: 00628723
CoCreateInstance.OLE32(?,00000000,00000017,00642BEC,?), ref: 00628783
IIDFromString.OLE32(?,?), ref: 006287F6
VariantInit.OLEAUT32(?), ref: 00628890
VariantClear.OLEAUT32(?), ref: 006288F1

Strings

Failed to create object, xrefs: 0062878E, 00628844
Invalid parameter, xrefs: 0062880F
NULL Pointer assignment, xrefs: 006287C8

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 54f910ab0ef84729a22fe5651d41592ddce3f14a64fb3bd4e418b21203b7a9d1
Instruction ID: 3fd08122f4024615dd9f595c9b0d75fc4bc5f10910ccf47323b0bf5c2974d47f
Opcode Fuzzy Hash: 54f910ab0ef84729a22fe5651d41592ddce3f14a64fb3bd4e418b21203b7a9d1
Instruction Fuzzy Hash: 1F61CF70609B229FD710DF64D848B9EBBEAAF84714F14481DF9859B291CB34ED48CF92

Function 00625A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00625AA6
inet_addr.WSOCK32(?,?,?), ref: 00625AEB
gethostbyname.WSOCK32(?), ref: 00625AF7
IcmpCreateFile.IPHLPAPI ref: 00625B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00625B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00625B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00625C00
WSACleanup.WSOCK32 ref: 00625C06

Strings

Ping, xrefs: 00625B29

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 1533bdcf31bb6eca2049c1c49fe4bc993785506a92c12751a18d0a8911b68eda
Instruction ID: 67cda175a41eb21d6c80c77c29edd1b524dbfa1d1a008fa97d717d683e4b8dde
Opcode Fuzzy Hash: 1533bdcf31bb6eca2049c1c49fe4bc993785506a92c12751a18d0a8911b68eda
Instruction Fuzzy Hash: 22519F31604B119FDB20AF24EC59B6ABBE6EF48711F148929F956DB2E1DB70EC008F45

Function 0061B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0061B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0061B7B1
GetLastError.KERNEL32 ref: 0061B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0061B828

Strings

UNKNOWN, xrefs: 0061B7E0
NOTREADY, xrefs: 0061B7E7
INVALID, xrefs: 0061B7FA
READONLY, xrefs: 0061B7F3
READY, xrefs: 0061B801

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e092c54a28fad74fc6237531d72d5f77a00bb03584d6ced4bba679cc33ce15dd
Instruction ID: 4cd01351161d5b0ec8e6e46639285ae43ee8d041fa9d837ae581df8846e2769c
Opcode Fuzzy Hash: e092c54a28fad74fc6237531d72d5f77a00bb03584d6ced4bba679cc33ce15dd
Instruction Fuzzy Hash: 6F318435A0020A9FDB10EFA4C885AFE7BBAFF84710F185029F501E72D1DB719986CB91

Function 00609471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

Part of subcall function 0060B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0060B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006094F6
GetDlgCtrlID.USER32 ref: 00609501
GetParent.USER32 ref: 0060951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00609520
GetDlgCtrlID.USER32(?), ref: 00609529
GetParent.USER32(?), ref: 00609545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00609548

Strings

ListBox, xrefs: 006094B3
ComboBox, xrefs: 0060947E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8212e8e6263435279d28e77952c407a4c8725887c941a5cd8ef9a24b684c1937
Instruction ID: 7a063deab28d05314607276d631232a4a94186767cd28a04e5addd3e3e7e138f
Opcode Fuzzy Hash: 8212e8e6263435279d28e77952c407a4c8725887c941a5cd8ef9a24b684c1937
Instruction Fuzzy Hash: 3921B570D40104ABCF05AF65CC95DFEBB7AEF8A300F104119F962572E2DB755919DA60

Function 0060955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

Part of subcall function 0060B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0060B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006095DF
GetDlgCtrlID.USER32 ref: 006095EA
GetParent.USER32 ref: 00609606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00609609
GetDlgCtrlID.USER32(?), ref: 00609612
GetParent.USER32(?), ref: 0060962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00609631

Strings

ListBox, xrefs: 0060959E
ComboBox, xrefs: 00609569

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a1431f64f7716637b0247b10dab8240a26b1eccc65bfad04b10ae6ef6260e71c
Instruction ID: e7d08f8f496c7ce53140699a1ef58da1f9a2b7a37f552b10e044ef90c2701098
Opcode Fuzzy Hash: a1431f64f7716637b0247b10dab8240a26b1eccc65bfad04b10ae6ef6260e71c
Instruction Fuzzy Hash: 7321B374D40208BBDF05AB60CC96EFEBB7AEF49300F104015F912972E2DB759919DA30

Function 00609645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00609651
GetClassNameW.USER32(00000000,?,00000100), ref: 00609666
_wcscmp.LIBCMT ref: 00609678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006096F3

Strings

largeicons, xrefs: 00609687
list, xrefs: 006096D5
SHELLDLL_DefView, xrefs: 00609672
details, xrefs: 006096A1
smallicons, xrefs: 006096BB

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 5af2863f00bd5a4505e78719599a2509206a97c009a2defad5109e7beec92f87
Instruction ID: 2e634082536232e62872a3c848dabdad055a561a3c1c5d64d681e8d9e4c83aa7
Opcode Fuzzy Hash: 5af2863f00bd5a4505e78719599a2509206a97c009a2defad5109e7beec92f87
Instruction Fuzzy Hash: 13113A366C8303BAFB192624DC0BDE7779F9B01320F200027FD01A01E2FE63690189B9

Function 00614189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0061419D
__swprintf.LIBCMT ref: 006141AA

Part of subcall function 005D38D8: __woutput_l.LIBCMT ref: 005D3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 006141D4
LoadResource.KERNEL32(?,00000000), ref: 006141E0
LockResource.KERNEL32(00000000), ref: 006141ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0061420D
LoadResource.KERNEL32(?,00000000), ref: 0061421F
SizeofResource.KERNEL32(?,00000000), ref: 0061422E
LockResource.KERNEL32(?), ref: 0061423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0061429B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 6a18dca869044eeae188bd04bf907d4abf050475868afd8956c36280677bc589
Instruction ID: 63d15111126c6d529148f58ba2d19029275b7926990b44134387a98b3a725041
Opcode Fuzzy Hash: 6a18dca869044eeae188bd04bf907d4abf050475868afd8956c36280677bc589
Instruction Fuzzy Hash: 8E316D71A0521AABDB119FA0DD59EFB7BAAEF04301F084526F905D3250DB70DA91DBA0

Function 00629428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0062947C
VariantInit.OLEAUT32(?), ref: 0062954D
VariantInit.OLEAUT32(?), ref: 0062964E
VariantClear.OLEAUT32(?), ref: 00629658
VariantClear.OLEAUT32(?), ref: 006296B5

Strings

,,d, xrefs: 006294FA
Incorrect Object type in FOR..IN loop, xrefs: 00629631
Null Object assignment in FOR..IN loop, xrefs: 006294DD, 0062960B, 006296C3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,d$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-804281361
Opcode ID: ef22ebba70ea65e86c366623812893ca8f5b75be172d0a9ab07e96bd3e944c48
Instruction ID: 8cab0781ff36a17038169461d7fa92f63e6ba13c7aee051a1835340f2ba736f3
Opcode Fuzzy Hash: ef22ebba70ea65e86c366623812893ca8f5b75be172d0a9ab07e96bd3e944c48
Instruction Fuzzy Hash: 1D91BE70A00625ABDF24DFA5E848FEEBBBAEF85710F108159F515AB280D7709945CFB0

Function 0060A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0060AA64), ref: 0060A9A2

Strings

CLASSNN, xrefs: 0060A744
REGEXPCLASS, xrefs: 0060A767
CLASS, xrefs: 0060A721
NAME, xrefs: 0060A7D4
INSTANCE, xrefs: 0060A8B0
TEXT, xrefs: 0060A8D9

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 46cf209607ac720f1ca5b881e09a41a598004d87ec4f2b6707d6e8a8ea1d7072
Instruction ID: 041520c3e7bdf8cb622fd4befa81c98bc840afe7df16d6a38e6c6d51ccaf22ca
Opcode Fuzzy Hash: 46cf209607ac720f1ca5b881e09a41a598004d87ec4f2b6707d6e8a8ea1d7072
Instruction Fuzzy Hash: CA916430A407069ADB1CDFB4C485BEAFF7ABF44344F50811AD859A72D1DF306A5ACBA1

Function 005B2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 005B2EAE

Part of subcall function 005B1DB3: GetClientRect.USER32(?,?), ref: 005B1DDC
Part of subcall function 005B1DB3: GetWindowRect.USER32(?,?), ref: 005B1E1D
Part of subcall function 005B1DB3: ScreenToClient.USER32(?,?), ref: 005B1E45

GetDC.USER32 ref: 005ECF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005ECF95
SelectObject.GDI32(00000000,00000000), ref: 005ECFA3
SelectObject.GDI32(00000000,00000000), ref: 005ECFB8
ReleaseDC.USER32(?,00000000), ref: 005ECFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005ED04B

Strings

U, xrefs: 005ECF20

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a6d0312876b337441fd056dc41c91e5ac8542d3cccc052e6e5b01d28a2b9c133
Instruction ID: 1ddd60b6387aef545ab89f0006ab3a6291b0d218a432c049d75870cefd60e247
Opcode Fuzzy Hash: a6d0312876b337441fd056dc41c91e5ac8542d3cccc052e6e5b01d28a2b9c133
Instruction Fuzzy Hash: 1371D030400245DFCF298F65C884AFA3FB6FF49360F184669EDA59A1A6D731D882DB60

Function 00628F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0063F910), ref: 0062903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0063F910), ref: 00629071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006291EB
SysFreeString.OLEAUT32(?), ref: 00629215

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: b157f402925efc79be6d870f2865ae3d49ad15110567a14441489cba794a924b
Instruction ID: 25557247bcf4635958f5fba20e5824321cae694c47f0af8c1008fd425c5794f2
Opcode Fuzzy Hash: b157f402925efc79be6d870f2865ae3d49ad15110567a14441489cba794a924b
Instruction Fuzzy Hash: E6F10971A00519EFDB04DF94D888EEEB7BABF89314F108059F515AB291DB31AE46CF60

Function 0062F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0062F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0062FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0062FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0062FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0062FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0062FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0062FD90
CloseHandle.KERNEL32(?), ref: 0062FDBF
CloseHandle.KERNEL32(?), ref: 0062FE36

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 54bcb64b6bac379797a7268b3ee59f4bc890343fa7d46e558a43c0c9d43e3750
Instruction ID: 79280be24bede1aa349f4f91ac9a9905cab64fd18963161be6f1cf59ed143820
Opcode Fuzzy Hash: 54bcb64b6bac379797a7268b3ee59f4bc890343fa7d46e558a43c0c9d43e3750
Instruction Fuzzy Hash: EFE1A0312046129FC714EF24D485AAABBF6BF84354F14896DF8998B3A2CB31EC45CF52

Function 00614F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006148AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006138D3,?), ref: 006148C7

Part of subcall function 006148AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006138D3,?), ref: 006148E0

Part of subcall function 00614CD3: GetFileAttributesW.KERNEL32(?,00613947), ref: 00614CD4

lstrcmpiW.KERNEL32(?,?), ref: 00614FE2
_wcscmp.LIBCMT ref: 00614FFC
MoveFileW.KERNEL32(?,?), ref: 00615017

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 0e9895971dd5211740174fc7fe18960a4ffbdf57c7cfc6fa1e383e53c7152bb9
Instruction ID: b528358a1d9cb030311f47f3fb8b039e1d51c3c85d7a52413915da25358c4f5d
Opcode Fuzzy Hash: 0e9895971dd5211740174fc7fe18960a4ffbdf57c7cfc6fa1e383e53c7152bb9
Instruction Fuzzy Hash: 545184B24087859BC764EBA4C8859DFB7EDAFC4301F14092FB189D3191EF74A6888766

Function 006388B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0063896E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f45508ae6f0f49aeb5c0018ab46e08df7eb36c4e34f6a8353743d6e9b56f4a2b
Instruction ID: a7aef403156881b493d47a23b20e5b27704f2dff4e5fc6735a2070987b969552
Opcode Fuzzy Hash: f45508ae6f0f49aeb5c0018ab46e08df7eb36c4e34f6a8353743d6e9b56f4a2b
Instruction Fuzzy Hash: B5515C30A00309BEEB259F28CC8ABE97B66BF05360F604116F515E72A1DF71A9849BD1

Function 005B2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 005EC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005EC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005EC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 005EC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005EC5C0
DestroyIcon.USER32(00000000), ref: 005EC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005EC5EC
DestroyIcon.USER32(?), ref: 005EC5FB

Part of subcall function 0063A71E: DeleteObject.GDI32(00000000), ref: 0063A757

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 22d3d32bf3762aec4c25505d1f432984671a5d69b213cfad410caf3beb3c698f
Instruction ID: 901d56d0637d8c82166b05ac01cce1d93e5bac62efe20914d8bdbd4b4de7124b
Opcode Fuzzy Hash: 22d3d32bf3762aec4c25505d1f432984671a5d69b213cfad410caf3beb3c698f
Instruction Fuzzy Hash: A6516970A00609AFDB28DF25CC45FAA3FB6FB48350F104529F956972A0DB70ED91DBA0

Function 00609B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0060AE77
Part of subcall function 0060AE57: GetCurrentThreadId.KERNEL32 ref: 0060AE7E
Part of subcall function 0060AE57: AttachThreadInput.USER32(00000000,?,00609B65,?,00000001), ref: 0060AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00609B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00609B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00609B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00609B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00609BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00609BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00609BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00609BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00609BDD

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 435a4b318dc270889329f874deb4890b01a13a4c22198c8cc79c0662b456820c
Instruction ID: 24ff6ae451662566d90e8233fa2579562fa2ba524e23febeeb8994a9b7fe84c4
Opcode Fuzzy Hash: 435a4b318dc270889329f874deb4890b01a13a4c22198c8cc79c0662b456820c
Instruction Fuzzy Hash: 5611E571950618BEF7106B60EC4AF6B3B1EDB4D751F101429F244AB0E0CAF25C10DAE4

Function 00608E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00608A84,00000B00,?,?), ref: 00608E0C
HeapAlloc.KERNEL32(00000000,?,00608A84,00000B00,?,?), ref: 00608E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00608A84,00000B00,?,?), ref: 00608E28
GetCurrentProcess.KERNEL32(?,00000000,?,00608A84,00000B00,?,?), ref: 00608E30
DuplicateHandle.KERNEL32(00000000,?,00608A84,00000B00,?,?), ref: 00608E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00608A84,00000B00,?,?), ref: 00608E43
GetCurrentProcess.KERNEL32(00608A84,00000000,?,00608A84,00000B00,?,?), ref: 00608E4B
DuplicateHandle.KERNEL32(00000000,?,00608A84,00000B00,?,?), ref: 00608E4E
CreateThread.KERNEL32(00000000,00000000,00608E74,00000000,00000000,00000000), ref: 00608E68

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e637471bab4636d299f6f5060598f1131c038e4a40dee911a2260ffe01a758ec
Instruction ID: ce01cdff8b0628510ed5c8f9bf7c3a64843b2887f719ce698ca9277e94f5792b
Opcode Fuzzy Hash: e637471bab4636d299f6f5060598f1131c038e4a40dee911a2260ffe01a758ec
Instruction Fuzzy Hash: 1D01B6B5640308FFE710ABA5EC4DF6B3BADEB89711F015421FA05DB2A1CAB09804DB60

Function 00629A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00607652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0060758C,80070057,?,?,?,0060799D), ref: 0060766F
Part of subcall function 00607652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0060758C,80070057,?,?), ref: 0060768A
Part of subcall function 00607652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0060758C,80070057,?,?), ref: 00607698
Part of subcall function 00607652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0060758C,80070057,?), ref: 006076A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00629B1B
_memset.LIBCMT ref: 00629B28
_memset.LIBCMT ref: 00629C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00629C97
CoTaskMemFree.OLE32(?), ref: 00629CA2

Strings

NULL Pointer assignment, xrefs: 00629CF0

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: f9655742e4ad61086f5dc3f7d132ae3c50e7085048faad3c9f05bf9be6b996e6
Instruction ID: e5766078db5658e6c3951c8ea61e30715ee0df5530b4255f92940e17a9735063
Opcode Fuzzy Hash: f9655742e4ad61086f5dc3f7d132ae3c50e7085048faad3c9f05bf9be6b996e6
Instruction Fuzzy Hash: 3B914971D00629EBDB10DFA4DC85ADEBBB9FF88310F20415AF419A7281DB316A45CFA0

Function 00636FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00637093
SendMessageW.USER32(?,00001036,00000000,?), ref: 006370A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006370C1
_wcscat.LIBCMT ref: 0063711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00637133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00637161

Strings

SysListView32, xrefs: 00637065

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 96b9bc65f27eb7d38b10dd9a35862ffa29897e3f0de1778956884dfcd52714b3
Instruction ID: a51f8d759a60f58cf8cfae347066bd75b84ef5abfddc3a5bc9be75c50bc3183d
Opcode Fuzzy Hash: 96b9bc65f27eb7d38b10dd9a35862ffa29897e3f0de1778956884dfcd52714b3
Instruction Fuzzy Hash: 9941A5B1904309AFDB359F64CC85BEE77EAEF08350F10152AF584E7292D7719D848BA0

Function 0062EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00613E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00613EB6
Part of subcall function 00613E91: Process32FirstW.KERNEL32(00000000,?), ref: 00613EC4
Part of subcall function 00613E91: CloseHandle.KERNEL32(00000000), ref: 00613F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0062ECB8
GetLastError.KERNEL32 ref: 0062ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0062ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0062ED77
GetLastError.KERNEL32(00000000), ref: 0062ED82
CloseHandle.KERNEL32(00000000), ref: 0062EDB7

Strings

SeDebugPrivilege, xrefs: 0062ECD6

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 5846e656b7e78aea812188a305f9533ec0ad0a832b48a9c5033708ae59abb1b8
Instruction ID: fe11d29bd529448636fcb0b0cddd273a92bf426f89eec6dba9bc8604880b040f
Opcode Fuzzy Hash: 5846e656b7e78aea812188a305f9533ec0ad0a832b48a9c5033708ae59abb1b8
Instruction Fuzzy Hash: 1C41CF316006119FDB14EF24DC95FAEBBA2AF80710F08842DF9469B3D2CB75A844CF95

Function 00613226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006132C5

Strings

warning, xrefs: 006132AE
question, xrefs: 0061327E
blank, xrefs: 00613247
stop, xrefs: 00613296
info, xrefs: 00613266

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9fbc0b2e76eff202060fa7e602e231878aa9702da2a960a9a752328f56b6e82a
Instruction ID: 046ed958716be975b3994874c3726fea2db55778db79e4755e9758a2f7e5cc6d
Opcode Fuzzy Hash: 9fbc0b2e76eff202060fa7e602e231878aa9702da2a960a9a752328f56b6e82a
Instruction Fuzzy Hash: D3116D316483677BE7116B95DC43CEAB79EEF19370F14002BF50276381D6725F8149A5

Function 00614534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0061454E
LoadStringW.USER32(00000000), ref: 00614555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0061456B
LoadStringW.USER32(00000000), ref: 00614572
_wprintf.LIBCMT ref: 00614598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006145B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00614593

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 368b37c0b95bfa2cc19063bfcca54bc9082c8e3a6ed79b7c67b70235dfa6d110
Instruction ID: 0d42ca987a0d23053cec4c82ee6383db25747866e092a88844563ecbfb88b577
Opcode Fuzzy Hash: 368b37c0b95bfa2cc19063bfcca54bc9082c8e3a6ed79b7c67b70235dfa6d110
Instruction Fuzzy Hash: B10186F2D00208BFE750EBA5DD89EF7776EEB08301F0005A6BB45D2151EA749E858BB1

Function 0063D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B2612: GetWindowLongW.USER32(?,000000EB), ref: 005B2623

GetSystemMetrics.USER32(0000000F), ref: 0063D78A
GetSystemMetrics.USER32(0000000F), ref: 0063D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0063D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0063DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0063DA24
ShowWindow.USER32(00000003,00000000), ref: 0063DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0063DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0063DA8B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 5730da16b53f789d9d6055f7c2bf888a3f1db6a3dcd9af201e4c9ded6261182d
Instruction ID: 3a9c168d843df01ac47e4c9d6de72fc49241507acb1f9457fe3f3db611292ff4
Opcode Fuzzy Hash: 5730da16b53f789d9d6055f7c2bf888a3f1db6a3dcd9af201e4c9ded6261182d
Instruction Fuzzy Hash: 09B16971A00215EFDF18CF69DA857FD7BB2FF44711F088169EC489A295DB34A950CBA0

Function 005B2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,005EC417,00000004,00000000,00000000,00000000), ref: 005B2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,005EC417,00000004,00000000,00000000,00000000,000000FF), ref: 005B2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,005EC417,00000004,00000000,00000000,00000000), ref: 005EC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,005EC417,00000004,00000000,00000000,00000000), ref: 005EC4D6

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b96331699dccd251fda8bb28efc62ee57e6ea74c00c8a2c3458f4ad3162586bd
Instruction ID: 718beec9cba5c4de453b6fd38d8f8bde221cd64955206a0ac8e51abd6fd2a7d7
Opcode Fuzzy Hash: b96331699dccd251fda8bb28efc62ee57e6ea74c00c8a2c3458f4ad3162586bd
Instruction Fuzzy Hash: B6410C316046C09ACB399B29DC9CBFB7F93BB85301F24881DE087865A1C6B5F842D771

Function 00617368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0061737F

Part of subcall function 005D0FF6: std::exception::exception.LIBCMT ref: 005D102C
Part of subcall function 005D0FF6: __CxxThrowException@8.LIBCMT ref: 005D1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006173B6
EnterCriticalSection.KERNEL32(?), ref: 006173D2
_memmove.LIBCMT ref: 00617420
_memmove.LIBCMT ref: 0061743D
LeaveCriticalSection.KERNEL32(?), ref: 0061744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00617461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00617480

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 7978229302b678dacdb761eb0387bb8ca567d7c1faaa4a81626ad0eb781d2013
Instruction ID: d00bb00f63220ba95fe625ca468b719917df94a4a1069e8eae6262dfbee77d20
Opcode Fuzzy Hash: 7978229302b678dacdb761eb0387bb8ca567d7c1faaa4a81626ad0eb781d2013
Instruction Fuzzy Hash: DA318131904206EBCF10EF98DC89AAF7BB9FF84710F1441A6F9049B256DB709A54CBA4

Function 00636442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0063645A
GetDC.USER32(00000000), ref: 00636462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0063646D
ReleaseDC.USER32(00000000,00000000), ref: 00636479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006364B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006364C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00639299,?,?,000000FF,00000000,?,000000FF,?), ref: 00636500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00636520

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d60170cc6bf3d79b8cc6d7fd18043c558e56780a315ce51b6bd4458d8137723e
Instruction ID: 4e0e6fcfbc1c0b1dac13cbc501b4f4b6d7367a19ba5804ba44ac93c5ed50efcb
Opcode Fuzzy Hash: d60170cc6bf3d79b8cc6d7fd18043c558e56780a315ce51b6bd4458d8137723e
Instruction Fuzzy Hash: 09319F72601210BFEB108F10DC8AFEA3FAAEF0A765F045065FE089A291C7759C41CBB4

Function 0060C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0060C087
_memcmp.LIBCMT ref: 0060C0A9
_memcmp.LIBCMT ref: 0060C0C1
_memcmp.LIBCMT ref: 0060C0D4
_memcmp.LIBCMT ref: 0060C0EE
_memcmp.LIBCMT ref: 0060C101
_memcmp.LIBCMT ref: 0060C119
_memcmp.LIBCMT ref: 0060C134

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7dc0b900779f8b2cbd26d7d10b252392bbcd0bc5f8be8cea9eb5309ffe06ad6d
Instruction ID: da7f110887be772a9f238fe314af892e4494cf741c05b1420427968a2b17294c
Opcode Fuzzy Hash: 7dc0b900779f8b2cbd26d7d10b252392bbcd0bc5f8be8cea9eb5309ffe06ad6d
Instruction Fuzzy Hash: 0321C571680606B7D328AB258C56FEB2B9FEF503B4B540122FD06967C3E752DD11C1A9

Function 0061ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

Part of subcall function 005CFEC6: _wcscpy.LIBCMT ref: 005CFEE9

_wcstok.LIBCMT ref: 0061EEFF
_wcscpy.LIBCMT ref: 0061EF8E
_memset.LIBCMT ref: 0061EFC1

Strings

X, xrefs: 0061EFFE

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 7c4d87a8d61266d71e8bc33e22acc7eb52e4dc6da73067ba5a6294e923025ea0
Instruction ID: 948da1f711daa9c75d93d8f72f7c807b316df75524f10364fa1736d3a7500f34
Opcode Fuzzy Hash: 7c4d87a8d61266d71e8bc33e22acc7eb52e4dc6da73067ba5a6294e923025ea0
Instruction Fuzzy Hash: 04C14F715087429FC724EF24C885A9ABBE5FFC8310F04496DF999972A2DB30ED45CB92

Function 00626E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00626F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00626F35
WSAGetLastError.WSOCK32(00000000), ref: 00626F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00626FFE
inet_ntoa.WSOCK32(?), ref: 00626FBB

Part of subcall function 0060AE14: _strlen.LIBCMT ref: 0060AE1E
Part of subcall function 0060AE14: _memmove.LIBCMT ref: 0060AE40

_strlen.LIBCMT ref: 00627058
_memmove.LIBCMT ref: 006270C1

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 58b1d8cde7080e31ff1e63ae3a920116d5c348dd7b0f001d9f119df8778f75bf
Instruction ID: afdc893a77dee533b54fd0b31c65012af79c12659566d501fc428f06b3adb533
Opcode Fuzzy Hash: 58b1d8cde7080e31ff1e63ae3a920116d5c348dd7b0f001d9f119df8778f75bf
Instruction Fuzzy Hash: FF810E71508711ABC710EF24DC8AEABBBAABFC4714F10491CF5559B2A2DA70AD05CB92

Function 005B1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a6401355686ee007e8d25695007ff15061ac89fb332935e4ce64e369af20f5
Instruction ID: 04363ed299ad95479749375e2c64c13aa1cdf2f92ee4315f9379a8d9028bf2a4
Opcode Fuzzy Hash: 79a6401355686ee007e8d25695007ff15061ac89fb332935e4ce64e369af20f5
Instruction Fuzzy Hash: AC716830900909EFDF548F99CC99AEFBFB9FF85310F508159F915AA251C730AA51CBA8

Function 0063B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01175FB8), ref: 0063B6A5
IsWindowEnabled.USER32(01175FB8), ref: 0063B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0063B795
SendMessageW.USER32(01175FB8,000000B0,?,?), ref: 0063B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0063B809
GetWindowLongW.USER32(01175FB8,000000EC), ref: 0063B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0063B843

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: d0ca8eb5a9c6a61eb853331153badeb58c5d504cfcb477ee446503548075d702
Instruction ID: 096cd5a72f5d2c12501a1c0e434c0c04feaed83386f95a6b3057835f8337d306
Opcode Fuzzy Hash: d0ca8eb5a9c6a61eb853331153badeb58c5d504cfcb477ee446503548075d702
Instruction Fuzzy Hash: 7F716F34A00204AFDB249F64C896FFA7BBBEF4A340F146459FA5697362C771A941CB90

Function 0062F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0062F75C
_memset.LIBCMT ref: 0062F825
ShellExecuteExW.SHELL32(?), ref: 0062F86A

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

Part of subcall function 005CFEC6: _wcscpy.LIBCMT ref: 005CFEE9

GetProcessId.KERNEL32(00000000), ref: 0062F8E1
CloseHandle.KERNEL32(00000000), ref: 0062F910

Strings

@, xrefs: 0062F839

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: a277ced2b1464dc032a35cacb56e76f614401e8dc8c6a28f18afb57f455a45bc
Instruction ID: 99399a002865a0ad0629271e2fe2abb9c599b7a30b9b66f07db0c1cd3be93ec9
Opcode Fuzzy Hash: a277ced2b1464dc032a35cacb56e76f614401e8dc8c6a28f18afb57f455a45bc
Instruction Fuzzy Hash: 37617E75A0062ADFCB14EF54D5859AEFBF6FF88310B148469E856AB351CB30AD41CF90

Function 0061145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0061149C
GetKeyboardState.USER32(?), ref: 006114B1
SetKeyboardState.USER32(?), ref: 00611512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00611540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0061155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 006115A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006115C8

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ce86c76237ec0981275b9380ac3e5cccd7a7d1b8d0f19162c39e932bcc07e468
Instruction ID: bf02950e442a222f65d91078ea998978c796a7a95c521c68a108e980cd2f29fb
Opcode Fuzzy Hash: ce86c76237ec0981275b9380ac3e5cccd7a7d1b8d0f19162c39e932bcc07e468
Instruction Fuzzy Hash: 1951C1A0A047D53EFB3646748C45BFABEEB5B47304F0C4489E2D5499D2D2999CC4D790

Function 00611276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006112B5
GetKeyboardState.USER32(?), ref: 006112CA
SetKeyboardState.USER32(?), ref: 0061132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00611357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00611374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006113B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006113D9

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8d46ff90d88aa4865eb9549e604afd47882011de67df4cb49722f03fa36ea71c
Instruction ID: ee9a3fe7b59dc70dfe17da94d242680743d35980c785cfc4fa2370d5a00e9b8a
Opcode Fuzzy Hash: 8d46ff90d88aa4865eb9549e604afd47882011de67df4cb49722f03fa36ea71c
Instruction Fuzzy Hash: C751D1A09047D53DFB3287248C45BFABEAB5B07300F0C8589E2E58EEC2D295ACD4D755

Function 0061589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 006158AC
_wcsncpy.LIBCMT ref: 006158E1
_wcsncpy.LIBCMT ref: 00615913
_wcsncpy.LIBCMT ref: 00615946
_wcsncpy.LIBCMT ref: 00615988
_wcsncpy.LIBCMT ref: 006159C2
_wcsncpy.LIBCMT ref: 006159F1

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: fcbd626c7067f0e44fcd7ad28746b3604b43720fb42f1ac25cf69994b81b9e54
Instruction ID: 73dee4974f5a672203c9c118e15dadab3807806bc5e8584ea2e5b54c4e3d75b3
Opcode Fuzzy Hash: fcbd626c7067f0e44fcd7ad28746b3604b43720fb42f1ac25cf69994b81b9e54
Instruction Fuzzy Hash: FE41A7A9C20515B6CB20E7B8888A9CFB7BDEF44310F508563F915E3221E734D755C7A6

Function 0060DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0060DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0060DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0060DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0060DB8E

Strings

DllGetClassObject, xrefs: 0060DB01
,,d, xrefs: 0060DA69

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,d$DllGetClassObject
API String ID: 753597075-1978686297
Opcode ID: 39efde442433e36fa4a0acc05fdd94573e6cb697e1c3ea3993815588b56c2bea
Instruction ID: 2256b4632e8dcf15fdfcc76765106a32b24c59cbe00556b6a1c233cff4ef6e29
Opcode Fuzzy Hash: 39efde442433e36fa4a0acc05fdd94573e6cb697e1c3ea3993815588b56c2bea
Instruction Fuzzy Hash: 6A418FB1640209EFDB19CF94C884A9BBBBAEF44310F1582ADED059F285D7B1DD44DBA0

Function 006138AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006148AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006138D3,?), ref: 006148C7

Part of subcall function 006148AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006138D3,?), ref: 006148E0

lstrcmpiW.KERNEL32(?,?), ref: 006138F3
_wcscmp.LIBCMT ref: 0061390F
MoveFileW.KERNEL32(?,?), ref: 00613927
_wcscat.LIBCMT ref: 0061396F
SHFileOperationW.SHELL32(?), ref: 006139DB

Strings

\*.*, xrefs: 00613969

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 6972004c1175273996bb525933fff78a99806bb65822645692e1b1ff6c761dd9
Instruction ID: bd8e36e9ad597b8a1302565d6d2c3a7228e6a3ce1ad330139e3d3087afdb6829
Opcode Fuzzy Hash: 6972004c1175273996bb525933fff78a99806bb65822645692e1b1ff6c761dd9
Instruction Fuzzy Hash: C34162B15083859AC751EF64C4859EFB7EDEF88340F04092EB48AD3251EA74D688C796

Function 00637500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00637519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006375C0
IsMenu.USER32(?), ref: 006375D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00637620
DrawMenuBar.USER32 ref: 00637633

Strings

0, xrefs: 0063750D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: cea4b36562e764dd1a6c3f15e5951bb1d86adc555d0a4c923c8520b4bb7d0be9
Instruction ID: b8e6f9322ac1ec2ad0de9099e85dddd2d2dbc955f14ecd9ccfdaf1a74cb842c5
Opcode Fuzzy Hash: cea4b36562e764dd1a6c3f15e5951bb1d86adc555d0a4c923c8520b4bb7d0be9
Instruction Fuzzy Hash: 1F4116B5A04609EFDB20DF54D895EDABBBAFB05320F048129F915A7361D730AD50CFA0

Function 0063122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0063125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00631286
FreeLibrary.KERNEL32(00000000), ref: 0063133D

Part of subcall function 0063122D: RegCloseKey.ADVAPI32(?), ref: 006312A3
Part of subcall function 0063122D: FreeLibrary.KERNEL32(?), ref: 006312F5
Part of subcall function 0063122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00631318

RegDeleteKeyW.ADVAPI32(?,?), ref: 006312E0

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: fba16fc11921d4bb664a8098953aa422bce4dec91fe49ebf7e7497540a114172
Instruction ID: 9dd7d785ad8b57965e8efd3e7d38eb0e2c0cd1624dbc7a2835efa9ee5948bfa6
Opcode Fuzzy Hash: fba16fc11921d4bb664a8098953aa422bce4dec91fe49ebf7e7497540a114172
Instruction Fuzzy Hash: 31312BB1D01119BFEB149B94DC89AFFB7BDEF09300F00016AE511E6251EB749F859AE0

Function 0063653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0063655B
GetWindowLongW.USER32(01175FB8,000000F0), ref: 0063658E
GetWindowLongW.USER32(01175FB8,000000F0), ref: 006365C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006365F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0063661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00636630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0063664A

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 51be134056797a8cee61aa1196c856461a20f79c746d9735397429b81499a71a
Instruction ID: b3a2bbbacbb172dca7c64366b12c05634ecacffa83abf52f51d86505e53b1f60
Opcode Fuzzy Hash: 51be134056797a8cee61aa1196c856461a20f79c746d9735397429b81499a71a
Instruction Fuzzy Hash: 6A310631604150AFDB21CF18DC85F953BE2FB4A760F195178F5158B2B6CB71AC84DBA2

Function 00626486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006280A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006280CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006264D9
WSAGetLastError.WSOCK32(00000000), ref: 006264E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00626521
connect.WSOCK32(00000000,?,00000010), ref: 0062652A
WSAGetLastError.WSOCK32 ref: 00626534
closesocket.WSOCK32(00000000), ref: 0062655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00626576

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: f29fb1d2e3030175d84c679214309f4886f30646bdb739c7ec44e8b8b6820a8a
Instruction ID: 0607b4095430f04c88c46946bcb3df14f3c9d5971122003e6c10d06d51077db0
Opcode Fuzzy Hash: f29fb1d2e3030175d84c679214309f4886f30646bdb739c7ec44e8b8b6820a8a
Instruction Fuzzy Hash: 6B31B331600529AFDB10AF24EC89FBE7BBAEB44714F008029FD45A7291CB74AD44CFA1

Function 0060E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0060E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0060E120
SysAllocString.OLEAUT32(00000000), ref: 0060E123
SysAllocString.OLEAUT32 ref: 0060E144
SysFreeString.OLEAUT32 ref: 0060E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0060E167
SysAllocString.OLEAUT32(?), ref: 0060E175

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: afb0198774b0872c32149194ab66364d30e19e3011d6d7dfb4357b771550f7d2
Instruction ID: ac6ae05525fa6057537c5eae36ac1229b707cba154004cb823ef13d2fdf2b979
Opcode Fuzzy Hash: afb0198774b0872c32149194ab66364d30e19e3011d6d7dfb4357b771550f7d2
Instruction Fuzzy Hash: 4621D335604118AFDB14AFA8DC88CAB77EEEF09760B008175F955CB2A1DA71DC418BA0

Function 0060FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0060FB81
__wcsnicmp.LIBCMT ref: 0060FBA2
__wcsnicmp.LIBCMT ref: 0060FBBC

Strings

#notrayicon, xrefs: 0060FB79
#OnAutoItStartRegister, xrefs: 0060FBB6
#requireadmin, xrefs: 0060FB9C

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: a27ea4b17ad3080b0980a08d5219eeeeead7f135f9cadebdba8a8e9e05805c3b
Instruction ID: 1394a10365af5c7ab4cd4958c1c5ea8834646f44cfce5d7ceed96d0c1dae9c27
Opcode Fuzzy Hash: a27ea4b17ad3080b0980a08d5219eeeeead7f135f9cadebdba8a8e9e05805c3b
Instruction Fuzzy Hash: D3214532284116A6E338B728DC16EE7779AFFA5300F104037F885866C1EB91A982D2A5

Function 0063783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005B1D73
Part of subcall function 005B1D35: GetStockObject.GDI32(00000011), ref: 005B1D87
Part of subcall function 005B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005B1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006378A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006378AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006378B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006378C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006378D4

Strings

Msctls_Progress32, xrefs: 00637872

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 95bc1d9a167e5186cef032e606a3f00a71a696ddba706b91768f05e2a0425f20
Instruction ID: 658816f45f128e358550ed1212bcf08a616358f6d1d6d3ecb7a23af94b4f45ee
Opcode Fuzzy Hash: 95bc1d9a167e5186cef032e606a3f00a71a696ddba706b91768f05e2a0425f20
Instruction Fuzzy Hash: 381190B2510219BFEF159F60CC85EE77F6EEF08798F015124FA08A2090C772AC21DBA4

Function 005D41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,005D4292,?), ref: 005D41E3
GetProcAddress.KERNEL32(00000000), ref: 005D41EA
EncodePointer.KERNEL32(00000000), ref: 005D41F6
DecodePointer.KERNEL32(00000001,005D4292,?), ref: 005D4213

Strings

RoInitialize, xrefs: 005D41D2
combase.dll, xrefs: 005D41DE

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 335a017c4560677636c343c1ef2cf3491f19a788b07586ce3b655af7d9e90fee
Instruction ID: 6046ae51850374d3bdf81802288f167ceb4d649d83dbc709f292ca88bcb40e59
Opcode Fuzzy Hash: 335a017c4560677636c343c1ef2cf3491f19a788b07586ce3b655af7d9e90fee
Instruction Fuzzy Hash: F5E01AB4A90301AFEB206BB4EC4DB243AA7BB20702FA06425F415D51A0DBB540D5CF80

Function 005D429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,005D41B8), ref: 005D42B8
GetProcAddress.KERNEL32(00000000), ref: 005D42BF
EncodePointer.KERNEL32(00000000), ref: 005D42CA
DecodePointer.KERNEL32(005D41B8), ref: 005D42E5

Strings

RoUninitialize, xrefs: 005D42A7
combase.dll, xrefs: 005D42B3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 5520b5b8d6e90064b0a6c059e23609e47817d77d7f981fe70dfc691f31963725
Instruction ID: ddc71245d437dafc90aa519dbc42f55f16a7e6a787233e3b10fb49050857aa69
Opcode Fuzzy Hash: 5520b5b8d6e90064b0a6c059e23609e47817d77d7f981fe70dfc691f31963725
Instruction Fuzzy Hash: 9AE0B67CA81311EBEB14AB74EC8DB153BA7BB24743FA16036F005E19A0CFB44584CA94

Function 0061675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006168AD
_memmove.LIBCMT ref: 006167E8

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

_memmove.LIBCMT ref: 0061685B
_memmove.LIBCMT ref: 00616942
_memmove.LIBCMT ref: 0061695B
_memmove.LIBCMT ref: 00616977

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 443bcbea03257af6778d6f137f86389caba87f09aab181fa486d5aa69778a124
Instruction ID: c58319a667238c57df6eca62fa512796a8122ca050d23f2114dc376adf0f52da
Opcode Fuzzy Hash: 443bcbea03257af6778d6f137f86389caba87f09aab181fa486d5aa69778a124
Instruction Fuzzy Hash: DA61CE3450065BABCF11FF64CC89EFE7BA5BF84308F08455AF95A5B292DB30A881CB51

Function 0063046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

Part of subcall function 006310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00630038,?,?), ref: 006310BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00630548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00630588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006305AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006305D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00630617
RegCloseKey.ADVAPI32(00000000), ref: 00630624

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 7789183ded0f6e9bbf995b2f58d2eefdf617674e6c9c808236bf7ef5126fa0e5
Instruction ID: 640fc76e734f15baf0b81c09a98436395c31abc4e46608b38df9c82b8f11bf41
Opcode Fuzzy Hash: 7789183ded0f6e9bbf995b2f58d2eefdf617674e6c9c808236bf7ef5126fa0e5
Instruction Fuzzy Hash: 60515D31508201AFDB14EF64C899EAFBBEAFF89314F04491DF545972A1DB31E909CB92

Function 00635A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00635A82
GetMenuItemCount.USER32(00000000), ref: 00635AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00635AE1
GetMenuItemID.USER32(?,?), ref: 00635B50
GetSubMenu.USER32(?,?), ref: 00635B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00635BAF

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: e3aa6bdc9bb40da5fb78f11d4a8dab399687a462dd6bfe74eb6af36ee0af76b6
Instruction ID: df973a5d4c534326d229da96df56873ad80386a7f46d2ce1a33a09ac12c6adec
Opcode Fuzzy Hash: e3aa6bdc9bb40da5fb78f11d4a8dab399687a462dd6bfe74eb6af36ee0af76b6
Instruction Fuzzy Hash: 21516E31E00616AFCB11EF64C855AEEBBB6FF48310F10446AE902B7351CB70AE418BD0

Function 0060F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0060F3F7
VariantClear.OLEAUT32(00000013), ref: 0060F469
VariantClear.OLEAUT32(00000000), ref: 0060F4C4
_memmove.LIBCMT ref: 0060F4EE
VariantClear.OLEAUT32(?), ref: 0060F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0060F569

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 9f26771c5833f2d5f0112d967f3cbc384f7cc7e92ca1e8198ff58dbc6fd1e3a2
Instruction ID: f508373058386acab9b7258756f76c00f287a7d8d747a370cb3e1df339412323
Opcode Fuzzy Hash: 9f26771c5833f2d5f0112d967f3cbc384f7cc7e92ca1e8198ff58dbc6fd1e3a2
Instruction Fuzzy Hash: 36515AB5A00209AFCB24CF58D884AAAB7F9FF4C314B158569ED59DB341D730E912CBA0

Function 006126F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00612747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00612792
IsMenu.USER32(00000000), ref: 006127B2
CreatePopupMenu.USER32 ref: 006127E6
GetMenuItemCount.USER32(000000FF), ref: 00612844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00612875

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 328ed41166450b144938b3ccb1515b5cb26ebfb7881efaab399c9dd9265268be
Instruction ID: 8a338f1fe73a5e8b83e1aae43168a38eac620d6d8fb226f7dc5e4fbb330f1de9
Opcode Fuzzy Hash: 328ed41166450b144938b3ccb1515b5cb26ebfb7881efaab399c9dd9265268be
Instruction Fuzzy Hash: 1351C070A00247DFDF64CF68D898BEEBBF6AF44314F184169E4119B290D77089A9CB51

Function 005B1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 005B2612: GetWindowLongW.USER32(?,000000EB), ref: 005B2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 005B179A
GetWindowRect.USER32(?,?), ref: 005B17FE
ScreenToClient.USER32(?,?), ref: 005B181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005B182C
EndPaint.USER32(?,?), ref: 005B1876

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: cb972497d5093ae424dc538ff116e25d6b8b462a6b67662e19fc6c38b0a4dff6
Instruction ID: 6b165b19d6d3320530d4ab01a68516479ccffa6896f5ca21d77b8c436247d528
Opcode Fuzzy Hash: cb972497d5093ae424dc538ff116e25d6b8b462a6b67662e19fc6c38b0a4dff6
Instruction Fuzzy Hash: B341AE70500B01AFDB10DF25CC98FBA7FE9FB4A724F140669F9A8871A1D731A845DB62

Function 0063B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006767B0,00000000,01175FB8,?,?,006767B0,?,0063B862,?,?), ref: 0063B9CC
EnableWindow.USER32(00000000,00000000), ref: 0063B9F0
ShowWindow.USER32(006767B0,00000000,01175FB8,?,?,006767B0,?,0063B862,?,?), ref: 0063BA50
ShowWindow.USER32(00000000,00000004,?,0063B862,?,?), ref: 0063BA62
EnableWindow.USER32(00000000,00000001), ref: 0063BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0063BAA9

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 39c36d9a166401332a6d1b3bec39e90293addccedf90cb9cef191522fda9ac33
Instruction ID: 44a4acb939a939165ee3dbbbb0fcdf7bdff8f752c96302f6f4d0731b59d27db1
Opcode Fuzzy Hash: 39c36d9a166401332a6d1b3bec39e90293addccedf90cb9cef191522fda9ac33
Instruction Fuzzy Hash: 19413C34600641AFDB26CF28D499BD57BE2FB06315F1852B9FB488F6A2C731A845CB91

Function 006273B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00625134,?,?,00000000,00000001), ref: 006273BF

Part of subcall function 00623C94: GetWindowRect.USER32(?,?), ref: 00623CA7

GetDesktopWindow.USER32 ref: 006273E9
GetWindowRect.USER32(00000000), ref: 006273F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00627422

Part of subcall function 006154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0061555E

GetCursorPos.USER32(?), ref: 0062744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006274AC

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 4aaaa6f0af2f91e6908480e830f377028533ddfc4e5c83c99e88826a0ce1ee40
Instruction ID: f10db4b5fae5478aa30ff273ec7711078d893e46c2481a0117c445f686f07a21
Opcode Fuzzy Hash: 4aaaa6f0af2f91e6908480e830f377028533ddfc4e5c83c99e88826a0ce1ee40
Instruction Fuzzy Hash: 4731C472508315ABD720EF54D849F9BBBEAFF88314F000919F58997191DB30E949CBD2

Function 00608D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006085F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00608608
Part of subcall function 006085F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00608612
Part of subcall function 006085F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00608621
Part of subcall function 006085F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00608628
Part of subcall function 006085F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0060863E

GetLengthSid.ADVAPI32(?,00000000,00608977), ref: 00608DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00608DB8
HeapAlloc.KERNEL32(00000000), ref: 00608DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00608DD8
GetProcessHeap.KERNEL32(00000000,00000000,00608977), ref: 00608DEC
HeapFree.KERNEL32(00000000), ref: 00608DF3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 0f6e81b3d9ef3eff5428cb82c9b93945f301bd8725df1ab4fc61f5b8e68f1cd6
Instruction ID: 11c2494f5fdee26a4d18f5d8b73bb576b815748b41d57ff06c699fbf224eb21d
Opcode Fuzzy Hash: 0f6e81b3d9ef3eff5428cb82c9b93945f301bd8725df1ab4fc61f5b8e68f1cd6
Instruction Fuzzy Hash: CB11AC31980605FFDB18DFA4DC19BEFBBAAEF55315F104229E885972D0DB329904DBA0

Function 00608AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00608B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00608B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00608B40
CloseHandle.KERNEL32(00000004), ref: 00608B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00608B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00608B8E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6a67be2754bcfc52b1c7b13b35be4607e947ad6f3dd9bf7d2595e748a49e51a0
Instruction ID: eb84cf484c704de5de37c48deeb6fb7c0f227ea1cb43136a1c33ab3ad9f6cb5c
Opcode Fuzzy Hash: 6a67be2754bcfc52b1c7b13b35be4607e947ad6f3dd9bf7d2595e748a49e51a0
Instruction Fuzzy Hash: 02111AB2541209EFDF11CFA8ED49FDA7BAAEB08304F045065FA44A21A0C7759D659BA0

Function 0063C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 005B12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005B134D
Part of subcall function 005B12F3: SelectObject.GDI32(?,00000000), ref: 005B135C
Part of subcall function 005B12F3: BeginPath.GDI32(?), ref: 005B1373
Part of subcall function 005B12F3: SelectObject.GDI32(?,00000000), ref: 005B139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0063C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0063C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0063C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0063C1F6
EndPath.GDI32(00000000), ref: 0063C206
StrokePath.GDI32(00000000), ref: 0063C216

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2f186e48e98cadb26df19f9afab21793d095c1057ba3ddc37869364a58fb4225
Instruction ID: adeb8710673c6c0770ffc3a1f57d08c79cb8c970e540456443a9ced56eeda962
Opcode Fuzzy Hash: 2f186e48e98cadb26df19f9afab21793d095c1057ba3ddc37869364a58fb4225
Instruction Fuzzy Hash: F911097640010DBFDB119F94DC88EEA7FAEEB08364F048021BA185A161D7729E95DBA0

Function 005D03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 005D03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 005D03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 005D03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 005D03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 005D03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 005D0401

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1f12752255ac83cc6fe90135f346dcc56fa55739582579ae585f31492509dcbe
Instruction ID: 97b96d0d9328455108a4724225437f8ce059892f2e5377f2f3224ac66e4ce836
Opcode Fuzzy Hash: 1f12752255ac83cc6fe90135f346dcc56fa55739582579ae585f31492509dcbe
Instruction Fuzzy Hash: 210148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7B5A864CBE5

Function 0061568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0061569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006156B1
GetWindowThreadProcessId.USER32(?,?), ref: 006156C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006156CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006156D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006156E0

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c10a4a919f2202262b79f9f74c814eb114a9bbb3915746922482429b86120f8f
Instruction ID: f0cd1f1a2bd2865a2cdc0da4a94ef13bfa9c5eec73c6ec4ec40c199f4da37a84
Opcode Fuzzy Hash: c10a4a919f2202262b79f9f74c814eb114a9bbb3915746922482429b86120f8f
Instruction Fuzzy Hash: F3F03032A41558BBE7215BA2EC0EEEF7B7DEFC7B11F001169FA05D1060DBA11A0186F5

Function 006174D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 006174E5
EnterCriticalSection.KERNEL32(?,?,005C1044,?,?), ref: 006174F6
TerminateThread.KERNEL32(00000000,000001F6,?,005C1044,?,?), ref: 00617503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,005C1044,?,?), ref: 00617510

Part of subcall function 00616ED7: CloseHandle.KERNEL32(00000000,?,0061751D,?,005C1044,?,?), ref: 00616EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00617523
LeaveCriticalSection.KERNEL32(?,?,005C1044,?,?), ref: 0061752A

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 1dff944a57fb63bb2aaf23cb9c5361c38b4865b2bd0fffc940f54c287328bba0
Instruction ID: 02d0e6f419edefcfe47e2dd56e0ebf91126691beb2e7f78edd167a7f162e6bcf
Opcode Fuzzy Hash: 1dff944a57fb63bb2aaf23cb9c5361c38b4865b2bd0fffc940f54c287328bba0
Instruction Fuzzy Hash: CFF05E3A944612EBDB111BA4FD8CDEB773BEF45302F041531F602910B1CBB55A45CB90

Function 00608E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00608E7F
UnloadUserProfile.USERENV(?,?), ref: 00608E8B
CloseHandle.KERNEL32(?), ref: 00608E94
CloseHandle.KERNEL32(?), ref: 00608E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00608EA5
HeapFree.KERNEL32(00000000), ref: 00608EAC

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f98abe645a4b62e0680782c1e00663d21b59adcfa5217c0b03810641f0149fec
Instruction ID: a0db95e114e70d0995ccb42ed104183bdb57778305c382c8afcb20755f955963
Opcode Fuzzy Hash: f98abe645a4b62e0680782c1e00663d21b59adcfa5217c0b03810641f0149fec
Instruction Fuzzy Hash: ECE0C236404001FBDB011FE2EC0CD0ABB7AFB89322B109230F21981070CB329424DBD0

Function 00607A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00642C7C,?), ref: 00607C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00642C7C,?), ref: 00607C4A
CLSIDFromProgID.OLE32(?,?,00000000,0063FB80,000000FF,?,00000000,00000800,00000000,?,00642C7C,?), ref: 00607C6F
_memcmp.LIBCMT ref: 00607C90

Strings

,,d, xrefs: 00607A85

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,d
API String ID: 314563124-3187189881
Opcode ID: 54ef22a3f485a500cfe12c23b02c9efada31249536a1d58dc69083612c527752
Instruction ID: 7e67a65eb2853f115236db7f65996ff4e9c419cb3fb5f3153a10dc074544474a
Opcode Fuzzy Hash: 54ef22a3f485a500cfe12c23b02c9efada31249536a1d58dc69083612c527752
Instruction Fuzzy Hash: 3581FC75E00109EFCB04DF94C984DEEB7BAFF89315F204599E516AB250DB71AE05CB60

Function 00628902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00628928
CharUpperBuffW.USER32(?,?), ref: 00628A37
VariantClear.OLEAUT32(?), ref: 00628BAF

Part of subcall function 00617804: VariantInit.OLEAUT32(00000000), ref: 00617844
Part of subcall function 00617804: VariantCopy.OLEAUT32(00000000,?), ref: 0061784D
Part of subcall function 00617804: VariantClear.OLEAUT32(00000000), ref: 00617859

Strings

Incorrect Parameter format, xrefs: 00628960, 00628B22
AUTOIT.ERROR, xrefs: 00628A3D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 24053d3f8b80334bdb2681617712e445eeea9476ec98ad5a611463c7ada07d80
Instruction ID: aeca77a27f1515c93df85b813f9648b4a807c3106da2d9b01ea57150bd281da7
Opcode Fuzzy Hash: 24053d3f8b80334bdb2681617712e445eeea9476ec98ad5a611463c7ada07d80
Instruction Fuzzy Hash: 9E917C716087029FC714DF28D88499ABBE5BFC9314F14896EF89A8B361DB30E945CF52

Function 00612F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005CFEC6: _wcscpy.LIBCMT ref: 005CFEE9

_memset.LIBCMT ref: 00613077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006130A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00613159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00613187

Strings

0, xrefs: 00613063

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: b80af6e9f4676c892b71c2180d3e088298cf709f5967380016787e4882d4f5dd
Instruction ID: 0d4ae754e1018eb3b2ac3cdeff5985a93650e3b2f3aeea11f7c386f7befdb485
Opcode Fuzzy Hash: b80af6e9f4676c892b71c2180d3e088298cf709f5967380016787e4882d4f5dd
Instruction Fuzzy Hash: 8251C531508311ABD7259F28D84A6EB7BE6EF95320F08492EF896D7390DB70CA84C752

Function 00612C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00612CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00612CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00612D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00676890,00000000), ref: 00612D5A

Strings

0, xrefs: 00612CA4

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 8f954d542ac0362b4b3a6f48a8d178753ed27018eca4d2b6644760afb36bd1c3
Instruction ID: 782fd7866031c843fb974d431f85adda33cf82803be8d686a3da91f81b61250e
Opcode Fuzzy Hash: 8f954d542ac0362b4b3a6f48a8d178753ed27018eca4d2b6644760afb36bd1c3
Instruction Fuzzy Hash: 7141CC30A043029FD720DF24D854B9ABBEAFF85320F08462EF961972E1D770E955CB92

Function 0062DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0062DAD9

Part of subcall function 005B79AB: _memmove.LIBCMT ref: 005B79F9

Strings

none, xrefs: 0062DBB4
winapi, xrefs: 0062DB4A
cdecl, xrefs: 0062DB30
stdcall, xrefs: 0062DB5B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 02266543a8b4c6a79be72e5c056d5c9a97913306e235fc0389864e20d14eb411
Instruction ID: 132d2b82bc2e0057f9f3c8834a887cf11213cfc51f78cb357f3af24d71ca4a6d
Opcode Fuzzy Hash: 02266543a8b4c6a79be72e5c056d5c9a97913306e235fc0389864e20d14eb411
Instruction Fuzzy Hash: B131927150461AEFCF10EF64CC919EEBBB6FF45310B10862AE865A77D1DB71A905CB80

Function 00609372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

Part of subcall function 0060B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0060B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006093F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00609409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00609439

Part of subcall function 005B7D2C: _memmove.LIBCMT ref: 005B7D66

Strings

ListBox, xrefs: 006093B5
ComboBox, xrefs: 00609380

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 421c27cba93c59c8b07d9add50cddd2ecc858bc7f36df587091dbd3a6e9462ec
Instruction ID: 0a172c42e11cc3511f585a86aa7fd6fd302365dbf16cb97dc06732c206db37e8
Opcode Fuzzy Hash: 421c27cba93c59c8b07d9add50cddd2ecc858bc7f36df587091dbd3a6e9462ec
Instruction Fuzzy Hash: CA210471940108BFDB18AB74CC8A9FFBBBEEF85350F114119F822972E2DB34190A8620

Function 00621B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00621B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00621B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00621B96
InternetCloseHandle.WININET(00000000), ref: 00621BDD

Part of subcall function 00622777: GetLastError.KERNEL32(?,?,00621B0B,00000000,00000000,00000001), ref: 0062278C
Part of subcall function 00622777: SetEvent.KERNEL32(?,?,00621B0B,00000000,00000000,00000001), ref: 006227A1

Strings

, xrefs: 00621B87

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d6e54078d15effe7e2dd1b5115a3de765c7615cced4bd6af31e307e5c732293f
Instruction ID: 6c7bd6f2ab429fc48fde0d81f515392c3565e30f95c5cf07285277399ec9a1e4
Opcode Fuzzy Hash: d6e54078d15effe7e2dd1b5115a3de765c7615cced4bd6af31e307e5c732293f
Instruction Fuzzy Hash: D421C2B1508618BFEB119F20EC85EBF76FEEB5A745F10412AF405AA240EA309D055BA1

Function 00636656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005B1D73
Part of subcall function 005B1D35: GetStockObject.GDI32(00000011), ref: 005B1D87
Part of subcall function 005B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005B1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006366D0
LoadLibraryW.KERNEL32(?), ref: 006366D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006366EC
DestroyWindow.USER32(?), ref: 006366F4

Strings

SysAnimate32, xrefs: 006366AB

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 967eeea6b3db98b2e1df5e88c5f6d8eb91fd64b57b96588ee7b96eafbc6f3930
Instruction ID: f8d385889f89f548a54821771131b69c7ec958c3a6318fefe2874ccf25841f9d
Opcode Fuzzy Hash: 967eeea6b3db98b2e1df5e88c5f6d8eb91fd64b57b96588ee7b96eafbc6f3930
Instruction Fuzzy Hash: FE218071100205BBEF104F64DC82EAB37AEFB5A7A8F509629F91096290D7719C5197A1

Function 0061703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0061705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00617091
GetStdHandle.KERNEL32(0000000C), ref: 006170A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006170DD

Strings

nul, xrefs: 006170D8

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d27b405c693a99cee68ecbca8d9bd52b0ccae98ae313d657aae0cf3ebae3dd03
Instruction ID: 0cd60c7b3dcd291ba7c99d483c9c849637646807702749b580b1f0e8caa25dc6
Opcode Fuzzy Hash: d27b405c693a99cee68ecbca8d9bd52b0ccae98ae313d657aae0cf3ebae3dd03
Instruction Fuzzy Hash: 66218EB4504309ABDB209F68DC05ADA77BAAF48721F284A19FCA0D72D0E7709D818B60

Function 0061710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0061712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0061715D
GetStdHandle.KERNEL32(000000F6), ref: 0061716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006171A8

Strings

nul, xrefs: 006171A3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 784b85d3fae90a09ad4f907e076a3a2b787dd413a4e03550550edb26112032a0
Instruction ID: 53dc40fd91c44fa08b2e92cbd13be077800884bdbc81a9dcce8d66b26617f942
Opcode Fuzzy Hash: 784b85d3fae90a09ad4f907e076a3a2b787dd413a4e03550550edb26112032a0
Instruction Fuzzy Hash: A621B375908205ABDB209F68DC05AEAB7FAAF55730F280619FCA1D33D0D770A981CB90

Function 0061AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0061AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0061AF13
__swprintf.LIBCMT ref: 0061AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0063F910), ref: 0061AF6A

Strings

%lu, xrefs: 0061AF26

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: d1f03fccd78f1816d6328ea3d88cf8af6bbb73afee419fd0e23f69d925d3cc28
Instruction ID: a93024d1bb14a9425f5f126a1851a8c03146703fb8e55ff69f13dce0d5f03551
Opcode Fuzzy Hash: d1f03fccd78f1816d6328ea3d88cf8af6bbb73afee419fd0e23f69d925d3cc28
Instruction Fuzzy Hash: 76217430A00109AFCB10EF65D989EEE7BB9FF89704B044069F909EB351DB31EA45DB61

Function 00612017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00612048

Strings

KEYS, xrefs: 0061205F
APPEND, xrefs: 00612081
REMOVE, xrefs: 0061204E
EXISTS, xrefs: 00612070

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: b442a728bad6ad5f9d3aade044576c935935ce2ab95db6a88cdad0f9a1d3e41e
Instruction ID: 86a864ef41fe6d198b74387a671fc6bb671a864b5e7abf1adfc2d5d8f0991214
Opcode Fuzzy Hash: b442a728bad6ad5f9d3aade044576c935935ce2ab95db6a88cdad0f9a1d3e41e
Instruction Fuzzy Hash: DA115E3090010ACFCF10EFA4D9515EEBBB6FF5A304F14856AD85567391EB32691ACB50

Function 0062EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0062EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0062EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0062F07E
CloseHandle.KERNEL32(?), ref: 0062F0FF

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: e647b0dc8e9208662a1ed1636edf6468a3264500511b66aaca8b06b8bbe7f94c
Instruction ID: a82c2911f1f325e3e1e4ee79572cf650cd4b84e9d5129cd578b7810d9275866e
Opcode Fuzzy Hash: e647b0dc8e9208662a1ed1636edf6468a3264500511b66aaca8b06b8bbe7f94c
Instruction Fuzzy Hash: 668160716007119FD720DF24D84AF6ABBE6BF88710F04882DF995DB392DB71AC408B91

Function 006302C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

Part of subcall function 006310A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00630038,?,?), ref: 006310BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00630388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006303C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0063040E
RegCloseKey.ADVAPI32(?,?), ref: 0063043A
RegCloseKey.ADVAPI32(00000000), ref: 00630447

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 7c60bd123e4b5804926d9e1cd5bc4481025eacf97ad2df0c6b3050d21e9d149a
Instruction ID: 8c127fee03d33200e45cd872c528e30be47dc79c060b8d6ff54bda19f8758b9c
Opcode Fuzzy Hash: 7c60bd123e4b5804926d9e1cd5bc4481025eacf97ad2df0c6b3050d21e9d149a
Instruction Fuzzy Hash: 33513E31208205AFD704EF64C895FAEB7E9FF88704F44852DB59597292DB31E909CB92

Function 0062DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0062DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0062DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0062DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0062DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0062DD35

Part of subcall function 005B5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00617B20,?,?,00000000), ref: 005B5B8C
Part of subcall function 005B5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00617B20,?,?,00000000,?,?), ref: 005B5BB0

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: b9a4a6658c712f286423b310ad58b2950b52f3dca9c654edbc00fc7d701c4f37
Instruction ID: 3aa993791086e853e5516b48296ea13a6dbd7dd0b6f83e97009d783c900b1a5c
Opcode Fuzzy Hash: b9a4a6658c712f286423b310ad58b2950b52f3dca9c654edbc00fc7d701c4f37
Instruction Fuzzy Hash: 76512735A00A16DFCB05EF68D4889EDBBF9FF48310B148469E915AB362DB30AD45CF90

Function 0061E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0061E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0061E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0061E8F2

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0061E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0061E91F

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 0a23c625c88ce575aa833016ac1d863a6545e5fca9154581a8fe0961616b9c74
Instruction ID: 53964a3ec190129cae9799fb0f71c4bbd7bd2b3d2486fe08420ae944f13acfd5
Opcode Fuzzy Hash: 0a23c625c88ce575aa833016ac1d863a6545e5fca9154581a8fe0961616b9c74
Instruction Fuzzy Hash: 05514D35A00206EFCF11EF64C985AAEBBF5FF48310B148099E909AB362CB31ED51CB50

Function 0063A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb68270e3e09e0c41dc19c920c1d3bd89b15244259f89b4e7aa04b02b715bb1
Instruction ID: a0cf935d9be7e6fb32f26cd9cb2302a671e8af080033b4ae114893008d3e797e
Opcode Fuzzy Hash: 6fb68270e3e09e0c41dc19c920c1d3bd89b15244259f89b4e7aa04b02b715bb1
Instruction Fuzzy Hash: 6241B235D00214AFE714DFA8CC48FE9BBA6EB0A310F144165F995E72E1D770AD41EAD2

Function 005B2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005B2357
ScreenToClient.USER32(006767B0,?), ref: 005B2374
GetAsyncKeyState.USER32(00000001), ref: 005B2399
GetAsyncKeyState.USER32(00000002), ref: 005B23A7

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 74289d18f8126458b6a0f3f6f5160eea95401e01a230ec74ee6831f4637dda3c
Instruction ID: 370c166b636a1cbb8dc74a64e969a9fa326b9fdfd88304655bff20cb4edee5f8
Opcode Fuzzy Hash: 74289d18f8126458b6a0f3f6f5160eea95401e01a230ec74ee6831f4637dda3c
Instruction Fuzzy Hash: 8741C235904159FBDF199F69C848AEDBFB5FF05320F20471AF869922A0C734AD90DBA1

Function 00606920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0060695D
TranslateAcceleratorW.USER32(?,?,?), ref: 006069A9
TranslateMessage.USER32(?), ref: 006069D2
DispatchMessageW.USER32(?), ref: 006069DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006069EB

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 918692fd64f9123b8010e4cab24b7b33589512caace60c6305865d30a6136210
Instruction ID: 274c6a1631e3590915a223f0da4750d45d2c99e7c9cec34791914d1be7dd51d0
Opcode Fuzzy Hash: 918692fd64f9123b8010e4cab24b7b33589512caace60c6305865d30a6136210
Instruction Fuzzy Hash: FD31E031A80647AADB6CDF74CC44FF77BAEAB02300F105169F425D26E1E77099A6D7A0

Function 00608F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00608F12
PostMessageW.USER32(?,00000201,00000001), ref: 00608FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00608FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00608FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00608FDA

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 32f5ef0672dacee422e2f115f86a05542b6e128d01e139bb9f84181ff5e459cb
Instruction ID: dada10858f3b426bf833efe759d4da21cbb357db0736a04efa9031802f4515a4
Opcode Fuzzy Hash: 32f5ef0672dacee422e2f115f86a05542b6e128d01e139bb9f84181ff5e459cb
Instruction Fuzzy Hash: 8031CB7190021AEFDB08CF78D949ADF7BB6EB45325F104229F964EB2D0CBB09914CB90

Function 0060B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0060B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0060B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0060B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0060B742
_wcsstr.LIBCMT ref: 0060B74C

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 57080002e16c2cfe8d0f1c609bf532952dca08ddc251531b26e2caf2eddfc47b
Instruction ID: 1241e14b3783efb1ad1397874d84e0858948e2dce96898651d297618a1bb19c3
Opcode Fuzzy Hash: 57080002e16c2cfe8d0f1c609bf532952dca08ddc251531b26e2caf2eddfc47b
Instruction Fuzzy Hash: B121D731644245BBEB295B399C49E7B7F9AEF86710F10902AF805CA2E1EB61DC4197A0

Function 0063B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 005B2612: GetWindowLongW.USER32(?,000000EB), ref: 005B2623

GetWindowLongW.USER32(?,000000F0), ref: 0063B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0063B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0063B489
GetSystemMetrics.USER32(00000004), ref: 0063B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00621184,00000000), ref: 0063B4D0

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 9cbc365b1a36f1878692114cb69ff7a5ca049f40dbc11896dc888a5dcd650385
Instruction ID: 660368eb1b8e9fc24f7a595f2dc0ac72d89ad6635e5709e25b7e90e0385cc05b
Opcode Fuzzy Hash: 9cbc365b1a36f1878692114cb69ff7a5ca049f40dbc11896dc888a5dcd650385
Instruction Fuzzy Hash: 24219131910615AFCB149F38DC04AAA3BE6FB05721F106738FA26C62E7E7309851DBD4

Function 006097E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00609802

Part of subcall function 005B7D2C: _memmove.LIBCMT ref: 005B7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00609834
__itow.LIBCMT ref: 0060984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00609874
__itow.LIBCMT ref: 00609885

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 51b7fb2b04ab3c40410622463fc7263ce6ba4752be949345c6fa86fdfdd6ba82
Instruction ID: 8a0437b7d6556637d0371d418289e48c521b954919eafa02ec52d85b7d88e10c
Opcode Fuzzy Hash: 51b7fb2b04ab3c40410622463fc7263ce6ba4752be949345c6fa86fdfdd6ba82
Instruction Fuzzy Hash: BF218631A40208ABDB149B658C8AEEF7FBFEF8A710F045029F9059B3D2D6709D4597E1

Function 005B12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005B134D
SelectObject.GDI32(?,00000000), ref: 005B135C
BeginPath.GDI32(?), ref: 005B1373
SelectObject.GDI32(?,00000000), ref: 005B139C

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9478c9f8b7b0d540f9947e33270e1f5a5ba96e15baf5565e87e850bb96086d27
Instruction ID: 2e30113905d473a4b7c460219810f92db267307106e7e29feab5fc4012046a7b
Opcode Fuzzy Hash: 9478c9f8b7b0d540f9947e33270e1f5a5ba96e15baf5565e87e850bb96086d27
Instruction Fuzzy Hash: 1421F130C00A08EFDB048F29DC047A93FFAFB00321F545626F818921A0E371A8D1CFA5

Function 0060C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0060C176
_memcmp.LIBCMT ref: 0060C194
_memcmp.LIBCMT ref: 0060C1A7
_memcmp.LIBCMT ref: 0060C1BF
_memcmp.LIBCMT ref: 0060C1D7

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e3b51ca9be4f270ef5561ba89c8da6c1aa1143c4f412b897fada6ffa14013c41
Instruction ID: 6d76c0ab327d3cad575a84f9b723ac47cf84d1e5efce24317b7fe4316f743203
Opcode Fuzzy Hash: e3b51ca9be4f270ef5561ba89c8da6c1aa1143c4f412b897fada6ffa14013c41
Instruction Fuzzy Hash: C90122B16841073BE218AB245C42EAB2B4FEF613A8F544262FD00D23C3E6A0DE05C2A4

Function 00614D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00614D5C
__beginthreadex.LIBCMT ref: 00614D7A
MessageBoxW.USER32(?,?,?,?), ref: 00614D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00614DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00614DAC

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: dc8ae0a8731b4461f31f7370f9fdd0ae4e694f545c1de70910b16751ea050de9
Instruction ID: e651471b0ef15e66c4ad9c9bb91a70a9724debf67d80d8b54a38e004036217f6
Opcode Fuzzy Hash: dc8ae0a8731b4461f31f7370f9fdd0ae4e694f545c1de70910b16751ea050de9
Instruction Fuzzy Hash: 78110C72D04604FBCB119BA8EC08ADA7FAEEB45320F144269F928D3351DA718D8487E0

Function 0060874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00608766
GetLastError.KERNEL32(?,0060822A,?,?,?), ref: 00608770
GetProcessHeap.KERNEL32(00000008,?,?,0060822A,?,?,?), ref: 0060877F
HeapAlloc.KERNEL32(00000000,?,0060822A,?,?,?), ref: 00608786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0060879D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a1d615f7fe2ee7313644b68ffe211d410a8123fcf16f295e949a4e87cde379f7
Instruction ID: 51acdddb270d32f1961f6ed77e81add6df790d35971dd75beafdc87c1af910e4
Opcode Fuzzy Hash: a1d615f7fe2ee7313644b68ffe211d410a8123fcf16f295e949a4e87cde379f7
Instruction Fuzzy Hash: B4011271641214FFDB144FA6DC49DAB7B6EFF86755B200579F849C3260DA31DD00DAA0

Function 006154E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00615502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00615510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00615518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00615522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0061555E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 59f21fda91a727b3c2775176ae0f5babc53d39bead73916bd104e95d1ca79b88
Instruction ID: 1bb1410f4855f0419feee097e27f877d7d3ed37ea48b18a997726fb4ad3c41c8
Opcode Fuzzy Hash: 59f21fda91a727b3c2775176ae0f5babc53d39bead73916bd104e95d1ca79b88
Instruction Fuzzy Hash: C4011B35D10A19DBCF00DFE9E8885EDFB7BFB49711F040496E942B2250DB305694C7A1

Function 00607652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0060758C,80070057,?,?,?,0060799D), ref: 0060766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0060758C,80070057,?,?), ref: 0060768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0060758C,80070057,?,?), ref: 00607698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0060758C,80070057,?), ref: 006076A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0060758C,80070057,?,?), ref: 006076B4

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b24686856755e6050633a2409de18ec6492f755822360a4fca93cad9984f942d
Instruction ID: 05efc6e4fff94d759a61487d4dd589bb59b81b3c6ca2ca5eee4faa7b585ea7ad
Opcode Fuzzy Hash: b24686856755e6050633a2409de18ec6492f755822360a4fca93cad9984f942d
Instruction Fuzzy Hash: 7701B176A10604BBDB144F18DC04AAB7BBEEB44751F100029FD06D2261E732EE408BE0

Function 006085F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00608608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00608612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00608621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00608628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0060863E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ce648377ea333902c74c0c6e587830dd0bc0665f31e47593d337bbffda2cb35f
Instruction ID: 8daeb82d26df9eaf903dfbb43bf9c1853213e8e6cd52c3b7aa957a6e915d3ec6
Opcode Fuzzy Hash: ce648377ea333902c74c0c6e587830dd0bc0665f31e47593d337bbffda2cb35f
Instruction Fuzzy Hash: 82F06831651204AFE7144FA5DC9DEAB3BAEEF85754F001425F545C7290CB71DC45DAA0

Function 00608652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00608669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00608673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00608682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00608689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0060869F

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 525e0357a94ebe374fbf182ca2951370c8146414229280f53252310f46ccf382
Instruction ID: 5ab1a684586f4b5e2a9e605c6a4ade81e2dd28da65427b2e17a8fbe5a06f2f25
Opcode Fuzzy Hash: 525e0357a94ebe374fbf182ca2951370c8146414229280f53252310f46ccf382
Instruction Fuzzy Hash: FEF0AF70250214AFEB155FA4EC88EA73BAEEF89754F100025F985C32A0CB62D844DEA0

Function 0060C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0060C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0060C6D1
MessageBeep.USER32(00000000), ref: 0060C6E9
KillTimer.USER32(?,0000040A), ref: 0060C705
EndDialog.USER32(?,00000001), ref: 0060C71F

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 52a944f9e7d3caa516d89b17c689876e6fa91909fcf92e67d727fc26d43a5080
Instruction ID: c6eaac14f5b1834126fc358c33c7f7f0ea49185d0af594ee894b228e5adb5d88
Opcode Fuzzy Hash: 52a944f9e7d3caa516d89b17c689876e6fa91909fcf92e67d727fc26d43a5080
Instruction Fuzzy Hash: 5301D630840704ABEB345B20DD4EF9777BAFF01701F001669F542A10E0DBF1A9558F80

Function 005B13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005B13BF
StrokeAndFillPath.GDI32(?,?,005EBAD8,00000000,?), ref: 005B13DB
SelectObject.GDI32(?,00000000), ref: 005B13EE
DeleteObject.GDI32 ref: 005B1401
StrokePath.GDI32(?), ref: 005B141C

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 8882832bf9d1027df762474ad22a4307bfc2caf02eced2acc5bfc1664453518b
Instruction ID: 76964a1545737007abab74ddb0171cb81f6ac8414d60f4fb350baf257c9d556e
Opcode Fuzzy Hash: 8882832bf9d1027df762474ad22a4307bfc2caf02eced2acc5bfc1664453518b
Instruction Fuzzy Hash: 22F01930410A08EBDB195F2AED5C7983FA6BB01326F58A224F429480F2D73159A5DF75

Function 005C2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 005D0FF6: std::exception::exception.LIBCMT ref: 005D102C
Part of subcall function 005D0FF6: __CxxThrowException@8.LIBCMT ref: 005D1041

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

Part of subcall function 005B7BB1: _memmove.LIBCMT ref: 005B7C0B

__swprintf.LIBCMT ref: 005C302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 005C2EC6

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: b1560680244defbe5d207c7d7d25b019009edbb929ad5aa2ffd0ba7923814682
Instruction ID: f7837f8a777a671cdec8182026fc5fcb4e346e6dae35a7832a1d08c0b3606850
Opcode Fuzzy Hash: b1560680244defbe5d207c7d7d25b019009edbb929ad5aa2ffd0ba7923814682
Instruction Fuzzy Hash: 5891607210870A9FC728EF64D889D6E7FA4FFD5740F00491EF541972A1EA20EE44CB52

Function 0060B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0060B981

Strings

Container, xrefs: 0060B8FE
%d, xrefs: 0060BA24
AutoIt3GUI, xrefs: 0060B8F9

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%d
API String ID: 3565006973-3099487511
Opcode ID: 3b7657680d9f875a73e812b2ca08bff0c7b15262ff484b58fc130031cc09e9bc
Instruction ID: 522cea6b4b617560c80b00bee302e5ba0851cc5d98cfb9ca21b3fdc7d4ed862f
Opcode Fuzzy Hash: 3b7657680d9f875a73e812b2ca08bff0c7b15262ff484b58fc130031cc09e9bc
Instruction Fuzzy Hash: 10913C706406019FDB68CF68C884A67BBEAFF49710F24956EF945CB7A1DB70E841CB60

Function 005D524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005D52DD

Part of subcall function 005E0340: __87except.LIBCMT ref: 005E037B

Strings

pow, xrefs: 005D52B5, 005D52D2

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 1150761caef0f31af2d5a35c145a4728b2bb5e9da34fd6049ec2ee744de287af
Instruction ID: c85e7c1e2c6a42a556f9bec821a062965e10d03ca23bc9a29398852f4637976e
Opcode Fuzzy Hash: 1150761caef0f31af2d5a35c145a4728b2bb5e9da34fd6049ec2ee744de287af
Instruction Fuzzy Hash: F7517C61A0D64287CF29BB1DCA4137E2F90BB50750F606D5BE0D5823E9FFB48CC89A46

Function 005D023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 005D0277
#, xrefs: 005D0280

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 42c9d882764080eebcabb1560e2e913e6714dc1d275cfcdb8028f815326972f2
Instruction ID: 8dfeaf35adfd0535f1587729698137f27d362b7be5c88d568c1c0462443ccda2
Opcode Fuzzy Hash: 42c9d882764080eebcabb1560e2e913e6714dc1d275cfcdb8028f815326972f2
Instruction Fuzzy Hash: 17510F3554564A9BCF299F28C8886FB7BA6FF5A310F144057E8929B3E0D7309C86CB61

Function 005C3297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005C33D7
_memmove.LIBCMT ref: 005C3470
_free.LIBCMT ref: 005C3496
_memmove.LIBCMT ref: 005C3549

Strings

Oa\, xrefs: 005C3482

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa\
API String ID: 2620147621-2596033750
Opcode ID: cf4943a8bdb03815a4633ffb5b4f5963ffd4e97a755981b3bea0767dedaa604e
Instruction ID: 5b46eb29e73f14a2bce201914c355a586ed339272b64723ca780dc97801c0678
Opcode Fuzzy Hash: cf4943a8bdb03815a4633ffb5b4f5963ffd4e97a755981b3bea0767dedaa604e
Instruction Fuzzy Hash: 4B5149716083469FDB24CF68C495B2ABFE5BF89314F04892DE98987351DB31D941CB92

Function 005C62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005C63A8
_memmove.LIBCMT ref: 005C6446
_memset.LIBCMT ref: 005C646A

Strings

ERCP, xrefs: 005C6313

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 3841a9ef0ec042b02e6cf083d22c11056b0dc132cac4e76db3158ffd1e417821
Instruction ID: 8850b91d8e1e2a253934ea7765185b8beddfcfa5359a6bffa261ba3cc274426c
Opcode Fuzzy Hash: 3841a9ef0ec042b02e6cf083d22c11056b0dc132cac4e76db3158ffd1e417821
Instruction Fuzzy Hash: 27518C71900709DFCB288FA5C885BAABFE5FF44714F20856EE54ACA280E771A681CB40

Function 00637648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006376D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006376E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00637708

Strings

SysMonthCal32, xrefs: 0063769B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: abfc95bf80e327c9b8c6a3e8697dde0811da0afd219a73f60f0814a7bbdbe891
Instruction ID: 11fb8e181a53c1249a294df1cc0defb412efccdb7f5b96247fb775fad1610e08
Opcode Fuzzy Hash: abfc95bf80e327c9b8c6a3e8697dde0811da0afd219a73f60f0814a7bbdbe891
Instruction Fuzzy Hash: 5221BF32500219BBDF258F64CC46FEA3B7AEF89714F111214FE156B1D1D6B1A8918BE0

Function 00636F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00636FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00636FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00636FDF

Strings

Listbox, xrefs: 00636F77

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: e4c5915e4fcdec5503eb36e4614573bc2e81521ce4f0f34b010511827ec57b13
Instruction ID: b9941531ffc751c4593cdc907d1dcf1c13173d9ed7b11cacc44b761fe7b93159
Opcode Fuzzy Hash: e4c5915e4fcdec5503eb36e4614573bc2e81521ce4f0f34b010511827ec57b13
Instruction Fuzzy Hash: D8219232610118BFDF158F54EC85EEB3BABEF89754F118128FA149B290CA71AC518BE0

Function 0063797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006379E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006379F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00637A03

Strings

msctls_trackbar32, xrefs: 006379B8

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 421a002c898d77f8221d716042783a2bb653203b52e8bb86a62b21c4bc1d8b7d
Instruction ID: b4fdd7fc8ffd247550a52ed550e98c48255c97d3cf05b4f50df024372cb9d225
Opcode Fuzzy Hash: 421a002c898d77f8221d716042783a2bb653203b52e8bb86a62b21c4bc1d8b7d
Instruction Fuzzy Hash: 1711E772244208BADF249F64CC05FDB3BAAEF89764F010519F645A61D0D2719851DBA0

Function 005B4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005B4C2E), ref: 005B4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 005B4CB5

Strings

GetNativeSystemInfo, xrefs: 005B4CAF
kernel32.dll, xrefs: 005B4C9E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: b5cf1e4c9ed88c89f068f1ec82074cf0c94042bea7d39a25141f7fbd5afeb853
Instruction ID: f3ae5e1eabf936eb772e3912b27e69a89ad9c39b04af5f93458e74dc738397e4
Opcode Fuzzy Hash: b5cf1e4c9ed88c89f068f1ec82074cf0c94042bea7d39a25141f7fbd5afeb853
Instruction Fuzzy Hash: BCD01270910727DFD7205F31DA18646BAD6AF05B51F118839D886D6160D770D880CA90

Function 005B4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005B4D2E,?,005B4F4F,?,006762F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005B4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005B4D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 005B4D7B
kernel32.dll, xrefs: 005B4D6A

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: ce39f3f0a30d3db514847923f74b65fbfc917872456844d5200005fbd237caee
Instruction ID: d72fec63087da020543cfae5bc0aa65ef552c0910db7e06e501c841c9908619e
Opcode Fuzzy Hash: ce39f3f0a30d3db514847923f74b65fbfc917872456844d5200005fbd237caee
Instruction Fuzzy Hash: 07D01270910713CFD7305F31D80865676D9BF15351F1189399486D6250D670D480CE90

Function 005B4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005B4CE1,?), ref: 005B4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005B4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 005B4DAE
kernel32.dll, xrefs: 005B4D9D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 39decf850ef65d3a74bfa0a89602402f5b559bc29918de9c64edcea3f0448d52
Instruction ID: 5b88c947405847e1042ed052ae16b5ef5e54111c203949efcfb285100d424ca3
Opcode Fuzzy Hash: 39decf850ef65d3a74bfa0a89602402f5b559bc29918de9c64edcea3f0448d52
Instruction Fuzzy Hash: 84D05E71950713CFDB309F31E808A86BAE6BF05355F12C83ED8D6D6160EB70E880CAA0

Function 00631072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,006312C1), ref: 00631080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00631092

Strings

advapi32.dll, xrefs: 0063107B
RegDeleteKeyExW, xrefs: 0063108C

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: f2f7a90a90d29706d43b9694949c777f44edab7b66bff51f9d68faa88a528185
Instruction ID: 419db3782bc6d8003513b46184fc7487bd111eda56f1521bf6da156ebbee9447
Opcode Fuzzy Hash: f2f7a90a90d29706d43b9694949c777f44edab7b66bff51f9d68faa88a528185
Instruction Fuzzy Hash: 80D01230910712CFD7205F35D82856776EAAF06351F119C39A485DA260DB70C8C0C690

Function 006293F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00629009,?,0063F910), ref: 00629403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00629415

Strings

GetModuleHandleExW, xrefs: 0062940F
kernel32.dll, xrefs: 006293FE

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 9d58e6645e25d8e3b0af50f1e2a0e5406f1000fd557f0ca8700efc0a502bcf35
Instruction ID: 077d623cfe19272dd248e7cb075400b4e7487ff88dee77fafcc147fc273b5b0f
Opcode Fuzzy Hash: 9d58e6645e25d8e3b0af50f1e2a0e5406f1000fd557f0ca8700efc0a502bcf35
Instruction Fuzzy Hash: A6D01274910723CFD7205F71E90854776D7AF06351F11C8399486D6650D6B0C490CAA0

Function 005F1B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005F1B42
__swprintf.LIBCMT ref: 005F1B73

Strings

%.3d, xrefs: 005F1B4D
WIN_XPe, xrefs: 005F1BB2

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: f708860bb194d49d3b3dfbbaeca83f3fe5dad0e620ffed699b93d22361b458ef
Instruction ID: d942a1e197db215f86916a0c77a1e906590d236423ade1453252f510c1010214
Opcode Fuzzy Hash: f708860bb194d49d3b3dfbbaeca83f3fe5dad0e620ffed699b93d22361b458ef
Instruction Fuzzy Hash: 68D01271C0451CFACB14DB909D448FA7F7DBB04301F5409D3BA06A1000F2789B84AB29

Function 006076C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5db062693706508c85a68c62cd8eb46fee87aeb6a228637bceee660efdc5960
Instruction ID: 0c2484cb5ce22255af40d6420a5ad5bfb40da81cee3980030da6a73a33c71d72
Opcode Fuzzy Hash: f5db062693706508c85a68c62cd8eb46fee87aeb6a228637bceee660efdc5960
Instruction Fuzzy Hash: FBC13B75E44216EFCB18CF94C884AAFB7B6FF48714B158599E805EB291D730ED81CB90

Function 0062E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0062E3D2
CharLowerBuffW.USER32(?,?), ref: 0062E415

Part of subcall function 0062DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0062DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0062E615
_memmove.LIBCMT ref: 0062E628

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 677bddbda2c85b6383ea0569afd1c6521d41259289d89894fb9207c1b9083187
Instruction ID: c047986d99ad26d009df5484b7d1eb5ee52c760c0cb24a8e0ca5f7945656510a
Opcode Fuzzy Hash: 677bddbda2c85b6383ea0569afd1c6521d41259289d89894fb9207c1b9083187
Instruction Fuzzy Hash: 1AC17C716087129FC714DF28C4809AABBE5FF89314F14896EF8999B351D732E946CF82

Function 006283A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006283D8
CoUninitialize.OLE32 ref: 006283E3

Part of subcall function 0060DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0060DAC5

VariantInit.OLEAUT32(?), ref: 006283EE
VariantClear.OLEAUT32(?), ref: 006286BF

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: b17b3598eb1690c341fc9451bbeaaa03918346662673b96eef262cb1920d1cc3
Instruction ID: 15b49be5e577ede6b9924648385f17b644d7350c4e6ea8be77910568e112b0ed
Opcode Fuzzy Hash: b17b3598eb1690c341fc9451bbeaaa03918346662673b96eef262cb1920d1cc3
Instruction Fuzzy Hash: B9A13A75204B129FCB50DF14D885A5ABBE5BF88314F14844DFA9AAB3A2CB30FD44CB95

Function 00606DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00606E04
SysAllocString.OLEAUT32(00000000), ref: 00606EAD
VariantCopy.OLEAUT32 ref: 00606EDC
VariantClear.OLEAUT32(?), ref: 00606F03

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 643fd3aaedfa6c6974005f57f6de9122f1b320e1f4f6ba1d3e914e4cfb21bb86
Instruction ID: 9ebcb3daf0d2dcd9a08a34fc7829892a87e10316238e56b9576a30562c1faba2
Opcode Fuzzy Hash: 643fd3aaedfa6c6974005f57f6de9122f1b320e1f4f6ba1d3e914e4cfb21bb86
Instruction Fuzzy Hash: CC51F970B883039ADB38AF65D485B6BB7E7AF48310F20981FF556CB2D1DB70A8549B05

Function 00639A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0117F960,?), ref: 00639AD2
ScreenToClient.USER32(00000002,00000002), ref: 00639B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00639B72

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8318f7cfd0104cf4a93e7e88ad625df03cacfc4112c3f625e51555080c8d6bbb
Instruction ID: 367f4e9ea4be9b1613ee1a3fdd4338060c4a62ba94eafe7d226c7a0d451350ef
Opcode Fuzzy Hash: 8318f7cfd0104cf4a93e7e88ad625df03cacfc4112c3f625e51555080c8d6bbb
Instruction Fuzzy Hash: 2A51EB34A00609AFCB14DF68E9819EE7BB6FB55360F148259F9169B390D770AD81CFA0

Function 00626CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00626CE4
WSAGetLastError.WSOCK32(00000000), ref: 00626CF4

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00626D58
WSAGetLastError.WSOCK32(00000000), ref: 00626D64

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 405a2daadb5f086145ecef3577c00ad42590c2047cedc641a82c55e3bbf1b75c
Instruction ID: fe627b70cda41078e1945e531b19d3046146b41acf9de1943832c73ebbe74638
Opcode Fuzzy Hash: 405a2daadb5f086145ecef3577c00ad42590c2047cedc641a82c55e3bbf1b75c
Instruction Fuzzy Hash: A841A774740611AFEB10AF24DC8AF7A7BE9AF44B10F448458FA599F3D2DB71AD008B91

Function 0062672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0063F910), ref: 006267BA
_strlen.LIBCMT ref: 006267EC

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 778a16291a453905e4470874d98fc6556d70a99a9c9119bce5e9fc9365979c47
Instruction ID: 65b7b4a20a97d88e96f553da0f22639714074f8e84db5d574c1f81939baf7437
Opcode Fuzzy Hash: 778a16291a453905e4470874d98fc6556d70a99a9c9119bce5e9fc9365979c47
Instruction Fuzzy Hash: FE41C831A00516AFCB14EB64ECC5FEEBBAABF44310F148169F51597392DB30AD04CB51

Function 0061BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0061BB09
GetLastError.KERNEL32(?,00000000), ref: 0061BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0061BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0061BB80

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c43c151d844e9e07f8d0248d2e323c3585fb8a0563457451d915c201fe09ebf2
Instruction ID: be7eeb7cd7d3a6abacc7b8c0b90c4d1f554c2898e0f9fc62f7e590b1a821aad0
Opcode Fuzzy Hash: c43c151d844e9e07f8d0248d2e323c3585fb8a0563457451d915c201fe09ebf2
Instruction Fuzzy Hash: 3A412939600612DFCB11EF15C588A9DBBE2FF89310B098498F94A9B762CB34FD41CB91

Function 00638AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00638B4D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: b3ecf6dba7d4d12b50a7da5dab07077934738c3105c7dbc5e883549c1e40a571
Instruction ID: 245a92c14a8070c7ab98af96b1f27598ea79b4584a783283a76ec15dad8c05da
Opcode Fuzzy Hash: b3ecf6dba7d4d12b50a7da5dab07077934738c3105c7dbc5e883549c1e40a571
Instruction Fuzzy Hash: 123170B4600306BEEB249F28CC85FE9B7A7EB05350F245516FA56D73A1DE30A94097D1

Function 0063ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0063AE1A
GetWindowRect.USER32(?,?), ref: 0063AE90
PtInRect.USER32(?,?,0063C304), ref: 0063AEA0
MessageBeep.USER32(00000000), ref: 0063AF11

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: fa9b46410206e2829fbc4f0473feb7988f94c6e965825a8c481432d0e6de12eb
Instruction ID: 440f7c6ac20b9b069637cb87a3b9d60561cc20f7fd48aab28d84dd3e8f700c23
Opcode Fuzzy Hash: fa9b46410206e2829fbc4f0473feb7988f94c6e965825a8c481432d0e6de12eb
Instruction Fuzzy Hash: 6D416070A00115DFCB15CF98C884AA9BBF7FF89350F1881A9E4989B351D730A942EFD2

Function 00610FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00611037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00611053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006110B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0061110B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 90861c2114a66d8e4ae9fa45eb55a99a34c7961772e0ed0f97989bdbd5c60d9c
Instruction ID: 3afcb94976bc79f6905afe99a512fe8526b08f915062471a18ab8e0b2d34a2d9
Opcode Fuzzy Hash: 90861c2114a66d8e4ae9fa45eb55a99a34c7961772e0ed0f97989bdbd5c60d9c
Instruction Fuzzy Hash: D0317E30E40698AEFF308B658C057F9BBABAB4E312F0C421AE6805A2D0CB7449C19765

Function 00611121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00611176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00611192
PostMessageW.USER32(00000000,00000101,00000000), ref: 006111F1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00611243

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: fad58fa92355330637490ee5d990f0c7dc2ccac72e3b101ccc64a6dc0e3542bf
Instruction ID: 4c3097319c116db537176086e4d9a69bd1414375a64adb96c02e9d24665e6831
Opcode Fuzzy Hash: fad58fa92355330637490ee5d990f0c7dc2ccac72e3b101ccc64a6dc0e3542bf
Instruction Fuzzy Hash: AF314B30E4060CAAFF318B658C067FABBBBAB46310F0C431EE7909A6D1D3754AD58755

Function 005E6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005E644B
__isleadbyte_l.LIBCMT ref: 005E6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005E64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005E64DD

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b65df5deec274986885d73733492e80def13ad5d48fa753c7bb79383c44c238e
Instruction ID: ab5d58c975c1d1da55eded1a47f05bf67382b9609864d3da90f4c5cd92703bd1
Opcode Fuzzy Hash: b65df5deec274986885d73733492e80def13ad5d48fa753c7bb79383c44c238e
Instruction Fuzzy Hash: 6331C13160029AAFDF298F66C889BBA7FA6FF503D0F154429E894871D1E731D950DB90

Function 00635175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00635189

Part of subcall function 0061387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00613897
Part of subcall function 0061387D: GetCurrentThreadId.KERNEL32 ref: 0061389E
Part of subcall function 0061387D: AttachThreadInput.USER32(00000000,?,006152A7), ref: 006138A5

GetCaretPos.USER32(?), ref: 0063519A
ClientToScreen.USER32(00000000,?), ref: 006351D5
GetForegroundWindow.USER32 ref: 006351DB

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 27a7256a8cc7c8680c48213cf91eacf4a6c707024821eba3f23d1ad7e5127877
Instruction ID: 9b75e16263498a6999309f1964f56c2b219cd838e164a1ca4e718ed1460053eb
Opcode Fuzzy Hash: 27a7256a8cc7c8680c48213cf91eacf4a6c707024821eba3f23d1ad7e5127877
Instruction Fuzzy Hash: E4312F72E00119AFDB00EFA5C8859EFBBF9EF99300F10406AE515E7251DA75AE45CBA0

Function 0063C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B2612: GetWindowLongW.USER32(?,000000EB), ref: 005B2623

GetCursorPos.USER32(?), ref: 0063C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005EBBFB,?,?,?,?,?), ref: 0063C7D7
GetCursorPos.USER32(?), ref: 0063C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005EBBFB,?,?,?), ref: 0063C85E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: edc64d59d4254f5b0e99fd850673ca5575d93c5720219b75be8d3f0617d83a97
Instruction ID: 7b8685b749ad959faf6224b831dda62f4a7abf6fa2a1db9963701a147614aa09
Opcode Fuzzy Hash: edc64d59d4254f5b0e99fd850673ca5575d93c5720219b75be8d3f0617d83a97
Instruction Fuzzy Hash: F9316D35600418AFCB25CF59C898EEA7FBBEB49720F144169F9099B261C731AE51DFA0

Function 005D0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 005D0BF2

Part of subcall function 005B5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00617B20,?,?,00000000), ref: 005B5B8C
Part of subcall function 005B5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00617B20,?,?,00000000,?,?), ref: 005B5BB0

_fprintf.LIBCMT ref: 005D0C29
OutputDebugStringW.KERNEL32(?), ref: 00606331

Part of subcall function 005D4CDA: _flsall.LIBCMT ref: 005D4CF3

__setmode.LIBCMT ref: 005D0C5E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: a78e709ad831dbb31e8bfc168fd2804ea464d7516bc833e28607bb3ae2b26496
Instruction ID: 3c7ef8d135cba0255a2ce8b5d90a8ca779ac561ffeab85653a888d905780403c
Opcode Fuzzy Hash: a78e709ad831dbb31e8bfc168fd2804ea464d7516bc833e28607bb3ae2b26496
Instruction Fuzzy Hash: CD11D5319042066FDB1877B89C4AAFEBF6ABF81320F14015BF104972E2EF715D964B95

Function 00608B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00608652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00608669
Part of subcall function 00608652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00608673
Part of subcall function 00608652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00608682
Part of subcall function 00608652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00608689
Part of subcall function 00608652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0060869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00608BEB
_memcmp.LIBCMT ref: 00608C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00608C44
HeapFree.KERNEL32(00000000), ref: 00608C4B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 81052481fc7fd28e56fd1462a355096097b713284b75c06bb422835022453dcc
Instruction ID: e4164e5de5a3b886c6ec38042702b0643bd6ba07380c3b0ebbecfaca0a119b2c
Opcode Fuzzy Hash: 81052481fc7fd28e56fd1462a355096097b713284b75c06bb422835022453dcc
Instruction Fuzzy Hash: 6821A171E81208EFDB14CF94C944BEEB7B9EF40340F044059E495A7280DB31AE05CB60

Function 00621A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00621A97

Part of subcall function 00621B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00621B40
Part of subcall function 00621B21: InternetCloseHandle.WININET(00000000), ref: 00621BDD

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 37bcdc0b35dd6c1fcdc873e114cee331e440cd185694ec3df45a340c2c448e7c
Instruction ID: c155c5992c32c9ce3b9aec8a412bf6dc2ed9e4a9a942b85ca941133d6ba51028
Opcode Fuzzy Hash: 37bcdc0b35dd6c1fcdc873e114cee331e440cd185694ec3df45a340c2c448e7c
Instruction Fuzzy Hash: 2B21A135208A15BFDB119F60AC01FBAB7BFFF65702F10401AFA119A660EB71D8119FA4

Function 0060E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0060F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0060E1C4,?,?,?,0060EFB7,00000000,000000EF,00000119,?,?), ref: 0060F5BC
Part of subcall function 0060F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0060F5E2
Part of subcall function 0060F5AD: lstrcmpiW.KERNEL32(00000000,?,0060E1C4,?,?,?,0060EFB7,00000000,000000EF,00000119,?,?), ref: 0060F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0060EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0060E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0060E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0060EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0060E237

Strings

cdecl, xrefs: 0060E22E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 88326ba9aebc3d1017043effb5a67f02595d880134b96fdf5f97b83d51512211
Instruction ID: 7a34b949364ba83cb0fa7818baf5bb74f7afb39b6b4b03c506af2f6e121f427a
Opcode Fuzzy Hash: 88326ba9aebc3d1017043effb5a67f02595d880134b96fdf5f97b83d51512211
Instruction Fuzzy Hash: 0011B136100341EFCB29AF64DC49D7B77BAFF84310B40442AE806CB2A0EB72995197A0

Function 005E5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005E5351

Part of subcall function 005D594C: __FF_MSGBANNER.LIBCMT ref: 005D5963
Part of subcall function 005D594C: __NMSG_WRITE.LIBCMT ref: 005D596A
Part of subcall function 005D594C: RtlAllocateHeap.NTDLL(01160000,00000000,00000001,00000000,?,?,?,005D1013,?), ref: 005D598F

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: fa0479628289bd393670347832b349fb3a85969db97c02441a84f6c307e12364
Instruction ID: 2f714115ab20709a4cf63510992901b4829c461fea8ee3d204bf559e331eef68
Opcode Fuzzy Hash: fa0479628289bd393670347832b349fb3a85969db97c02441a84f6c307e12364
Instruction Fuzzy Hash: FC11C832904A169ECB393F75AC0966D3F957F583A4F200C2BF58596291EE7189408790

Function 005B4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005B4560

Part of subcall function 005B410D: _memset.LIBCMT ref: 005B418D
Part of subcall function 005B410D: _wcscpy.LIBCMT ref: 005B41E1
Part of subcall function 005B410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005B41F1

KillTimer.USER32(?,00000001,?,?), ref: 005B45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005B45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005ED6CE

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 2ae05269d40949cdd03c75ee571d4653e7c3ce0dbd8c07f293515752a5db16b0
Instruction ID: a31bf6df8fd8d39caf37a3bd334b94b2a486b925733917119356d906f756c630
Opcode Fuzzy Hash: 2ae05269d40949cdd03c75ee571d4653e7c3ce0dbd8c07f293515752a5db16b0
Instruction Fuzzy Hash: 67219570904794AFEB368B24D859BE7BFEDAF01304F04049EE6DE56282C7746A848B51

Function 006140B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006140D1
_memset.LIBCMT ref: 006140F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00614144
CloseHandle.KERNEL32(00000000), ref: 0061414D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 789791c77ea678b17888d4aea87bf3a088f287534c1fb52cb4441f2e0645099d
Instruction ID: 702ba0a3149b39a93e0f8018374b52794dd9ad1fadda636835b1eb930674d277
Opcode Fuzzy Hash: 789791c77ea678b17888d4aea87bf3a088f287534c1fb52cb4441f2e0645099d
Instruction Fuzzy Hash: 7A11AB75D012287AD7305BA5AC4DFEBBB7DEF44760F104196F908D7280D6744E848BA4

Function 0062667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005B5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00617B20,?,?,00000000), ref: 005B5B8C
Part of subcall function 005B5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00617B20,?,?,00000000,?,?), ref: 005B5BB0

gethostbyname.WSOCK32(?,?,?), ref: 006266AC
WSAGetLastError.WSOCK32(00000000), ref: 006266B7
_memmove.LIBCMT ref: 006266E4
inet_ntoa.WSOCK32(?), ref: 006266EF

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 5b3ff7e7fddf81fb64a5ea2a685b54248ca1b7f30531acb452b6ab1652ff4a57
Instruction ID: 0604615b9ad4ffcf70cf0f928384e9bb33b76a5e6645d157784ecc64f6cabb0f
Opcode Fuzzy Hash: 5b3ff7e7fddf81fb64a5ea2a685b54248ca1b7f30531acb452b6ab1652ff4a57
Instruction Fuzzy Hash: 62113335900506AFCB04FFA4DD9ADEE7BB9BF44310B144065F506A7161EF30AE14CB95

Function 00609023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00609043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00609055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0060906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00609086

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2d83d5c0882bf0776ad2af5667eb005c128d1fcfc3b60c9874dfe3e05eda8a84
Instruction ID: f0dae7745a13a56d13d53a167f6cf0cc6b63676a7fcc8cdf64ff026bbfcd36da
Opcode Fuzzy Hash: 2d83d5c0882bf0776ad2af5667eb005c128d1fcfc3b60c9874dfe3e05eda8a84
Instruction Fuzzy Hash: 1F114C79940218FFDB10DFA5CD85E9EBB75FB48310F204095E905B7290D6716E10DBA4

Function 005B1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 005B2612: GetWindowLongW.USER32(?,000000EB), ref: 005B2623

DefDlgProcW.USER32(?,00000020,?), ref: 005B12D8
GetClientRect.USER32(?,?), ref: 005EB84B
GetCursorPos.USER32(?), ref: 005EB855
ScreenToClient.USER32(?,?), ref: 005EB860

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b9c5f99cd625772633e25db7ad9152c261000057f41298c9483c72f22dcd3a13
Instruction ID: 8ced768ed06699ca90cf7377430017f386dfc9b6e7712bd2d77a7efc55495fa4
Opcode Fuzzy Hash: b9c5f99cd625772633e25db7ad9152c261000057f41298c9483c72f22dcd3a13
Instruction Fuzzy Hash: A5118C39A0041AEFCB04DF95D899DFEBBB9FB45301F500456F911E3250C730BA518BA9

Function 00611652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006101FD,?,00611250,?,00008000), ref: 0061166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,006101FD,?,00611250,?,00008000), ref: 00611694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006101FD,?,00611250,?,00008000), ref: 0061169E
Sleep.KERNEL32(?,?,?,?,?,?,?,006101FD,?,00611250,?,00008000), ref: 006116D1

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b5298895f5176574faf1405f61e87e8baabd2a2bc89dcfb70c2fdc497aa65e3a
Instruction ID: 0ffde77a1ed2e78ab8b1b2c48b83488356a3afa21116637d7c8e0f92cc75eaf4
Opcode Fuzzy Hash: b5298895f5176574faf1405f61e87e8baabd2a2bc89dcfb70c2fdc497aa65e3a
Instruction Fuzzy Hash: 95115E31C0051DDBCF009FA5E948AEEBF79FF0A751F19405AEA80BA240CB3155A0CBD6

Function 005E7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 005E722B

Part of subcall function 005E7912: __fltout2.LIBCMT ref: 005E793B

__cftog_l.LIBCMT ref: 005E7251
__cftoe_l.LIBCMT ref: 005E7283

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 6a748f65aac529ed2ab2ca3faaed25ec03e531c26e744c61b300fa655c040901
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 9001803A04418EBBCF1A5E85DC058EE3F22BF5D340B088555FB9858031C337C9B1AB81

Function 0063B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0063B59E
ScreenToClient.USER32(?,?), ref: 0063B5B6
ScreenToClient.USER32(?,?), ref: 0063B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0063B5F5

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d637f6c566700ae5cbd2c901d1d6c560ec9ce222baa3fb7d5840bf529fbeefb3
Instruction ID: aa9c3fe22e4974eb1dc0f620da1a93b5b1bda7b6fd48595cace191d59f1d74cd
Opcode Fuzzy Hash: d637f6c566700ae5cbd2c901d1d6c560ec9ce222baa3fb7d5840bf529fbeefb3
Instruction Fuzzy Hash: CE1143B9D00209EFDB41CFA9C8859EEFBF9FB09310F109166E914E3220D735AA558F90

Function 0063B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0063B8FE
_memset.LIBCMT ref: 0063B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00677F20,00677F64), ref: 0063B93C
CloseHandle.KERNEL32 ref: 0063B94E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: ded4be2d3e5d7846fa5f03223b79679bcbf49cc9792046d79e60a25a0b85679e
Instruction ID: 937d5ebe1341f8dcf1d7ff7ad0e48dc7dcddeb453c58136c5f4312212e1b4d48
Opcode Fuzzy Hash: ded4be2d3e5d7846fa5f03223b79679bcbf49cc9792046d79e60a25a0b85679e
Instruction Fuzzy Hash: E5F05EB2544300BBF3106B65AD0AFBB3A5EEB09354F00A022FB0CD6292E779594087E9

Function 00616E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00616E88

Part of subcall function 0061794E: _memset.LIBCMT ref: 00617983

_memmove.LIBCMT ref: 00616EAB
_memset.LIBCMT ref: 00616EB8
LeaveCriticalSection.KERNEL32(?), ref: 00616EC8

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c4115a6c5653224529d08a85ca201bc66ac1479a60691b9f71148f0719ab1d41
Instruction ID: 05884d1fe4ec0f0aba5826088c7c4a25155bcbc5dfc95512d0c12fc72ace2468
Opcode Fuzzy Hash: c4115a6c5653224529d08a85ca201bc66ac1479a60691b9f71148f0719ab1d41
Instruction Fuzzy Hash: ADF0543A504200BBCF516F95DC89E8ABB2AEF45320F08C065FE085F216C771A951DBB5

Function 0063C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 005B12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005B134D
Part of subcall function 005B12F3: SelectObject.GDI32(?,00000000), ref: 005B135C
Part of subcall function 005B12F3: BeginPath.GDI32(?), ref: 005B1373
Part of subcall function 005B12F3: SelectObject.GDI32(?,00000000), ref: 005B139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0063C030
LineTo.GDI32(00000000,?,?), ref: 0063C03D
EndPath.GDI32(00000000), ref: 0063C04D
StrokePath.GDI32(00000000), ref: 0063C05B

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 19b103f7449e8863ee58fe516d921d15b05394ceb7abb25e0ec8fd3c07f4eda5
Instruction ID: e6f8d1239425445360f78018c5901a6c5d647ee47982b70af50616380e96d14c
Opcode Fuzzy Hash: 19b103f7449e8863ee58fe516d921d15b05394ceb7abb25e0ec8fd3c07f4eda5
Instruction Fuzzy Hash: F7F05E31405659BBDB166F55EC09FCE3F9AAF05321F044000FA15651E2C7B556A1CFE9

Function 0060A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0060A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0060A3AC
GetCurrentThreadId.KERNEL32 ref: 0060A3B3
AttachThreadInput.USER32(00000000), ref: 0060A3BA

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: a5f161e9c6cfa436d2bd7fc2aece5c31132b760ecbbe8ad4757befc9a13419e5
Instruction ID: 10d5d1d86cc4457faee09dadc9ce55f8728fe1f80ea224ffd5d2b6c3fecf1136
Opcode Fuzzy Hash: a5f161e9c6cfa436d2bd7fc2aece5c31132b760ecbbe8ad4757befc9a13419e5
Instruction Fuzzy Hash: B6E0C931985328BBDB245BA2DC0DED77F5EEF267A1F009025F509D50A0C6718541DBE1

Function 005B2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005B2231
SetTextColor.GDI32(?,000000FF), ref: 005B223B
SetBkMode.GDI32(?,00000001), ref: 005B2250
GetStockObject.GDI32(00000005), ref: 005B2258
GetWindowDC.USER32(?,00000000), ref: 005EC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 005EC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 005EC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 005EC112
GetPixel.GDI32(00000000,?,?), ref: 005EC132
ReleaseDC.USER32(?,00000000), ref: 005EC13D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 9966ca162fe242c9ed5dd71c374dd6b96db82c3e62c2dd116d699527dc30dbb6
Instruction ID: c1fe48a002eb42f3048e57edcb6a8c0ff49c41a71ea8c68e220b2c149c9e6da8
Opcode Fuzzy Hash: 9966ca162fe242c9ed5dd71c374dd6b96db82c3e62c2dd116d699527dc30dbb6
Instruction Fuzzy Hash: 60E06D32900284FADF255F64FC0DBD87F11EB15332F008366FAA9880E187728981DB61

Function 00608C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00608C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0060882E), ref: 00608C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0060882E), ref: 00608C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0060882E), ref: 00608C7E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b0f1a414a9f5785d7c52b66f6f70eeead0c9ca68e0581450652f0c91a24565b1
Instruction ID: ca80deb94eb6f3029ea315bad9c27d9b2c7341f4f99b5c084afe5adb219e3c3b
Opcode Fuzzy Hash: b0f1a414a9f5785d7c52b66f6f70eeead0c9ca68e0581450652f0c91a24565b1
Instruction Fuzzy Hash: D0E08636A42221DFE7245FB46E0CF973BBEEF50792F045829B285CA090DB748441CBA1

Function 005F2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005F2187
GetDC.USER32(00000000), ref: 005F2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005F21B1
ReleaseDC.USER32(?), ref: 005F21D2

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3bce6792dc55d25dcbbcd5044a7a1940763eff704dc0dbe612cd13ef98ba9c12
Instruction ID: 81dd73456c4e8910ee7b3270d73dc3ffbeaa93e9f5db21551df32b1f1eef6740
Opcode Fuzzy Hash: 3bce6792dc55d25dcbbcd5044a7a1940763eff704dc0dbe612cd13ef98ba9c12
Instruction Fuzzy Hash: ACE0E5B5800208EFDB019FA0C809AADBFB2FB4D350F109429F95AA7220CB3991419F80

Function 005F219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005F219B
GetDC.USER32(00000000), ref: 005F21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005F21B1
ReleaseDC.USER32(?), ref: 005F21D2

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f98fa21857bd4616cc65550bf70235a2824fd95e8b133ee0d9a31fc3f59afc3d
Instruction ID: 48003f1fa1102c2a2f04eb4b5903e65f23bcf7402ffe23584d811626fc5173a8
Opcode Fuzzy Hash: f98fa21857bd4616cc65550bf70235a2824fd95e8b133ee0d9a31fc3f59afc3d
Instruction Fuzzy Hash: F4E012B5C00204AFCB019FB0C809A9DBFF2FF4D310F109429F95AA7220CB39A1419F80

Function 005B63A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%d, xrefs: 005B63AE

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID:
String ID: %d
API String ID: 0-1176363322
Opcode ID: 399983216157d4c31e444a9065a7cdb9d8784fa22539909d839ee1f4380bd3fe
Instruction ID: e8228f7b8f078c9296b255824e49b22c1798947ee8052496e7a3ad40c56520e2
Opcode Fuzzy Hash: 399983216157d4c31e444a9065a7cdb9d8784fa22539909d839ee1f4380bd3fe
Instruction Fuzzy Hash: DAB1C47180010A9BCF24EF98C4959FEBFB8FF84310F544426E946A7191EB38BE85CB55

Function 0062B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0062B2C3

Strings

xrg, xrefs: 0062B325
xrg, xrefs: 0062B2F9

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __itow_s
String ID: xrg$xrg
API String ID: 3653519197-2491328683
Opcode ID: 0a1b55a68fa97eb78063e937f8cd1e6614ace8acbf3ced1ed31aeef6517d9232
Instruction ID: 34550bfae5cadbeb23a9681bbf145a9fff3835ec9f6667625715063d1fc725a1
Opcode Fuzzy Hash: 0a1b55a68fa97eb78063e937f8cd1e6614ace8acbf3ced1ed31aeef6517d9232
Instruction Fuzzy Hash: 52B18070A0021AEBCB14EF54D885DFABBBAFF58300F149459F9459B252EB31EA81CF50

Function 0061B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 005CFEC6: _wcscpy.LIBCMT ref: 005CFEE9

Part of subcall function 005B9997: __itow.LIBCMT ref: 005B99C2
Part of subcall function 005B9997: __swprintf.LIBCMT ref: 005B9A0C

__wcsnicmp.LIBCMT ref: 0061B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0061B361

Strings

LPT, xrefs: 0061B292

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 204768b6aaf74671c3c7a508c6e39826a86020c52318b6027776a8253f7d3260
Instruction ID: 309c9961ab7649c91f980fa9952268eee90ed8cd84986605175262b851a856fd
Opcode Fuzzy Hash: 204768b6aaf74671c3c7a508c6e39826a86020c52318b6027776a8253f7d3260
Instruction Fuzzy Hash: 7561A275A00215AFCB14DF94C885EEEBBB5FF48310F15405AF516AB391DB70AE80CB50

Function 005F8A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005F8B1E
_memmove.LIBCMT ref: 005F8B78

Strings

Oa\, xrefs: 005F8BF2, 005FE39A, 005FE3B6

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _memmove
String ID: Oa\
API String ID: 4104443479-2596033750
Opcode ID: 1a162c44d022da663d74be6e2fae2a1d1c25dd18263f88e073cfb5bcf1fd4fd7
Instruction ID: 36a732697630098c517a057c1d0766e3556bc4f6571e77417e4b0007cc79cab8
Opcode Fuzzy Hash: 1a162c44d022da663d74be6e2fae2a1d1c25dd18263f88e073cfb5bcf1fd4fd7
Instruction Fuzzy Hash: DD514170900609DFCF24CFA8C494ABEBBF1FF44314F24492AE99AD7250EB35A955CB51

Function 005C2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 005C2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 005C2AE1

Strings

@, xrefs: 005C2AD5

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: ea5be81eef9835e393a8633395d711855c6a1f6851a959ab8d6bddf1d0549e93
Instruction ID: 3e033cba3d927869742c083195e8241727532ff4be341bba05cc18deb25a0ab2
Opcode Fuzzy Hash: ea5be81eef9835e393a8633395d711855c6a1f6851a959ab8d6bddf1d0549e93
Instruction Fuzzy Hash: 615168714187459BD320AF10D88ABABBBF8FFC5314F42484CF2D9511A1DB3095A8CB16

Function 006199BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 005B506B: __fread_nolock.LIBCMT ref: 005B5089

_wcscmp.LIBCMT ref: 00619AAE
_wcscmp.LIBCMT ref: 00619AC1

Strings

FILE, xrefs: 006199FA

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: e543c725dee71a9623ffd26d5061173901251a542f8fafb8d41ba396b9523262
Instruction ID: 26e600fb3ad3cc67f27634c2cef024a1e4ac396713d119cb5afbe7c763ed36fa
Opcode Fuzzy Hash: e543c725dee71a9623ffd26d5061173901251a542f8fafb8d41ba396b9523262
Instruction Fuzzy Hash: C541EE71A0060A7ADF20AAA4DC49FDF7BBDEF45710F04007AF900B7181D675AA4487B1

Function 005F099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 005F09A9

Strings

Dtg, xrefs: 005BA2B1
Dtg, xrefs: 005BA477

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ClearVariant
String ID: Dtg$Dtg
API String ID: 1473721057-1456422882
Opcode ID: 6d4a0ebaaf1a6513fb68a3c30dcfb821cf1dee03e0762e48f541e31db4314196
Instruction ID: 66436b52010c4924e005a5bdf28e0003ace334d9660ec67c81e66ebc5deb2c45
Opcode Fuzzy Hash: 6d4a0ebaaf1a6513fb68a3c30dcfb821cf1dee03e0762e48f541e31db4314196
Instruction Fuzzy Hash: 1B5107786083429FD754CF18C484A6ABFF2BB99344F54985DF9858B361D731EC81CB82

Function 00622882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00622892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006228C8

Strings

|, xrefs: 00622899

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: b9fe6d11933124d1e0b7bc8d22c92767d1feb646b53260b0fe6f5d69cd3f5ff0
Instruction ID: bc2c471a20e4a6c7a5cbe7f8a5d4c4cc4381439c8635f229bfb71f25b5930155
Opcode Fuzzy Hash: b9fe6d11933124d1e0b7bc8d22c92767d1feb646b53260b0fe6f5d69cd3f5ff0
Instruction Fuzzy Hash: 59311C71C0011AAFCF11DFA5DC89EEEBFBAFF48340F104069F815A6265DA315956DB60

Function 00636CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00636D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00636DC2

Strings

static, xrefs: 00636D22

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b767386418243b01684b7916fe8f03b226ad29b69f34e82e88c8955c00dad817
Instruction ID: b88686ca9dc2695a57d69490a4b082ff75dfe25cec0b9f75c428eaf6a057f736
Opcode Fuzzy Hash: b767386418243b01684b7916fe8f03b226ad29b69f34e82e88c8955c00dad817
Instruction Fuzzy Hash: 4831A171200604AEDB109F24CC40BFB77BAFF49720F109519F99597190CA31AC91CBA4

Function 00612D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00612E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00612E3B

Strings

0, xrefs: 00612DF9

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 31ae4eec1a7ce3a0840cb3932e1ecc97cb60481f14ec1c20f55d8fbdebbea631
Instruction ID: 6517ba321e5f8958395327c057417360331f2612324382a054014a13bf44a8bb
Opcode Fuzzy Hash: 31ae4eec1a7ce3a0840cb3932e1ecc97cb60481f14ec1c20f55d8fbdebbea631
Instruction Fuzzy Hash: AF31D931900307ABDB248F58D8457DEBBB6FF45350F1C402AE985962A1D77099E5DB50

Function 00636943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006369D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006369DB

Strings

Combobox, xrefs: 0063699D

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2577028422fd727c2623e29b12eeb86a39918de76b2795569644f78024ceba9e
Instruction ID: 372fda681d89409a7255a32c8577d8cad883fe18d9c023f7e71c40a4725f9db8
Opcode Fuzzy Hash: 2577028422fd727c2623e29b12eeb86a39918de76b2795569644f78024ceba9e
Instruction Fuzzy Hash: 4211637160020ABFEF159E14CC91FEB3B6BEB993A4F114125F9589B3D0D6719C5187E0

Function 00636E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 005B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005B1D73
Part of subcall function 005B1D35: GetStockObject.GDI32(00000011), ref: 005B1D87
Part of subcall function 005B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005B1D91

GetWindowRect.USER32(00000000,?), ref: 00636EE0
GetSysColor.USER32(00000012), ref: 00636EFA

Strings

static, xrefs: 00636EBD

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 12c7d60a304ffe5dd95c9f5e14ef782551deac02b3f07e65021920c3a322bfa1
Instruction ID: f0102c7385bc6b2686bdad8822eaf1aa2b2172e8f6d28e8e957dd0a7dea88293
Opcode Fuzzy Hash: 12c7d60a304ffe5dd95c9f5e14ef782551deac02b3f07e65021920c3a322bfa1
Instruction Fuzzy Hash: 3E215972A1020AAFDB04DFA8DD45AEA7BBAFB08314F014628F955D3250D634E8619B90

Function 00636B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00636C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00636C20

Strings

edit, xrefs: 00636BF5

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a6e1b58d5722c477072fdc4c189ad4f2edbc0c9e4d85c80f89e359c34b426d2a
Instruction ID: 6ba32b52de3f8eaaa3adbadbdd9723f6f56104d19d79d0b904f7a2464457c7dc
Opcode Fuzzy Hash: a6e1b58d5722c477072fdc4c189ad4f2edbc0c9e4d85c80f89e359c34b426d2a
Instruction Fuzzy Hash: CC11BC71500208BBEB108F64DC45AEB7B6BEB15378F209724F966D32E0C735DCA19BA0

Function 00612E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00612F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00612F30

Strings

0, xrefs: 00612F07

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: fa63a99c1b18cea675b8c10ce82f3cdd7df0989ec8a2c5cc78df336cac349889
Instruction ID: 033f7a048a27d3543397e1c036321343a76bf6b21c1a2dc798a2091e197a53a7
Opcode Fuzzy Hash: fa63a99c1b18cea675b8c10ce82f3cdd7df0989ec8a2c5cc78df336cac349889
Instruction Fuzzy Hash: AD11EF35901256AFCB24DB58DD14BE977BBEB01310F0C40A6F854A73A0DBB0EEA6C791

Function 006224CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00622520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00622549

Strings

<local>, xrefs: 00622511

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9f9d14d1f8d7444bf3aed02009219c7efbdfc1dd99b6a9ac76326a467e29f2d7
Instruction ID: 428cdd6c72a9d39e018c7db0cd12d685bacb9141d39212b433ef7c0ac985d4fd
Opcode Fuzzy Hash: 9f9d14d1f8d7444bf3aed02009219c7efbdfc1dd99b6a9ac76326a467e29f2d7
Instruction Fuzzy Hash: 18110270500A36BADB249F51ECA9EFBFFAAFF06351F10812AF90562140D6706991DEF0

Function 006280A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0062830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,006280C8,?,00000000,?,?), ref: 00628322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006280CB
htons.WSOCK32(00000000,?,00000000), ref: 00628108

Strings

255.255.255.255, xrefs: 006280E3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 4b03254be9dbb2eecd4256fe33cde3f958b885f0c8403661c38e7d6d370bc835
Instruction ID: ced0119b4f6dc4bb069d36a98832a3d201411a8797cdbcbc87ab50a42c3e3c25
Opcode Fuzzy Hash: 4b03254be9dbb2eecd4256fe33cde3f958b885f0c8403661c38e7d6d370bc835
Instruction Fuzzy Hash: 4011E534600616ABCB14AFA4DC46FEEB736FF14310F10851AF911973D1DB31A815CA95

Function 005C0A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005B3C26,006762F8,?,?,?), ref: 005C0ACE

Part of subcall function 005B7D2C: _memmove.LIBCMT ref: 005B7D66

_wcscat.LIBCMT ref: 005F50E1

Strings

cg, xrefs: 005C0B0E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: cg
API String ID: 257928180-2033670147
Opcode ID: 156817922e15fb80f2a816b5feac4c0d190ff02b198caed50f61dfbd437df5fe
Instruction ID: 8e9545b1278a75d3282339b767591024dc5e2656ff448cc01888ab25934a8cb1
Opcode Fuzzy Hash: 156817922e15fb80f2a816b5feac4c0d190ff02b198caed50f61dfbd437df5fe
Instruction Fuzzy Hash: 4411A53490421D9ECB00EBA4CC45EDD7FB9FF48354F0054A9B94DD72D1EA70EA849B51

Function 006092E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

Part of subcall function 0060B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0060B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00609355

Strings

ListBox, xrefs: 0060931F
ComboBox, xrefs: 006092F4

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 21c4bf6a682bc2b91cee76cce268dcbbe8cab6bdbeeb5d8392aada11076b97d5
Instruction ID: df2b301f0d070f13cd3292d7338d9f7ec15a2809c73b40908a27ef4e9083e979
Opcode Fuzzy Hash: 21c4bf6a682bc2b91cee76cce268dcbbe8cab6bdbeeb5d8392aada11076b97d5
Instruction Fuzzy Hash: 9C019271A45219ABCB0CEB64CC968FF776FBF46320B144619F832673D2DA31690CCA60

Function 006091DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

Part of subcall function 0060B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0060B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0060924D

Strings

ListBox, xrefs: 00609217
ComboBox, xrefs: 006091EC

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7a6d3d48e95e73dd87bdcbf0537d11d8225ca690bbcb447f8c44f3d3b4c7b22e
Instruction ID: 967c223ee11cd152148162f1335acff790e3da22fe1880128394ca1d8e77a70c
Opcode Fuzzy Hash: 7a6d3d48e95e73dd87bdcbf0537d11d8225ca690bbcb447f8c44f3d3b4c7b22e
Instruction Fuzzy Hash: 9401AC71A8110977CB0CEBA0C996EFF77AEAF45300F141119B913672D2EA216F0C9671

Function 00609264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005B7F41: _memmove.LIBCMT ref: 005B7F82

Part of subcall function 0060B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0060B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 006092D0

Strings

ListBox, xrefs: 0060929C
ComboBox, xrefs: 00609271

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: ebcec057fed654574ea3af90c3ddbcde6475cca115f22bd6e83c6c281fa899e8
Instruction ID: d63ad2e28e48f693a0a3bb1b2e73f0cac2ae9c20987f0c829e3ace0cb8738d94
Opcode Fuzzy Hash: ebcec057fed654574ea3af90c3ddbcde6475cca115f22bd6e83c6c281fa899e8
Instruction Fuzzy Hash: 7801A271A8110977CB08EBA0C996EFF77AEAF15300F241119B812632C2DA216F0C9275

Function 005D6DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 005D6DD0
__calloc_crt.LIBCMT ref: 005D6DE9

Strings

@Rg, xrefs: 005D6E00

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: __calloc_crt
String ID: @Rg
API String ID: 3494438863-3565199359
Opcode ID: c0b82575934ec445a8f94f04116e1ef9cfa9318952773eb329ecba6d1baff43a
Instruction ID: 79aa7fc1fd3e754de23d9cda768afe06e4bdb0ddb0c1b5969432b2e29642980a
Opcode Fuzzy Hash: c0b82575934ec445a8f94f04116e1ef9cfa9318952773eb329ecba6d1baff43a
Instruction Fuzzy Hash: FEF04F71309A179BE778DF1DFD156662F97F744720B111427F118DA392EBB08DC68680

Function 006151CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006151E8
_wcscmp.LIBCMT ref: 006151FA

Strings

#32770, xrefs: 006151F4

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 40b2c351b66e7da54cebc5860fbe2db31defafaf0fff444a734d575608059722
Instruction ID: 73164a23b82a2c331505489ea0de687ebcb2c0166d79a05c9d1ceaa7cac0721a
Opcode Fuzzy Hash: 40b2c351b66e7da54cebc5860fbe2db31defafaf0fff444a734d575608059722
Instruction Fuzzy Hash: 09E02232A002292AE3209B99AC09AA7FBACEB80721F00006BF914D3140E560AA448BE1

Function 006081BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006081CA

Part of subcall function 005D3598: _doexit.LIBCMT ref: 005D35A2

Strings

AutoIt, xrefs: 006081BE
Error allocating memory., xrefs: 006081C3

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 8e42ce4a002d32a34322aa68c54a6350a98c1d63b2028c2df6a2eaa534d4d396
Instruction ID: dfeaf43b96c92424c860e45f7d8b2c944c5282a2964ea705a5b740aab4992563
Opcode Fuzzy Hash: 8e42ce4a002d32a34322aa68c54a6350a98c1d63b2028c2df6a2eaa534d4d396
Instruction Fuzzy Hash: E6D012322C531937D32432A96D0FBC66A895B55B51F004457BB085A6D38DD6598142E9

Function 005EB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 005EB564: _memset.LIBCMT ref: 005EB571

Part of subcall function 005D0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005EB540,?,?,?,005B100A), ref: 005D0B89

IsDebuggerPresent.KERNEL32(?,?,?,005B100A), ref: 005EB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,005B100A), ref: 005EB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005EB54E

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 23607158015a0e1d0b600822722f8d2f1984ed472155cd86a85ccf9d30f0b019
Instruction ID: 801c40b0ada281a2726e268c48d2512713dbcae20b038b0410dbeb998ecacf4a
Opcode Fuzzy Hash: 23607158015a0e1d0b600822722f8d2f1984ed472155cd86a85ccf9d30f0b019
Instruction Fuzzy Hash: BCE06DB0600752CBE324DF29D9083437FE0BB04706F00892EE886C2661F7B4E548CBA1

Function 00635BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00635BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00635C08

Part of subcall function 006154E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0061555E

Strings

Shell_TrayWnd, xrefs: 00635BEE

Memory Dump Source

Source File: 00000000.00000002.2093394233.00000000005B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005B0000, based on PE: true

Associated: 00000000.00000002.2093373221.00000000005B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.000000000063F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2093453111.0000000000665000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094160326.000000000066F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2094617633.0000000000678000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b0000_Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8a49367ac6d79a5dc21d892c3db71188403f2a0df99431a547a42d0fe3ff1664
Instruction ID: 2777928627aabe21239b61eb34a1b5bc663524c62eb6011c25add64470aa5545
Opcode Fuzzy Hash: 8a49367ac6d79a5dc21d892c3db71188403f2a0df99431a547a42d0fe3ff1664
Instruction Fuzzy Hash: 1BD0A932788300B6E364AB70AC0BFD3AA12AB11B10F000828B206AA0E0C8E45800C680

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_dcd3242e9fa4189184df4216daa4e4c7cdf1959_85207d7d_bb024b10-d75a-459b-92b6-56fb7dbdaa65\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER759F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75CF.tmp.xml

C:\Users\user\AppData\Local\Temp\WER65D0.tmp.WERDataCollectionStatus.txt

C:\Users\user\AppData\Local\Temp\ambiparous

C:\Users\user\AppData\Local\Temp\aut5E8B.tmp

C:\Users\user\AppData\Local\Temp\aut5ECB.tmp

C:\Users\user\AppData\Local\Temp\bothsidedness

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
Comprobante de pago (PAGOS BBVA)_97867654657567848674789676543567345.exe

Function 005B3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 005B4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 005B4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 006193DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 005B3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75
windowregistryCOMMON

Function 005B3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 005B71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 005B3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 005B3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 005B3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 005BF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 01142640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 005B39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01142410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142
fileCOMMON

Function 005B410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre