
Windows Analysis Report
rComprobantedepago.exe

Overview

General Information

Sample name: rComprobantedepago.exe
Analysis ID: 1541414
MD5: 53dcebc0162dfa2c90a784cfce083a0f
SHA1: 7593ef00f01a5283b0aa7401b11377bf963044b6
SHA256: 86c4b66010280d6bd5f052d7d2ce8209a71fe8d0a74fb2469a1e0203d18b2574
Tags: exe, user-Porcupine

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • rComprobantedepago.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\rComprobantedepago.exe" MD5: 53DCEBC0162DFA2C90A784CFCE083A0F)
    • svchost.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\rComprobantedepago.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\rComprobantedepago.exe", CommandLine: "C:\Users\user\Desktop\rComprobantedepago.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rComprobantedepago.exe", ParentImage: C:\Users\user\Desktop\rComprobantedepago.exe, ParentProcessId: 5260, ParentProcessName: rComprobantedepago.exe, ProcessCommandLine: "C:\Users\user\Desktop\rComprobantedepago.exe", ProcessId: 7096, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\rComprobantedepago.exe", CommandLine: "C:\Users\user\Desktop\rComprobantedepago.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rComprobantedepago.exe", ParentImage: C:\Users\user\Desktop\rComprobantedepago.exe, ParentProcessId: 5260, ParentProcessName: rComprobantedepago.exe, ProcessCommandLine: "C:\Users\user\Desktop\rComprobantedepago.exe", ProcessId: 7096, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: rComprobantedepago.exe; ReversingLabs: Detection: 18%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: rComprobantedepago.exe; Joe Sandbox ML: detected
Source: rComprobantedepago.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: rComprobantedepago.exe, 00000000.00000003.2075432023.0000000004580000.00000004.00001000.00020000.00000000.sdmp, rComprobantedepago.exe, 00000000.00000003.2079533337.0000000004720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2213336286.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2174640440.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2213336286.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2176525879.0000000003100000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: rComprobantedepago.exe, 00000000.00000003.2075432023.0000000004580000.00000004.00001000.00020000.00000000.sdmp, rComprobantedepago.exe, 00000000.00000003.2079533337.0000000004720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2213336286.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2174640440.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2213336286.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2176525879.0000000003100000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,0_2_0044289D
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046C5D0
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046C5D0
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00456354
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0042C8D3 NtClose,2_2_0042C8D3
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372B60 NtClose,LdrInitializeThunk,2_2_03372B60
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03372DF0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033735C0 NtCreateMutant,LdrInitializeThunk,2_2_033735C0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03374340 NtSetContextThread,2_2_03374340
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03374650 NtSuspendThread,2_2_03374650
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372BA0 NtEnumerateValueKey,2_2_03372BA0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372B80 NtQueryInformationFile,2_2_03372B80
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372BF0 NtAllocateVirtualMemory,2_2_03372BF0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372BE0 NtQueryValueKey,2_2_03372BE0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372AB0 NtWaitForSingleObject,2_2_03372AB0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372AF0 NtWriteFile,2_2_03372AF0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372AD0 NtReadFile,2_2_03372AD0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372F30 NtCreateSection,2_2_03372F30
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372F60 NtCreateProcessEx,2_2_03372F60
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372FB0 NtResumeThread,2_2_03372FB0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372FA0 NtQuerySection,2_2_03372FA0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372F90 NtProtectVirtualMemory,2_2_03372F90
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372FE0 NtCreateFile,2_2_03372FE0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372E30 NtWriteVirtualMemory,2_2_03372E30
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372EA0 NtAdjustPrivilegesToken,2_2_03372EA0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372E80 NtReadVirtualMemory,2_2_03372E80
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372EE0 NtQueueApcThread,2_2_03372EE0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372D30 NtUnmapViewOfSection,2_2_03372D30
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372D10 NtMapViewOfSection,2_2_03372D10
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372D00 NtSetInformationFile,2_2_03372D00
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372DB0 NtEnumerateKey,2_2_03372DB0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372DD0 NtDelayExecution,2_2_03372DD0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372C00 NtQueryInformationProcess,2_2_03372C00
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372C70 NtFreeVirtualMemory,2_2_03372C70
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372C60 NtCreateKey,2_2_03372C60
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372CA0 NtQueryInformationToken,2_2_03372CA0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372CF0 NtOpenProcess,2_2_03372CF0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03372CC0 NtQueryVirtualMemory,2_2_03372CC0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03373010 NtOpenDirectoryObject,2_2_03373010
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03373090 NtSetValueKey,2_2_03373090
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033739B0 NtGetContextThread,2_2_033739B0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03373D10 NtOpenProcessToken,2_2_03373D10
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03373D70 NtOpenThread,2_2_03373D70
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00434D50
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004461ED
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00409A40
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00412038
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00427161
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0047E1FA
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_004212BE
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00443390
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00443391
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0041A46B
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0041240C
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00446566
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_004045E0
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0041D750
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_004037E0
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00427859
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00412818
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0040F890
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0042397B
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00411B63
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0047CBF0
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0044EBBC
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00412C38
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0044ED9A
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00423EBF
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00424F70
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0041AF0D
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_03FFB618
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00403020
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0041014A
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00410153
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00401200
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00416AD3
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00402B50
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00410373
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0040E3F3
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0042EEE3
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_00402720
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FA352
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_034003E6
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0334E3F0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033E0274
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033C02C0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033DA118
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03330100
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033C8158
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F41A2
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_034001AA
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F81CC
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033D2000
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03340770
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03364750
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0335C6E0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03400591
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033E4420
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F2446
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033EE4F6
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F6BD7
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0340A9A6
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0334A840
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03342840
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033268B8
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0336E8F0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03360F30
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033E2F30
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03382F28
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033B4F40
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033BEFA0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0334CFE0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03332FC8
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FEE26
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03340E59
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03352E90
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FCE93
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FEEDB
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033DCD1F
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0334AD00
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03358DBF
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0333ADE0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03340C00
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033E0CB5
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03330CF2
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F132D
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0332D34C
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0338739A
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033452A0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033E12ED
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0335B2C0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0340B16B
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0332F172
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0337516C
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0334B1B0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F70E9
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FF0E0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033EF0CC
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033470C0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FF7B0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03385630
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F16CC
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F7571
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_034095C3
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033DD5B0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FF43F
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03331460
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FFB76
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0335FB80
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033B5BF0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0337DBF9
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033B3A6C
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FFA49
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F7A46
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033DDAAC
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03385AA0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033E1AA3
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033EDAC6
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033D5910
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03349950
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0335B950
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033AD800
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033438E0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FFF09
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FFFB1
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03341F92
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03303FD2
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03303FD5
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03349EB0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F7D73
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033F1D5A
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03343D40
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0335FDC0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033B9C32
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_033FFCF2
Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 0332B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 033BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 03375130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 033AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 03387E54 appears 111 times
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: String function: 0040E6D0 appears 35 times
Source: rComprobantedepago.exe, 00000000.00000003.2075432023.00000000046A3000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs rComprobantedepago.exe
Source: rComprobantedepago.exe, 00000000.00000003.2073755273.000000000484D000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs rComprobantedepago.exe
Source: rComprobantedepago.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine; Classification label: mal72.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0044AF5C GetLastError,FormatMessageW,0_2_0044AF5C
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464422
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D517
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,0_2_0043701F
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,0_2_0047A999
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043614F
Source: C:\Users\user\Desktop\rComprobantedepago.exe; File created: C:\Users\user\AppData\Local\Temp\peaks
Source: rComprobantedepago.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rComprobantedepago.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rComprobantedepago.exe; ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\rComprobantedepago.exe; File read: C:\Users\user\Desktop\rComprobantedepago.exe
Source: unknown; Process created: C:\Users\user\Desktop\rComprobantedepago.exe "C:\Users\user\Desktop\rComprobantedepago.exe"
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rComprobantedepago.exe"
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: mpr.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: wininet.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rComprobantedepago.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: rComprobantedepago.exe; Static file information: File size 1349421 > 1048576
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress
Source: rComprobantedepago.exe Static PE information: real checksum: 0xa2135 should be: 0x156666
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D802 push ebp; ret 2_2_0040D803
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414AC3 push edi; retf 2_2_00414ACF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403290 push eax; ret 2_2_00403292
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004143D3 push edi; ret 2_2_004143E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D5F7 push ecx; retf 2_2_0040D60E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00411E2B push cs; ret 2_2_00411E31
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409E2C push ebp; iretd 2_2_00409E2D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004256B3 push ebp; iretd 2_2_004256C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040BF5B push edi; ret 2_2_0040BF5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D77E push FFFFFFC7h; iretd 2_2_0040D787
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D7D4 push esi; iretd 2_2_0040D7D5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0330225F pushad ; ret 2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033027FA pushad ; ret 2_2_033027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033309AD push ecx; mov dword ptr [esp], ecx 2_2_033309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0330283D push eax; iretd 2_2_03302858
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\rComprobantedepago.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_00444078
Source: C:\Users\user\Desktop\rComprobantedepago.exe API/Special instruction interceptor: Address: 3FFB23C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E rdtsc
Source: C:\Users\user\Desktop\rComprobantedepago.exe API coverage: 3.3 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 1076 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: rComprobantedepago.exe, 00000000.00000002.2080083202.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417A23 LdrLoadDll
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_0045A259 BlockInput
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_03FFB508 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_03FFB4A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\rComprobantedepago.exe Code function: 0_2_03FF9E98 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03350310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03408324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03408324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0340625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B8243 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B8243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034062D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C62A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03360124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404164 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DA118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C4144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03370185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03332050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F60B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F60B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033280A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03360710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330750 mov eax, dword ptr fs:[00000030h]2_2_03330750
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BE75D mov eax, dword ptr fs:[00000030h]2_2_033BE75D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]2_2_03372750
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B4755 mov eax, dword ptr fs:[00000030h]2_2_033B4755
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov esi, dword ptr fs:[00000030h]2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]2_2_0336674D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033307AF mov eax, dword ptr fs:[00000030h]2_2_033307AF
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E47A0 mov eax, dword ptr fs:[00000030h]2_2_033E47A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D678E mov eax, dword ptr fs:[00000030h]2_2_033D678E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]2_2_033347FB
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BE7E1 mov eax, dword ptr fs:[00000030h]2_2_033BE7E1
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333C7C0 mov eax, dword ptr fs:[00000030h]2_2_0333C7C0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B07C3 mov eax, dword ptr fs:[00000030h]2_2_033B07C3
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E627 mov eax, dword ptr fs:[00000030h]2_2_0334E627
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03366620 mov eax, dword ptr fs:[00000030h]2_2_03366620
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368620 mov eax, dword ptr fs:[00000030h]2_2_03368620
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333262C mov eax, dword ptr fs:[00000030h]2_2_0333262C
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372619 mov eax, dword ptr fs:[00000030h]2_2_03372619
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE609 mov eax, dword ptr fs:[00000030h]2_2_033AE609
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03362674 mov eax, dword ptr fs:[00000030h]2_2_03362674
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]2_2_033F866E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]2_2_0336A660
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334C640 mov eax, dword ptr fs:[00000030h]2_2_0334C640
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033666B0 mov eax, dword ptr fs:[00000030h]2_2_033666B0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C6A6 mov eax, dword ptr fs:[00000030h]2_2_0336C6A6
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]2_2_03334690
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]2_2_033B06F1
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A6C7 mov eax, dword ptr fs:[00000030h]2_2_0336A6C7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C6500 mov eax, dword ptr fs:[00000030h]2_2_033C6500
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]2_2_03338550
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]2_2_033545B1
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E59C mov eax, dword ptr fs:[00000030h]2_2_0336E59C
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03332582 mov eax, dword ptr fs:[00000030h]2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03332582 mov ecx, dword ptr fs:[00000030h]2_2_03332582
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03364588 mov eax, dword ptr fs:[00000030h]2_2_03364588
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033325E0 mov eax, dword ptr fs:[00000030h]2_2_033325E0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]2_2_0336C5ED
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033365D0 mov eax, dword ptr fs:[00000030h]2_2_033365D0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]2_2_0336A5D0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]2_2_0336E5CF
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A430 mov eax, dword ptr fs:[00000030h]2_2_0336A430
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332C427 mov eax, dword ptr fs:[00000030h]2_2_0332C427
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BC460 mov ecx, dword ptr fs:[00000030h]2_2_033BC460
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EA456 mov eax, dword ptr fs:[00000030h]2_2_033EA456
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332645D mov eax, dword ptr fs:[00000030h]2_2_0332645D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335245A mov eax, dword ptr fs:[00000030h]2_2_0335245A
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033644B0 mov ecx, dword ptr fs:[00000030h]2_2_033644B0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BA4B0 mov eax, dword ptr fs:[00000030h]2_2_033BA4B0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033364AB mov eax, dword ptr fs:[00000030h]2_2_033364AB
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EA49A mov eax, dword ptr fs:[00000030h]2_2_033EA49A
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033304E5 mov ecx, dword ptr fs:[00000030h]2_2_033304E5
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]2_2_0335EB20
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]2_2_033F8B28
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03402B57 mov eax, dword ptr fs:[00000030h]2_2_03402B57
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404B00 mov eax, dword ptr fs:[00000030h]2_2_03404B00
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332CB7E mov eax, dword ptr fs:[00000030h]2_2_0332CB7E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03328B50 mov eax, dword ptr fs:[00000030h]2_2_03328B50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DEB50 mov eax, dword ptr fs:[00000030h]2_2_033DEB50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h]2_2_033E4B4B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h]2_2_033C6B40
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033FAB40 mov eax, dword ptr fs:[00000030h]2_2_033FAB40
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D8B42 mov eax, dword ptr fs:[00000030h]2_2_033D8B42
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h]2_2_03340BBE
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h]2_2_033E4BB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h]2_2_03338BF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335EBFC mov eax, dword ptr fs:[00000030h]2_2_0335EBFC
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BCBF0 mov eax, dword ptr fs:[00000030h]2_2_033BCBF0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DEBD0 mov eax, dword ptr fs:[00000030h]2_2_033DEBD0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h]2_2_03350BCB
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h]2_2_03330BCD
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h]2_2_03354A35
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336CA38 mov eax, dword ptr fs:[00000030h]2_2_0336CA38
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336CA24 mov eax, dword ptr fs:[00000030h]2_2_0336CA24
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335EA2E mov eax, dword ptr fs:[00000030h]2_2_0335EA2E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BCA11 mov eax, dword ptr fs:[00000030h]2_2_033BCA11
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h]2_2_033ACA72
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h]2_2_0336CA6F
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DEA60 mov eax, dword ptr fs:[00000030h]2_2_033DEA60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h]2_2_03336A50
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h]2_2_03340A5B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h]2_2_03338AA0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03386AA4 mov eax, dword ptr fs:[00000030h]2_2_03386AA4
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368A90 mov edx, dword ptr fs:[00000030h]2_2_03368A90
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h]2_2_0333EA80
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404A80 mov eax, dword ptr fs:[00000030h]2_2_03404A80
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h]2_2_0336AAEE
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330AD0 mov eax, dword ptr fs:[00000030h]2_2_03330AD0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h]2_2_03364AD0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h]2_2_03386ACC
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404940 mov eax, dword ptr fs:[00000030h]2_2_03404940
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B892A mov eax, dword ptr fs:[00000030h]2_2_033B892A
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C892B mov eax, dword ptr fs:[00000030h]2_2_033C892B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BC912 mov eax, dword ptr fs:[00000030h]2_2_033BC912
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03328918 mov eax, dword ptr fs:[00000030h]2_2_03328918
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h]2_2_033AE908
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h]2_2_033D4978
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BC97C mov eax, dword ptr fs:[00000030h]2_2_033BC97C
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03356962 mov eax, dword ptr fs:[00000030h]2_2_03356962
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0337096E mov edx, dword ptr fs:[00000030h]2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0337096E mov eax, dword ptr fs:[00000030h]2_2_0337096E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B0946 mov eax, dword ptr fs:[00000030h]2_2_033B0946
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B89B3 mov esi, dword ptr fs:[00000030h]2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B89B3 mov eax, dword ptr fs:[00000030h]2_2_033B89B3
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h]2_2_033429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033309AD mov eax, dword ptr fs:[00000030h]2_2_033309AD
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h]2_2_033629F9
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BE9E0 mov eax, dword ptr fs:[00000030h]2_2_033BE9E0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h]2_2_0333A9D0
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_0333A9D0: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_0333A9D0: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_033649D0: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_033FA9D3: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_033C69C0: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_03352835: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_03352835: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_03352835: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_03352835: mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_03352835: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_03352835: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_0336A830: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_033D483A: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_033D483A: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_033BC810: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe, code function 2_2_033BE872: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_00426DA1: CreateFileW, __lseeki64_nolock, __lseeki64_nolock, GetProcessHeap, HeapAlloc, __setmode_nolock, __write_nolock, __setmode_nolock, GetProcessHeap, HeapFree, __lseeki64_nolock, SetEndOfFile, GetLastError, __lseeki64_nolock
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_0042202E: SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_004230F5: __NMSG_WRITE, _raise, _memset, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_00417D93: _memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_00421FA7: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\rComprobantedepago.exe, section loaded: NULL; target: C:\Windows\SysWOW64\svchost.exe; protection: execute and read and write
Source: C:\Users\user\Desktop\rComprobantedepago.exe, memory written: C:\Windows\SysWOW64\svchost.exe, base: 6B6008
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_0043916A: LogonUserW
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_0040D6D0: GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, SetCurrentDirectoryW, MessageBoxA, SetCurrentDirectoryW, GetModuleFileNameW, GetForegroundWindow, ShellExecuteW, GetForegroundWindow, ShellExecuteW
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_004375B0: GetForegroundWindow, FindWindowW, IsIconic, ShowWindow, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_00436431: __wcsicoll, mouse_event, __wcsicoll, mouse_event
Source: C:\Users\user\Desktop\rComprobantedepago.exe, process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rComprobantedepago.exe"
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_00445DD3: GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
Source: rComprobantedepago.exe, binary or memory string: Shell_TrayWnd
Source: rComprobantedepago.exeBinary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_00410D10: cpuid
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_004223BC: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_004711D2: GetUserNameW
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_0040E470: GetVersionExW, GetCurrentProcess, FreeLibrary, GetNativeSystemInfo, FreeLibrary, FreeLibrary, GetSystemInfo, GetSystemInfo
Source: rComprobantedepago.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: rComprobantedepago.exe, binary or memory string: WIN_XP
Source: rComprobantedepago.exe, binary or memory string: WIN_XPe
Source: rComprobantedepago.exe, binary or memory string: WIN_VISTA
Source: rComprobantedepago.exe, binary or memory string: WIN_7
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_004741BB: socket, WSAGetLastError, bind, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_0046483C: socket, WSAGetLastError, bind, WSAGetLastError, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\rComprobantedepago.exe, code function 0_2_0047AD92: OleInitialize, _wcslen, CreateBindCtx, MkParseDisplayName, CLSIDFromProgID, GetActiveObject
MITRE ATT&CK matrix (per tactic column; techniques flagged for this sample are listed first with the count printed in their matrix cell, followed by the unflagged cells of the same column):

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
  • Initial Access: Valid Accounts (2); Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
  • Execution: Native API (1); Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
  • Persistence: Valid Accounts (2), DLL Side-Loading (1); Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
  • Privilege Escalation: Valid Accounts (2), Exploitation for Privilege Escalation (1), Access Token Manipulation (21), Process Injection (212), DLL Side-Loading (1); RC Scripts, Startup Items, Scheduled Task/Job, At
  • Defense Evasion: Valid Accounts (2), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (212), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1); HTML Smuggling
  • Credential Access: Input Capture (21); LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
  • Discovery: System Time Discovery (1), Security Software Discovery (241), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (115)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
  • Collection: Input Capture (21), Archive Collected Data (1), Clipboard Data (3); Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
  • Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1); Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  • Impact: System Shutdown/Reboot (1); Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Source | Detection | Scanner | Label | Link
rComprobantedepago.exe | 18% | ReversingLabs | |
rComprobantedepago.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541414
Start date and time: 2024-10-24 20:01:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rComprobantedepago.exe
Detection: MAL
Classification: mal72.evad.winEXE@3/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 44
  • Number of non-executed functions: 308
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • VT rate limit hit for: rComprobantedepago.exe
Time | Type | Description
14:02:12 | API Interceptor | 3x Sleep call for process: svchost.exe modified
No context
Process: C:\Users\user\Desktop\rComprobantedepago.exe
File Type: data
Category: dropped
Size (bytes): 288256
Entropy (8bit): 7.9941975893897315
Encrypted: true
SSDEEP: 6144:Q0dHy5u0t1rImMmFS91AdPXZ2HOY93eCJ7FRAz:Q0dS5DrImr4WF+93lJ/Az
MD5: 3F3B8E215498F5BFBA8D7FB59057F253
SHA1: D70DCA323A199CD4B9B604A365FEECBF4CFC8FA4
SHA-256: 596F1AC0C0879263728781DD669D633D18B0CBA563543B0C34B66DBDDED237E5
SHA-512: 82690BE2200E37753E0D6043B1FCF367C283865DAD54C968154B68573E1F4F5CFA5EA3DFDAE1AA98F96685F8596FEE7334751AAF0A7DAE1D3882E44DEDA735F2
Malicious: false
Reputation: low
Preview:.....D3LL..9....t.FB..bAX...LLAUG098P3HJFAQFBJBPAD3LLAUG09.P3HDY._F.C.q.E..m.=.C.H"\/8',q%#$,?5dQ)l3 ).PVpw..f,>"'dO]K`3LLAUG0@9Y.u*!.l&%..0&.)..o'W."...v&&.\..l!#..%"=zP^.P3HJFAQF..BP.E2L.j..098P3HJF.QDCAC[ADgHLAUG098P3.^FAQVBJB ED3L.AUW098R3HLFAQFBJBVAD3LLAUG@=8P1HJFAQF@J..AD#LLQUG09(P3XJFAQFBZBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3Hd2$)2BJB..@3L\AUGd=8P#HJFAQFBJBPAD3LlAU'098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAUG098P3HJFAQFBJBPAD3LLAU
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.524651869952035
TrID:
  • Win32 Executable (generic) a (10002005/4) 95.11%
  • AutoIt3 compiled script executable (510682/80) 4.86%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: rComprobantedepago.exe
File size: 1'349'421 bytes
MD5: 53dcebc0162dfa2c90a784cfce083a0f
SHA1: 7593ef00f01a5283b0aa7401b11377bf963044b6
SHA256: 86c4b66010280d6bd5f052d7d2ce8209a71fe8d0a74fb2469a1e0203d18b2574
SHA512: d8faccae84c8969c5127fb7d71d6f9ab041b9ed70e64c7504bf048360a2fcf82939c741c536a82d801b7efaa6f1f102fae3a2a4ab33650d10afa57e875e60150
SSDEEP: 24576:ffmMv6Ckr7Mny5QLgGj+u3Au9m+IIzckiLb5+83A:f3v+7/5QLgFucjb5+83A
TLSH: D755F112B7D680B6D9A33975297BE32ADB3475194323C48BA7E02F778F111409B3B762
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
Icon Hash: 1733312925935517
Entrypoint: 0x416310
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: aaaa8913c89c8aa4a5d93f06853894da
Instructions at the entrypoint (disassembly preview):
call 00007F266891294Ch
jmp 00007F266890671Eh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F26689068AAh
cmp edi, eax
jc 00007F2668906A4Ah
cmp ecx, 00000100h
jc 00007F26689068C1h
cmp dword ptr [004A94E0h], 00000000h
je 00007F26689068B8h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F26689068AAh
pop esi
pop edi
pop ebp
jmp 00007F2668906D0Ah
test edi, 00000003h
jne 00007F26689068B7h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F26689068CCh
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F26689068AEh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F266890686Eh
Programming Language:
  • [ASM] VS2008 SP1 build 30729
  • [ C ] VS2008 SP1 build 30729
  • [C++] VS2008 SP1 build 30729
  • [ C ] VS2005 build 50727
  • [IMP] VS2005 build 50727
  • [ASM] VS2008 build 21022
  • [RES] VS2008 build 21022
  • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9298 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9298 | 0x9400 | f6be76de0ef2c68f397158bf01bdef3e | False | 0.4896801097972973 | data | 5.530303089784181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x43a | data | English | Great Britain | 0.3733826247689464
RT_STRING | 0xb2c78 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3278 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb38d8 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3c60 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3db8 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3e40 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3e58 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3e70 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3e88 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb4028 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll | DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll | SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
No network behavior found
Target ID: 0
Start time: 14:01:58
Start date: 24/10/2024
Path: C:\Users\user\Desktop\rComprobantedepago.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\rComprobantedepago.exe"
Imagebase: 0x400000
File size: 1'349'421 bytes
MD5 hash: 53DCEBC0162DFA2C90A784CFCE083A0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 14:02:00
Start date: 24/10/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\rComprobantedepago.exe"
Imagebase: 0xeb0000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Execution Graph

Execution Coverage: 3.2%
Dynamic/Decrypted Code Coverage: 2%
Signature Coverage: 3.2%
Total number of Nodes: 1698
Total number of Limit Nodes: 45
84975->84974 84976 4169bd 84976->84970 84976->84974 84977->84962 84978->84976 84982 41832d LeaveCriticalSection 84979->84982 84981 411420 84981->84862 84982->84981 84983->84801 84985 41171a 75 API calls 84984->84985 84986 401387 84985->84986 84986->84816 84987 40116e 84988 401119 DefWindowProcW 84987->84988 84989 429212 84994 410b90 84989->84994 84992 411421 __cinit 74 API calls 84993 42922f 84992->84993 84995 410b9a __write_nolock 84994->84995 84996 41171a 75 API calls 84995->84996 84997 410c31 GetModuleFileNameW 84996->84997 85011 413db0 84997->85011 84999 410c66 _wcsncat 85014 413e3c 84999->85014 85002 41171a 75 API calls 85003 410ca3 _wcscpy 85002->85003 85004 410cd1 RegOpenKeyExW 85003->85004 85005 429bc3 RegQueryValueExW 85004->85005 85006 410cf7 85004->85006 85007 429cd9 RegCloseKey 85005->85007 85009 429bf2 _wcscat _wcslen _wcsncpy 85005->85009 85006->84992 85008 41171a 75 API calls 85008->85009 85009->85008 85010 429cd8 85009->85010 85010->85007 85017 413b95 85011->85017 85047 41abec 85014->85047 85018 413c2f 85017->85018 85024 413bae 85017->85024 85019 413d60 85018->85019 85020 413d7b 85018->85020 85043 417f23 67 API calls __getptd_noexit 85019->85043 85045 417f23 67 API calls __getptd_noexit 85020->85045 85023 413d65 85029 413cfb 85023->85029 85044 417ebb 6 API calls 2 library calls 85023->85044 85024->85018 85033 413c1d 85024->85033 85039 41ab19 67 API calls wcstoxq 85024->85039 85027 413d03 85027->85018 85027->85029 85030 413d8e 85027->85030 85028 413cb9 85028->85018 85031 413cd6 85028->85031 85041 41ab19 67 API calls wcstoxq 85028->85041 85029->84999 85046 41ab19 67 API calls wcstoxq 85030->85046 85031->85018 85031->85029 85035 413cef 85031->85035 85033->85018 85038 413c9b 85033->85038 85040 41ab19 67 API calls wcstoxq 85033->85040 85042 41ab19 67 API calls wcstoxq 85035->85042 85038->85027 85038->85028 85039->85033 85040->85038 85041->85031 85042->85029 85043->85023 85045->85023 85046->85029 85048 41ac02 85047->85048 85049 41abfd 85047->85049 85056 
417f23 67 API calls __getptd_noexit 85048->85056 85049->85048 85052 41ac22 85049->85052 85051 41ac07 85057 417ebb 6 API calls 2 library calls 85051->85057 85054 410c99 85052->85054 85058 417f23 67 API calls __getptd_noexit 85052->85058 85054->85002 85056->85051 85058->85051 85059 401230 85060 401241 _memset 85059->85060 85061 4012c5 85059->85061 85074 401be0 85060->85074 85063 40126b 85064 4012ae KillTimer SetTimer 85063->85064 85065 42aa61 85063->85065 85066 401298 85063->85066 85064->85061 85069 42aa8b Shell_NotifyIconW 85065->85069 85070 42aa69 Shell_NotifyIconW 85065->85070 85067 4012a2 85066->85067 85068 42aaac 85066->85068 85067->85064 85073 42aaf8 Shell_NotifyIconW 85067->85073 85071 42aad7 Shell_NotifyIconW 85068->85071 85072 42aab5 Shell_NotifyIconW 85068->85072 85069->85064 85070->85064 85071->85064 85072->85064 85073->85064 85075 401bfb 85074->85075 85095 401cde 85074->85095 85076 4013a0 75 API calls 85075->85076 85077 401c0b 85076->85077 85078 42a9a0 LoadStringW 85077->85078 85079 401c18 85077->85079 85082 42a9bb 85078->85082 85096 4021e0 85079->85096 85081 401c2d 85084 401c3a 85081->85084 85085 42a9cd 85081->85085 85109 40df50 75 API calls 85082->85109 85084->85082 85086 401c44 85084->85086 85110 40d3b0 75 API calls 2 library calls 85085->85110 85108 40d3b0 75 API calls 2 library calls 85086->85108 85089 42a9dc 85090 42a9f0 85089->85090 85092 401c53 _memset _wcscpy _wcsncpy 85089->85092 85111 40d3b0 75 API calls 2 library calls 85090->85111 85094 401cc2 Shell_NotifyIconW 85092->85094 85093 42a9fe 85094->85095 85095->85063 85097 4021f1 _wcslen 85096->85097 85098 42a598 85096->85098 85101 402205 85097->85101 85102 402226 85097->85102 85118 40c740 85098->85118 85100 42a5a2 85112 404020 85101->85112 85104 401380 75 API calls 85102->85104 85106 40222d 85104->85106 85105 40220c _realloc 85105->85081 85106->85100 85107 41171a 75 API calls 85106->85107 85107->85105 85108->85092 85109->85092 85110->85089 85111->85093 85113 404028 85112->85113 85115 404029 ctype 
85112->85115 85113->85105 85114 42a0b0 85115->85114 85116 41171a 75 API calls 85115->85116 85117 404068 85116->85117 85117->85105 85119 40c752 85118->85119 85120 40c747 85118->85120 85119->85100 85120->85119 85123 402ae0 85120->85123 85122 42a572 _realloc 85122->85100 85124 42a06a 85123->85124 85125 402aef 85123->85125 85126 401380 75 API calls 85124->85126 85125->85122 85127 42a072 85126->85127 85128 41171a 75 API calls 85127->85128 85129 42a095 _realloc 85128->85129 85129->85122 85130 4034b0 85131 4034b9 85130->85131 85132 4034bd 85130->85132 85133 42a0ba 85132->85133 85134 41171a 75 API calls 85132->85134 85135 4034fe _realloc ctype 85134->85135 85136 40f110 RegOpenKeyExW 85137 40f13c RegQueryValueExW RegCloseKey 85136->85137 85138 40f15f 85136->85138 85137->85138 85139 416193 85176 41718c 85139->85176 85141 41619f GetStartupInfoW 85143 4161c2 85141->85143 85177 41aa31 HeapCreate 85143->85177 85145 416212 85179 416e29 GetModuleHandleW 85145->85179 85149 416223 __RTC_Initialize 85213 41b669 85149->85213 85152 416231 85153 41623d GetCommandLineW 85152->85153 85282 4117af 67 API calls 3 library calls 85152->85282 85228 42235f GetEnvironmentStringsW 85153->85228 85156 41624c 85234 4222b1 GetModuleFileNameW 85156->85234 85157 41623c 85157->85153 85159 416256 85162 416261 85159->85162 85283 4117af 67 API calls 3 library calls 85159->85283 85238 422082 85162->85238 85164 416272 85251 41186e 85164->85251 85167 416279 85169 416284 __wwincmdln 85167->85169 85285 4117af 67 API calls 3 library calls 85167->85285 85257 40d7f0 85169->85257 85172 4162b3 85287 411a4b 67 API calls _doexit 85172->85287 85175 4162b8 __setmode 85176->85141 85178 416206 85177->85178 85178->85145 85280 41616a 67 API calls 3 library calls 85178->85280 85180 416e44 85179->85180 85181 416e3d 85179->85181 85183 416fac 85180->85183 85184 416e4e GetProcAddress GetProcAddress GetProcAddress GetProcAddress 85180->85184 85288 41177f Sleep GetModuleHandleW 85181->85288 85298 416ad5 70 API calls 2 library calls 
85183->85298 85186 416e97 TlsAlloc 85184->85186 85185 416e43 85185->85180 85189 416218 85186->85189 85190 416ee5 TlsSetValue 85186->85190 85189->85149 85281 41616a 67 API calls 3 library calls 85189->85281 85190->85189 85191 416ef6 85190->85191 85289 411a69 6 API calls 4 library calls 85191->85289 85193 416efb 85194 41696e __encode_pointer 6 API calls 85193->85194 85195 416f06 85194->85195 85196 41696e __encode_pointer 6 API calls 85195->85196 85197 416f16 85196->85197 85198 41696e __encode_pointer 6 API calls 85197->85198 85199 416f26 85198->85199 85200 41696e __encode_pointer 6 API calls 85199->85200 85201 416f36 85200->85201 85290 41828b InitializeCriticalSectionAndSpinCount __getstream 85201->85290 85203 416f43 85203->85183 85204 4169e9 __decode_pointer 6 API calls 85203->85204 85205 416f57 85204->85205 85205->85183 85291 416ffb 85205->85291 85208 4169e9 __decode_pointer 6 API calls 85209 416f8a 85208->85209 85209->85183 85210 416f91 85209->85210 85297 416b12 67 API calls 5 library calls 85210->85297 85212 416f99 GetCurrentThreadId 85212->85189 85317 41718c 85213->85317 85215 41b675 GetStartupInfoA 85216 416ffb __calloc_crt 67 API calls 85215->85216 85223 41b696 85216->85223 85217 41b8b4 __setmode 85217->85152 85218 41b831 GetStdHandle 85222 41b7fb 85218->85222 85219 416ffb __calloc_crt 67 API calls 85219->85223 85220 41b896 SetHandleCount 85220->85217 85221 41b843 GetFileType 85221->85222 85222->85217 85222->85218 85222->85220 85222->85221 85319 4189e6 InitializeCriticalSectionAndSpinCount __setmode 85222->85319 85223->85217 85223->85219 85223->85222 85224 41b77e 85223->85224 85224->85217 85224->85222 85225 41b7a7 GetFileType 85224->85225 85318 4189e6 InitializeCriticalSectionAndSpinCount __setmode 85224->85318 85225->85224 85229 422370 85228->85229 85230 422374 85228->85230 85229->85156 85231 416fb6 __malloc_crt 67 API calls 85230->85231 85232 422395 _realloc 85231->85232 85233 42239c FreeEnvironmentStringsW 85232->85233 85233->85156 85235 4222e6 
_wparse_cmdline 85234->85235 85236 416fb6 __malloc_crt 67 API calls 85235->85236 85237 422329 _wparse_cmdline 85235->85237 85236->85237 85237->85159 85239 42209a _wcslen 85238->85239 85243 416267 85238->85243 85240 416ffb __calloc_crt 67 API calls 85239->85240 85246 4220be _wcslen 85240->85246 85241 422123 85242 413a88 ___endstdio 67 API calls 85241->85242 85242->85243 85243->85164 85284 4117af 67 API calls 3 library calls 85243->85284 85244 416ffb __calloc_crt 67 API calls 85244->85246 85245 422149 85247 413a88 ___endstdio 67 API calls 85245->85247 85246->85241 85246->85243 85246->85244 85246->85245 85249 422108 85246->85249 85320 426349 67 API calls wcstoxq 85246->85320 85247->85243 85249->85246 85321 417d93 10 API calls 3 library calls 85249->85321 85252 41187c __IsNonwritableInCurrentImage 85251->85252 85322 418486 85252->85322 85254 41189a __initterm_e 85255 411421 __cinit 74 API calls 85254->85255 85256 4118b9 __IsNonwritableInCurrentImage __initterm 85254->85256 85255->85256 85256->85167 85258 431bcb 85257->85258 85259 40d80c 85257->85259 85260 4092c0 VariantClear 85259->85260 85261 40d847 85260->85261 85326 40eb50 85261->85326 85264 40d877 85329 411ac6 67 API calls 4 library calls 85264->85329 85267 40d888 85330 411b24 67 API calls wcstoxq 85267->85330 85269 40d891 85331 40f370 SystemParametersInfoW SystemParametersInfoW 85269->85331 85271 40d89f 85332 40d6d0 GetCurrentDirectoryW 85271->85332 85273 40d8a7 SystemParametersInfoW 85274 40d8d4 85273->85274 85275 40d8cd FreeLibrary 85273->85275 85276 4092c0 VariantClear 85274->85276 85275->85274 85277 40d8dd 85276->85277 85278 4092c0 VariantClear 85277->85278 85279 40d8e6 85278->85279 85279->85172 85286 411a1f 67 API calls _doexit 85279->85286 85280->85145 85281->85149 85282->85157 85283->85162 85284->85164 85285->85169 85286->85172 85287->85175 85288->85185 85289->85193 85290->85203 85294 417004 85291->85294 85293 416f70 85293->85183 85293->85208 85294->85293 85295 417022 Sleep 85294->85295 85299 422452 
85294->85299 85296 417037 85295->85296 85296->85293 85296->85294 85297->85212 85298->85189 85300 42245e __setmode 85299->85300 85301 422476 85300->85301 85311 422495 _memset 85300->85311 85312 417f23 67 API calls __getptd_noexit 85301->85312 85303 42247b 85313 417ebb 6 API calls 2 library calls 85303->85313 85305 422507 HeapAlloc 85305->85311 85306 42248b __setmode 85306->85294 85308 418407 __lock 66 API calls 85308->85311 85311->85305 85311->85306 85311->85308 85314 41a74c 5 API calls 2 library calls 85311->85314 85315 42254e LeaveCriticalSection _doexit 85311->85315 85316 411afc 6 API calls __decode_pointer 85311->85316 85312->85303 85314->85311 85315->85311 85316->85311 85317->85215 85318->85224 85319->85222 85320->85246 85321->85249 85323 41848c 85322->85323 85324 41696e __encode_pointer 6 API calls 85323->85324 85325 4184a4 85323->85325 85324->85323 85325->85254 85370 40eb70 85326->85370 85329->85267 85330->85269 85331->85271 85374 401f80 85332->85374 85334 40d6f1 IsDebuggerPresent 85335 431a9d MessageBoxA 85334->85335 85336 40d6ff 85334->85336 85337 431ab6 85335->85337 85336->85337 85338 40d71f 85336->85338 85476 403e90 75 API calls 3 library calls 85337->85476 85444 40f3b0 85338->85444 85342 40d73a GetFullPathNameW 85474 401440 127 API calls _wcscat 85342->85474 85344 40d77a 85345 40d782 85344->85345 85347 431b09 SetCurrentDirectoryW 85344->85347 85346 40d78b 85345->85346 85477 43604b 6 API calls 85345->85477 85456 4101f0 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 85346->85456 85347->85345 85351 431b28 85351->85346 85352 431b30 GetModuleFileNameW 85351->85352 85354 431ba4 GetForegroundWindow ShellExecuteW 85352->85354 85355 431b4c 85352->85355 85358 40d7c7 85354->85358 85478 401b70 85355->85478 85356 40d795 85364 40d7a8 85356->85364 85464 40e1e0 85356->85464 85362 40d7d1 SetCurrentDirectoryW 85358->85362 85362->85273 85363 431b66 85485 40d3b0 75 API calls 2 library calls 85363->85485 85364->85358 85475 401000 Shell_NotifyIconW _memset 
85364->85475 85367 431b72 GetForegroundWindow ShellExecuteW 85368 431b9f 85367->85368 85368->85358 85369 40eba0 LoadLibraryA GetProcAddress 85369->85264 85371 40d86e 85370->85371 85372 40eb76 LoadLibraryA 85370->85372 85371->85264 85371->85369 85372->85371 85373 40eb87 GetProcAddress 85372->85373 85373->85371 85486 40e680 85374->85486 85378 401fa2 GetModuleFileNameW 85504 40ff90 85378->85504 85380 401fbd 85516 4107b0 85380->85516 85383 401b70 75 API calls 85384 401fe4 85383->85384 85519 4019e0 85384->85519 85386 401ff2 85387 4092c0 VariantClear 85386->85387 85388 402002 85387->85388 85389 401b70 75 API calls 85388->85389 85390 40201c 85389->85390 85391 4019e0 76 API calls 85390->85391 85392 40202c 85391->85392 85393 401b70 75 API calls 85392->85393 85394 40203c 85393->85394 85527 40c3e0 85394->85527 85396 40204d 85545 40c060 85396->85545 85400 40206e 85557 4115d0 85400->85557 85403 42c174 85406 401a70 75 API calls 85403->85406 85404 402088 85405 4115d0 __wcsicoll 79 API calls 85404->85405 85408 402093 85405->85408 85407 42c189 85406->85407 85410 401a70 75 API calls 85407->85410 85408->85407 85409 40209e 85408->85409 85411 4115d0 __wcsicoll 79 API calls 85409->85411 85412 42c1a7 85410->85412 85413 4020a9 85411->85413 85414 42c1b0 GetModuleFileNameW 85412->85414 85413->85414 85415 4020b4 85413->85415 85417 401a70 75 API calls 85414->85417 85416 4115d0 __wcsicoll 79 API calls 85415->85416 85418 4020bf 85416->85418 85419 42c1e2 85417->85419 85424 401a70 75 API calls 85418->85424 85426 42c20a _wcscpy 85418->85426 85436 402107 85418->85436 85569 40df50 75 API calls 85419->85569 85421 402119 85423 42c243 85421->85423 85565 40e7e0 76 API calls 85421->85565 85422 42c1f1 85425 401a70 75 API calls 85422->85425 85428 4020e5 _wcscpy 85424->85428 85429 42c201 85425->85429 85430 401a70 75 API calls 85426->85430 85434 401a70 75 API calls 85428->85434 85429->85426 85439 402148 85430->85439 85431 402132 85566 40d030 76 API calls 85431->85566 85433 40213e 85435 4092c0 VariantClear 
85433->85435 85434->85436 85435->85439 85436->85421 85436->85426 85437 402184 85441 4092c0 VariantClear 85437->85441 85439->85437 85442 401a70 75 API calls 85439->85442 85567 40d030 76 API calls 85439->85567 85568 40e640 76 API calls 85439->85568 85443 402196 ctype 85441->85443 85442->85439 85443->85334 85445 42ccf4 _memset 85444->85445 85446 40f3c9 85444->85446 85448 42cd05 GetOpenFileNameW 85445->85448 86247 40ffb0 76 API calls ctype 85446->86247 85448->85446 85450 40d732 85448->85450 85449 40f3d2 86248 410130 SHGetMalloc 85449->86248 85450->85342 85450->85344 85452 40f3d9 86253 410020 88 API calls __wcsicoll 85452->86253 85454 40f3e7 86254 40f400 85454->86254 85457 42b9d3 85456->85457 85458 41025a LoadImageW RegisterClassExW 85456->85458 86312 443e8f EnumResourceNamesW LoadImageW 85457->86312 86311 4102f0 7 API calls 85458->86311 85461 40d790 85463 4103e0 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 85461->85463 85462 42b9da 85463->85356 85466 40e207 _memset 85464->85466 85465 40e262 85467 40e2a4 85465->85467 86313 43737d 84 API calls __wcsicoll 85465->86313 85466->85465 85468 42aa14 DestroyIcon 85466->85468 85470 40e2c0 Shell_NotifyIconW 85467->85470 85471 42aa50 Shell_NotifyIconW 85467->85471 85468->85465 85472 401be0 77 API calls 85470->85472 85473 40e2da 85472->85473 85473->85364 85474->85344 85475->85358 85476->85344 85477->85351 85479 401b76 _wcslen 85478->85479 85480 41171a 75 API calls 85479->85480 85483 401bc5 85479->85483 85481 401bad _realloc 85480->85481 85482 41171a 75 API calls 85481->85482 85482->85483 85484 40d3b0 75 API calls 2 library calls 85483->85484 85484->85363 85485->85367 85487 40c060 75 API calls 85486->85487 85488 401f90 85487->85488 85489 402940 85488->85489 85490 40294a __write_nolock 85489->85490 85491 4021e0 75 API calls 85490->85491 85493 402972 85491->85493 85502 4029a4 85493->85502 85570 401cf0 85493->85570 85494 402ae0 75 API calls 85494->85502 85495 402a8c 85496 401b70 75 API calls 85495->85496 85501 402abe 
85495->85501 85497 402ab3 85496->85497 85574 40d970 75 API calls 2 library calls 85497->85574 85498 401b70 75 API calls 85498->85502 85501->85378 85502->85494 85502->85495 85502->85498 85503 401cf0 75 API calls 85502->85503 85573 40d970 75 API calls 2 library calls 85502->85573 85503->85502 85575 40f5e0 85504->85575 85507 40ffa6 85507->85380 85509 42b6d8 85512 42b6e6 85509->85512 85631 434fe1 85509->85631 85511 413a88 ___endstdio 67 API calls 85513 42b6f5 85511->85513 85512->85511 85514 434fe1 106 API calls 85513->85514 85515 42b702 85514->85515 85515->85380 85517 41171a 75 API calls 85516->85517 85518 401fd6 85517->85518 85518->85383 85520 401a03 85519->85520 85522 4019e5 85519->85522 85521 401a1a 85520->85521 85520->85522 86236 404260 76 API calls 85521->86236 85524 4019ff 85522->85524 86235 404260 76 API calls 85522->86235 85524->85386 85526 401a26 85526->85386 85528 40c3e4 85527->85528 85529 40c42c 85527->85529 85532 40c3f0 85528->85532 85533 42a475 85528->85533 85530 42a422 85529->85530 85531 40c435 85529->85531 85537 42a427 85530->85537 85538 42a445 85530->85538 85534 40c441 85531->85534 85535 42a455 85531->85535 86237 4042f0 75 API calls __cinit 85532->86237 86242 453155 75 API calls 85533->86242 86238 4042f0 75 API calls __cinit 85534->86238 86241 453155 75 API calls 85535->86241 85544 40c3fb 85537->85544 86239 453155 75 API calls 85537->86239 86240 453155 75 API calls 85538->86240 85544->85396 85546 41171a 75 API calls 85545->85546 85547 40c088 85546->85547 85548 41171a 75 API calls 85547->85548 85549 402061 85548->85549 85550 401a70 85549->85550 85551 401a90 85550->85551 85552 401a77 85550->85552 85554 4021e0 75 API calls 85551->85554 85553 401a8d 85552->85553 86243 404080 75 API calls _realloc 85552->86243 85553->85400 85556 401a9c 85554->85556 85556->85400 85558 4115e1 85557->85558 85559 411650 85557->85559 85564 40207d 85558->85564 86244 417f23 67 API calls __getptd_noexit 85558->86244 86246 4114bf 79 API calls 3 library calls 85559->86246 85562 4115ed 
86245 417ebb 6 API calls 2 library calls 85562->86245 85564->85403 85564->85404 85565->85431 85566->85433 85567->85439 85568->85439 85569->85422 85571 402ae0 75 API calls 85570->85571 85572 401cf7 85571->85572 85572->85493 85573->85502 85574->85501 85635 40f580 85575->85635 85577 40f5f8 _strcat ctype 85643 40f6d0 85577->85643 85582 42b2ee 85672 4151b0 85582->85672 85584 40f679 85584->85582 85585 40f681 85584->85585 85659 414e94 85585->85659 85590 40f68b 85590->85507 85594 452574 85590->85594 85591 42b31d 85678 415484 85591->85678 85593 42b33d 85595 41557c _fseek 105 API calls 85594->85595 85596 4525df 85595->85596 86180 4523ce 85596->86180 85599 4525fc 85599->85509 85600 4151b0 __fread_nolock 81 API calls 85601 45261d 85600->85601 85602 4151b0 __fread_nolock 81 API calls 85601->85602 85603 45262e 85602->85603 85604 4151b0 __fread_nolock 81 API calls 85603->85604 85605 452649 85604->85605 85606 4151b0 __fread_nolock 81 API calls 85605->85606 85607 452666 85606->85607 85608 41557c _fseek 105 API calls 85607->85608 85609 452682 85608->85609 85610 4138ba _malloc 67 API calls 85609->85610 85611 45268e 85610->85611 85612 4138ba _malloc 67 API calls 85611->85612 85613 45269b 85612->85613 85614 4151b0 __fread_nolock 81 API calls 85613->85614 85615 4526ac 85614->85615 85616 44afdc GetSystemTimeAsFileTime 85615->85616 85617 4526bf 85616->85617 85618 4526d5 85617->85618 85619 4526fd 85617->85619 85620 413a88 ___endstdio 67 API calls 85618->85620 85621 452704 85619->85621 85622 45275b 85619->85622 85624 4526df 85620->85624 86186 44b195 85621->86186 85623 413a88 ___endstdio 67 API calls 85622->85623 85626 452759 85623->85626 85627 413a88 ___endstdio 67 API calls 85624->85627 85626->85509 85630 4526e8 85627->85630 85628 452753 85629 413a88 ___endstdio 67 API calls 85628->85629 85629->85626 85630->85509 85632 434ff1 85631->85632 85633 434feb 85631->85633 85632->85512 85634 414e94 __fcloseall 106 API calls 85633->85634 85634->85632 85636 429440 85635->85636 85637 40f589 _wcslen 
85635->85637 85638 40f58f WideCharToMultiByte 85637->85638 85639 40f5d8 85638->85639 85640 40f5ad 85638->85640 85639->85577 85641 41171a 75 API calls 85640->85641 85642 40f5bb WideCharToMultiByte 85641->85642 85642->85577 85644 40f6dd _strlen 85643->85644 85691 40f790 85644->85691 85647 414e06 85711 414d40 85647->85711 85649 40f666 85649->85582 85650 40f450 85649->85650 85652 40f45a _strcat _realloc __write_nolock 85650->85652 85651 4151b0 __fread_nolock 81 API calls 85651->85652 85652->85651 85653 40f531 85652->85653 85655 42936d 85652->85655 85794 41557c 85652->85794 85653->85584 85656 41557c _fseek 105 API calls 85655->85656 85657 429394 85656->85657 85658 4151b0 __fread_nolock 81 API calls 85657->85658 85658->85653 85660 414ea0 __setmode 85659->85660 85661 414ed1 85660->85661 85662 414eb4 85660->85662 85664 415965 __lock_file 68 API calls 85661->85664 85668 414ec9 __setmode 85661->85668 85933 417f23 67 API calls __getptd_noexit 85662->85933 85666 414ee9 85664->85666 85665 414eb9 85934 417ebb 6 API calls 2 library calls 85665->85934 85917 414e1d 85666->85917 85668->85590 86002 41511a 85672->86002 85674 4151c8 85675 44afdc 85674->85675 86173 4431e0 85675->86173 85677 44affd 85677->85591 85679 415490 __setmode 85678->85679 85680 4154bb 85679->85680 85681 41549e 85679->85681 85683 415965 __lock_file 68 API calls 85680->85683 86177 417f23 67 API calls __getptd_noexit 85681->86177 85685 4154c3 85683->85685 85684 4154a3 86178 417ebb 6 API calls 2 library calls 85684->86178 85687 4152e7 __ftell_nolock 71 API calls 85685->85687 85688 4154cf 85687->85688 86179 4154e8 LeaveCriticalSection LeaveCriticalSection __wfsopen 85688->86179 85690 4154b3 __setmode 85690->85593 85693 40f7ae _memset 85691->85693 85692 42a349 85693->85692 85695 40f628 85693->85695 85696 415258 85693->85696 85695->85647 85697 415285 85696->85697 85698 415268 85696->85698 85697->85698 85700 41528c 85697->85700 85707 417f23 67 API calls __getptd_noexit 85698->85707 85709 41c551 103 API calls 14 library 
calls 85700->85709 85701 41526d 85708 417ebb 6 API calls 2 library calls 85701->85708 85704 4152b2 85705 41527d 85704->85705 85710 4191c9 101 API calls 7 library calls 85704->85710 85705->85693 85707->85701 85709->85704 85710->85705 85714 414d4c __setmode 85711->85714 85712 414d5f 85763 417f23 67 API calls __getptd_noexit 85712->85763 85714->85712 85716 414d95 85714->85716 85715 414d64 85764 417ebb 6 API calls 2 library calls 85715->85764 85730 41e28c 85716->85730 85719 414d9a 85720 414da1 85719->85720 85721 414dae 85719->85721 85765 417f23 67 API calls __getptd_noexit 85720->85765 85723 414dd6 85721->85723 85724 414db6 85721->85724 85748 41dfd8 85723->85748 85766 417f23 67 API calls __getptd_noexit 85724->85766 85727 414d74 @_EH4_CallFilterFunc@8 __setmode 85727->85649 85731 41e298 __setmode 85730->85731 85732 418407 __lock 67 API calls 85731->85732 85745 41e2a6 85732->85745 85733 41e31b 85768 41e3bb 85733->85768 85734 41e322 85736 416fb6 __malloc_crt 67 API calls 85734->85736 85738 41e32c 85736->85738 85737 41e3b0 __setmode 85737->85719 85738->85733 85773 4189e6 InitializeCriticalSectionAndSpinCount __setmode 85738->85773 85740 418344 __mtinitlocknum 67 API calls 85740->85745 85742 41e351 85743 41e35c 85742->85743 85744 41e36f EnterCriticalSection 85742->85744 85747 413a88 ___endstdio 67 API calls 85743->85747 85744->85733 85745->85733 85745->85734 85745->85740 85771 4159a6 68 API calls __lock 85745->85771 85772 415a14 LeaveCriticalSection LeaveCriticalSection _doexit 85745->85772 85747->85733 85756 41dffb __wopenfile 85748->85756 85749 41e015 85778 417f23 67 API calls __getptd_noexit 85749->85778 85751 41e01a 85779 417ebb 6 API calls 2 library calls 85751->85779 85752 41e247 85775 425db0 85752->85775 85756->85749 85756->85756 85762 41e1e9 85756->85762 85780 4136bc 79 API calls 2 library calls 85756->85780 85758 41e1e2 85758->85762 85781 4136bc 79 API calls 2 library calls 85758->85781 85760 41e201 85760->85762 85782 4136bc 79 API calls 2 library calls 
85760->85782 85762->85749 85762->85752 85763->85715 85765->85727 85766->85727 85767 414dfc LeaveCriticalSection LeaveCriticalSection __wfsopen 85767->85727 85774 41832d LeaveCriticalSection 85768->85774 85770 41e3c2 85770->85737 85771->85745 85772->85745 85773->85742 85774->85770 85783 425ce4 85775->85783 85777 414de1 85777->85767 85778->85751 85780->85758 85781->85760 85782->85762 85785 425cf0 __setmode 85783->85785 85784 425d03 85786 417f23 wcstoxq 67 API calls 85784->85786 85785->85784 85787 425d41 85785->85787 85788 425d08 85786->85788 85789 4255c4 __tsopen_nolock 132 API calls 85787->85789 85790 417ebb wcstoxq 6 API calls 85788->85790 85791 425d5b 85789->85791 85793 425d17 __setmode 85790->85793 85792 425d82 __sopen_helper LeaveCriticalSection 85791->85792 85792->85793 85793->85777 85798 415588 __setmode 85794->85798 85795 415596 85825 417f23 67 API calls __getptd_noexit 85795->85825 85797 4155c4 85807 415965 85797->85807 85798->85795 85798->85797 85799 41559b 85826 417ebb 6 API calls 2 library calls 85799->85826 85805 4155ab __setmode 85805->85652 85808 415977 85807->85808 85809 415999 EnterCriticalSection 85807->85809 85808->85809 85810 41597f 85808->85810 85811 4155cc 85809->85811 85812 418407 __lock 67 API calls 85810->85812 85813 4154f2 85811->85813 85812->85811 85814 415512 85813->85814 85815 415502 85813->85815 85817 415524 85814->85817 85828 4152e7 85814->85828 85882 417f23 67 API calls __getptd_noexit 85815->85882 85845 41486c 85817->85845 85820 415507 85827 4155f7 LeaveCriticalSection LeaveCriticalSection __wfsopen 85820->85827 85825->85799 85827->85805 85829 41531a 85828->85829 85830 4152fa 85828->85830 85832 41453a __fileno 67 API calls 85829->85832 85883 417f23 67 API calls __getptd_noexit 85830->85883 85834 415320 85832->85834 85833 4152ff 85884 417ebb 6 API calls 2 library calls 85833->85884 85836 41efd4 __locking 71 API calls 85834->85836 85837 415335 85836->85837 85838 4153a9 85837->85838 85840 415364 85837->85840 85844 41530f 85837->85844 
85885 417f23 67 API calls __getptd_noexit 85838->85885 85841 41efd4 __locking 71 API calls 85840->85841 85840->85844 85842 415404 85841->85842 85843 41efd4 __locking 71 API calls 85842->85843 85842->85844 85843->85844 85844->85817 85846 414885 85845->85846 85850 4148a7 85845->85850 85847 41453a __fileno 67 API calls 85846->85847 85846->85850 85848 4148a0 85847->85848 85886 41c3cf 101 API calls 5 library calls 85848->85886 85851 41453a 85850->85851 85852 41455e 85851->85852 85853 414549 85851->85853 85857 41efd4 85852->85857 85887 417f23 67 API calls __getptd_noexit 85853->85887 85855 41454e 85888 417ebb 6 API calls 2 library calls 85855->85888 85858 41efe0 __setmode 85857->85858 85859 41efe8 85858->85859 85862 41f003 85858->85862 85909 417f36 67 API calls __getptd_noexit 85859->85909 85860 41f011 85911 417f36 67 API calls __getptd_noexit 85860->85911 85862->85860 85866 41f052 85862->85866 85864 41efed 85910 417f23 67 API calls __getptd_noexit 85864->85910 85865 41f016 85912 417f23 67 API calls __getptd_noexit 85865->85912 85889 41ba3b 85866->85889 85870 41f01d 85913 417ebb 6 API calls 2 library calls 85870->85913 85871 41f058 85873 41f065 85871->85873 85874 41f07b 85871->85874 85899 41ef5f 85873->85899 85914 417f23 67 API calls __getptd_noexit 85874->85914 85877 41f073 85916 41f0a6 LeaveCriticalSection __unlock_fhandle 85877->85916 85878 41f080 85915 417f36 67 API calls __getptd_noexit 85878->85915 85879 41eff5 __setmode 85879->85820 85882->85820 85883->85833 85885->85844 85886->85850 85887->85855 85890 41ba47 __setmode 85889->85890 85891 41baa2 85890->85891 85892 418407 __lock 67 API calls 85890->85892 85893 41bac4 __setmode 85891->85893 85894 41baa7 EnterCriticalSection 85891->85894 85895 41ba73 85892->85895 85893->85871 85894->85893 85896 41ba8a 85895->85896 85897 4189e6 __getstream InitializeCriticalSectionAndSpinCount 85895->85897 85898 41bad2 ___lock_fhandle LeaveCriticalSection 85896->85898 85897->85896 85898->85891 85900 41b9c4 __lseeki64_nolock 67 API 
[Control-flow graph export: the page rendered the graph as a flat node/edge list, which the extraction collapsed into unreadable text. The edge data is omitted here; the node labels that survive are summarised below. Note that this is IDA's static cross-reference graph, not an execution trace: an API appearing here is reachable from the sample's code, which does not by itself mean it was called during the run.]
    • CRT file I/O wrappers (__lseeki64_nolock, __write_nolock, __read, __fileno, __fcloseall, _fseek, __fread_nolock): SetFilePointer at 41ef84, CloseHandle at 41e567, ReadFile at 41e8bb / 41ea7d / 41eca5, MultiByteToWideChar at 41ebbe, GetLastError after each; GetSystemTimeAsFileTime at 414cef and 44afdc.
    • Runtime process-wait and message-pump loop: WaitForSingleObject at 4315b8, GetExitCodeProcess / CloseHandle at 4315d6 and 43170c, Sleep at 431623 / 40986e / 431781, timeGetTime at 43163b / 409880, TranslateMessage / DispatchMessageW at 4098f1, TranslateAcceleratorW at 4292fd, IsDialogMessageW at 42972a, GetClassLongW at 4340ec.
    • COM variant and string handling throughout the 0x409000-0x42e000 region: VariantInit / VariantCopy at 42dd10, many VariantClear sites, CharUpperBuffW at 409aeb; shell path lookup via SHGetDesktopFolder at 410148 and SHGetPathFromIDListW at 41018a.
    • File open paths: CreateFileW at 40eff5 and 4299c4, followed by SetFilePointerEx at 40e0d0.
    • Dynamic import resolution: LoadLibraryW at 463dd0, GetProcAddress at 463e62 / 463e82 / 463ec8, FreeLibrary at 463eef and 473744; VirtualProtect at 410ded; GetCurrentProcess / TerminateProcess at 4736ba.
    • OS fingerprinting at start-up: GetVersionExW at 40e483, GetSystemInfo at 42ad28 / 42ad38, GetNativeSystemInfo at 40e5d3, with helpers resolved through LoadLibraryA / GetProcAddress at 40ee30, 40ee76, 40ee87, 40eee6, 40eef7 and 40eec0.
    • A code region at 3ff8028-3ffb532, which lies below the image base of 00400000 and so outside the PE sections listed under Memory Dump Source: GetPEB at 3ff8028 and 3ffb508, then CreateFileW at 3ffa6c8, VirtualAlloc at 3ffa6f1 and 3ffa730, ReadFile at 3ffa712, VirtualFree at 3ffa8e4 and 3ffa808, CloseHandle at 3ffa7f8. That sequence is consistent with reading a file into freshly allocated memory; the listing alone does not show which file or what is done with the buffer.
    APIs
    • _wcslen.LIBCMT ref: 00409A61
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
    • CharUpperBuffW.USER32(?,?), ref: 00409AF5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
    • String ID: 0vH$4RH
    • API String ID: 1143807570-2085553193
    • Opcode ID: 88df8d8af20de5990424bb7013774891aa099bf653dc4abbc1b612a7a0f9e2b0
    • Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
    • Opcode Fuzzy Hash: 88df8d8af20de5990424bb7013774891aa099bf653dc4abbc1b612a7a0f9e2b0
    • Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B

    Control-flow Graph

    APIs
    • GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
      • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\rComprobantedepago.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
      • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
    • IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
    • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\rComprobantedepago.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
      • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
    • SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\rComprobantedepago.exe,00000004), ref: 0040D7D6
    • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
    • SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\rComprobantedepago.exe,00000004), ref: 00431B0E
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\rComprobantedepago.exe,00000004), ref: 00431B3F
    • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
    • ShellExecuteW.SHELL32(00000000), ref: 00431B92
      • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
      • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
      • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
      • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
      • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
      • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
      • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
      • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
      • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
      • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
      • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
      • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
      • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
    • String ID: @GH$@GH$C:\Users\user\Desktop\rComprobantedepago.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
    • API String ID: 2493088469-260609954
    • Opcode ID: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
    • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
    • Opcode Fuzzy Hash: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
    • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E
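The API lines in these function listings follow one fixed Joe Sandbox layout: `Name.MODULE(args), ref: address`, or `Name.MODULE ref: address` when no arguments were recovered, optionally prefixed with `Part of subcall function ADDR:` for calls made by a callee. The helper below is an added example written for this edit; it is not part of the report, of Joe Sandbox or of the sample. It parses such lines and flags the behaviours the report attributes to this function and the ones that follow: the IsDebuggerPresent call, the `runas` verb that Joe Sandbox shows as a stack argument of the GetForegroundWindow call immediately before ShellExecuteW (an elevation request), the Sleep/timeGetTime pair listed under execution timing, and the AutoIt runtime's own registry key and AV-support message. The sample lines are copied from this report; the indicator rules, their labels and the inclusion of GetTickCount as an alternative clock read are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One Joe Sandbox API line: "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function ADDR: " for calls made by a callee.
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # parent function when listed as "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line in a block of report text; lines of other kinds are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def flag_indicators(calls: List[ApiCall]) -> List[str]:
    """Map parsed calls to the behaviours this report lists (rules are the editor's assumptions)."""
    names = {c.api for c in calls}
    all_args = [a for c in calls for a in c.args]
    flags = []
    if "IsDebuggerPresent" in names:
        flags.append("anti-debug: IsDebuggerPresent")
    if "Sleep" in names and names & {"timeGetTime", "GetTickCount"}:
        flags.append("timing check: Sleep followed by a clock read")
    # The verb shows up as a stack argument of the GetForegroundWindow call that precedes
    # ShellExecuteW in the listing, not as an argument of ShellExecuteW itself.
    if "ShellExecuteW" in names and "runas" in all_args:
        flags.append("elevation: ShellExecuteW with runas verb")
    if any(a.startswith("Software\\AutoIt v3") for a in all_args):
        flags.append("AutoIt runtime: opens Software\\AutoIt v3\\AutoIt")
    if any("compiled AutoIt script" in a for a in all_args):
        flags.append("AutoIt stub: AV-support MessageBoxA")
    return flags


# Constructed sample: lines copied from this report's function listings.
SAMPLE_LINES = r"""
    • GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
      • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\rComprobantedepago.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
    • IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
    • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
    • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
    • ShellExecuteW.SHELL32(00000000), ref: 00431B92
    • RegisterClassExW.USER32 ref: 004102C6
    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
    • Sleep.KERNEL32(0000000A), ref: 00409870
    • timeGetTime.WINMM ref: 00409880
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module}({', '.join(c.args)})")
    print(flag_indicators(parsed))
```

Feed it a whole report section and the parser yields one record per call site; the `subcall_of` field keeps the callee attribution so that a flag raised by a helper (for instance the GetModuleFileNameW inside 00401F80) is not mistaken for a call made directly by the function being read.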

    Control-flow Graph (rendered graph not available; basic blocks 40e470-40e5ff and 42ac9b-42ad3d, calling GetVersionExW, GetCurrentProcess, GetSystemInfo, GetNativeSystemInfo and FreeLibrary)

    APIs
    • GetVersionExW.KERNEL32 ref: 0040E495
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
    • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
    • FreeLibrary.KERNEL32(?), ref: 0040E5DE
    • FreeLibrary.KERNEL32(?), ref: 0040E5F2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
    • String ID: pMH
    • API String ID: 2923339712-2522892712
    • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
    • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
    • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
    • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
    APIs
    • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: IsThemeActive$uxtheme.dll
    • API String ID: 2574300362-3542929980
    • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
    • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
    • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
    • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

    Control-flow Graph

    APIs
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
    • __wsplitpath.LIBCMT ref: 00410C61
      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
    • _wcsncat.LIBCMT ref: 00410C78
    • __wmakepath.LIBCMT ref: 00410C94
      • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
    • _wcscpy.LIBCMT ref: 00410CCC
    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
    • RegQueryValueExW.ADVAPI32 ref: 00429BE4
    • _wcscat.LIBCMT ref: 00429C43
    • _wcslen.LIBCMT ref: 00429C55
    • _wcslen.LIBCMT ref: 00429C66
    • _wcscat.LIBCMT ref: 00429C80
    • _wcsncpy.LIBCMT ref: 00429CC0
    • RegCloseKey.ADVAPI32(?), ref: 00429CDE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
    • String ID: Include$Software\AutoIt v3\AutoIt$\
    • API String ID: 1004883554-2276155026
    • Opcode ID: 7ddc168bc2068c325cd193227568a5015a4a486856808f6178fece6a235d7228
    • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
    • Opcode Fuzzy Hash: 7ddc168bc2068c325cd193227568a5015a4a486856808f6178fece6a235d7228
    • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A
    APIs
      • Part of subcall function 00409A40: _wcslen.LIBCMT ref: 00409A61
      • Part of subcall function 00409A40: CharUpperBuffW.USER32(?,?), ref: 00409AF5
    • Sleep.KERNEL32(0000000A), ref: 00409870
    • timeGetTime.WINMM ref: 00409880
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: BuffCharSleepTimeUpper_wcslentime
    • String ID:
    • API String ID: 3219444185-0
    • Opcode ID: da6b74c52f7fd8fa7285d44dc66266380a963bd06260c315e722df216112258b
    • Instruction ID: 79dfb759edd1749a95aa3438e3198289cebfc990e9c1b7da565b255c5aac8c6d
    • Opcode Fuzzy Hash: da6b74c52f7fd8fa7285d44dc66266380a963bd06260c315e722df216112258b
    • Instruction Fuzzy Hash: D422F171608342ABC724DF64C984BABB7A0BF89304F14492FE54997392D77CEC45CB9A

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __fread_nolock$_fseek_wcscpy
    • String ID: FILE
    • API String ID: 3888824918-3121273764
    • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
    • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
    • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
    • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

    Control-flow Graph

    APIs
    • GetSysColorBrush.USER32 ref: 00410326
    • RegisterClassExW.USER32 ref: 00410359
    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
    • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
    • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
    • ImageList_ReplaceIcon.COMCTL32(00AFD8A8,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
    • API String ID: 2914291525-1005189915
    • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
    • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
    • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
    • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A

    Control-flow Graph

    APIs
    • GetSysColorBrush.USER32(0000000F), ref: 004101F9
    • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
    • LoadIconW.USER32(?,00000063), ref: 0041021F
    • LoadIconW.USER32(?,000000A4), ref: 00410232
    • LoadIconW.USER32(?,000000A2), ref: 00410245
    • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
    • RegisterClassExW.USER32 ref: 004102C6
      • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
      • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
      • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
      • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
      • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
      • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
      • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(00AFD8A8,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
    • String ID: #$0$PGH
    • API String ID: 423443420-3673556320
    • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
    • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
    • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
    • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

    Control-flow Graph

    APIs
    • _fseek.LIBCMT ref: 004525DA
      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
      • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
      • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
    • __fread_nolock.LIBCMT ref: 00452618
    • __fread_nolock.LIBCMT ref: 00452629
    • __fread_nolock.LIBCMT ref: 00452644
    • __fread_nolock.LIBCMT ref: 00452661
    • _fseek.LIBCMT ref: 0045267D
    • _malloc.LIBCMT ref: 00452689
    • _malloc.LIBCMT ref: 00452696
    • __fread_nolock.LIBCMT ref: 004526A7
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __fread_nolock$_fseek_malloc_wcscpy
    • String ID:
    • API String ID: 1911931848-0
    • Opcode ID: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
    • Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
    • Opcode Fuzzy Hash: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
    • Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

    Control-flow Graph (rendered graph not available; basic blocks 40f450-40f57a and 429361-4293c3, internal calls only: 425210, 413990, 410f70, 4151b0, 41557c, 4151d0)

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __fread_nolock_fseek_strcat
    • String ID: AU3!$EA06
    • API String ID: 3818483258-2658333250
    • Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
    • Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
    • Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
    • Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B
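This function reads the file with fseek/fread and references the strings `AU3!` and `EA06`, which together form the marker `AU3!EA06` that AutoIt3 places in front of the embedded compiled script and that the stub searches for when it loads itself. The helper below is an added example written for this edit; it is not code from the report, from Joe Sandbox or from AutoIt. It locates that marker in an arbitrary file and reports whether the hit lies inside a named PE section or in the overlay appended after the last section, which is where a triage analyst usually has to look before carving the script out. The `EA05` variant (older compilers) and the constructed PE-shaped sample are assumptions made for illustration; the sample is not a loadable image.

```python
import struct
from typing import List, Tuple

# Marker this function looks for: "AU3!" followed by "EA06". "EA05" is the older-compiler
# variant; listing it is an assumption taken from public AutoIt tooling, not from this report.
AU3_MARKERS = (b"AU3!EA06", b"AU3!EA05")


def pe_sections(data: bytes) -> List[Tuple[str, int, int]]:
    """Return [(name, raw_start, raw_end)] from the PE section table, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return []
        num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]    # COFF NumberOfSections
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]       # SizeOfOptionalHeader
        table = e_lfanew + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
        sections = []
        for i in range(num_sections):
            off = table + i * 40
            name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
            size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
            sections.append((name, ptr_raw, ptr_raw + size_raw))
        return sections
    except struct.error:
        return []


def find_au3_markers(data: bytes) -> List[Tuple[int, str, str]]:
    """Return [(offset, marker, region)]; region is a section name, 'overlay', 'gap', or 'raw' for non-PE input."""
    sections = pe_sections(data)
    image_end = max((end for _, _, end in sections), default=0)
    hits = []
    for marker in AU3_MARKERS:
        idx = data.find(marker)
        while idx >= 0:
            region = next((n for n, s, e in sections if s <= idx < e), None)
            if region is None:
                region = "raw" if not sections else ("overlay" if idx >= image_end else "gap")
            hits.append((idx, marker.decode("ascii"), region))
            idx = data.find(marker, idx + 1)
    return sorted(hits)


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped blob (assumption): one .rsrc section holding a marker plus an
    overlay holding the older variant. SizeOfOptionalHeader is 0, so this is not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec_start, sec_size = 0x80, 0x40
    section = b".rsrc".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", sec_size, 0x1000, sec_size, sec_start, 0, 0, 0, 0, 0x40000040)
    header = (bytes(dos) + coff + section).ljust(sec_start, b"\0")
    body = bytearray(sec_size)
    body[0x10:0x18] = b"AU3!EA06"
    overlay = b"\0" * 8 + b"AU3!EA05" + b"\0" * 8
    return header + bytes(body) + overlay


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for off, marker, region in find_au3_markers(data):
        print(f"{marker} at 0x{off:X} ({region})")
```

Run it with the path of a suspected AutoIt-compiled binary as its only argument; a hit in the overlay or in `.rsrc` is the offset at which the compiled script begins and from which dedicated AutoIt extractors take over.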

    Control-flow Graph (rendered graph not available; basic blocks 410130-4101ee and 42944f-429459, calling SHGetMalloc, SHGetDesktopFolder and SHGetPathFromIDListW)

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _wcscpy$DesktopFolderFromListMallocPath
    • String ID: C:\Users\user\Desktop\rComprobantedepago.exe
    • API String ID: 192938534-1392315590
    • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
    • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
    • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
    • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

    Control-flow Graph (rendered graph not available; basic blocks 401230-4012cd and 42aa61-42ab15, calling KillTimer, SetTimer and Shell_NotifyIconW at five call sites)

    APIs
    • _memset.LIBCMT ref: 00401257
      • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
      • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
      • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
      • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
    • KillTimer.USER32(?,?), ref: 004012B0
    • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
    • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
    • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
    • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
    • String ID:
    • API String ID: 1792922140-0
    • Opcode ID: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
    • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
    • Opcode Fuzzy Hash: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
    • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB

    Control-flow Graph (rendered graph not available; basic blocks 3ffa5f8-3ffa8fa in the non-PE region at 03FF8000, calling CreateFileW, VirtualAlloc, ReadFile, VirtualFree and CloseHandle)

    APIs
    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03FFA6C9
    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03FFA8EF
    Memory Dump Source
    • Source File: 00000000.00000002.2080579999.0000000003FF8000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FF8000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3ff8000_rComprobantedepago.jbxd
    Similarity
    • API ID: CreateFileFreeVirtual
    • String ID:
    • API String ID: 204039940-0
    • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
    • Instruction ID: 80e4df3c0bbe8271c1ee5a4fa78b5dbd8d7293e2b3e1b09b8efca1663cd256de
    • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
    • Instruction Fuzzy Hash: D7A10675E00209EFDF14CFA4C988BAEB7B5BF48304F248599EA05BB290D7B59A41CF50

    Control-flow Graph (rendered graph not available; basic blocks 414f10-415118, internal CRT calls only: 417f23, 417ebb, 4131f0, 41e6b1, 41453a, 41ed9e, 41ee9b)

    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
    • String ID:
    • API String ID: 3886058894-0
    • Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
    • Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
    • Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
    • Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

    Control-flow Graph
    (graph rendering not recoverable from the page; from the graph data: function at 00401BE0, basic blocks 401be0-401ce3 plus a detached block range 42a9a0-42aa04, internal calls to 4013a0, 4021e0, 40df50, 40d3b0, 437a81, 4131f0, 41326a, 411691 and 402620, API calls LoadStringW and Shell_NotifyIconW)
    APIs
    • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    • _memset.LIBCMT ref: 00401C62
    • _wcsncpy.LIBCMT ref: 00401CA1
    • _wcscpy.LIBCMT ref: 00401CBD
    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
    • String ID: Line:
    • API String ID: 1620655955-1585850449
    • Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
    • Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
    • Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
    • Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B

    Control-flow Graph
    (graph rendering not recoverable from the page; from the graph data: a single basic block 4103e0-410461 calling CreateWindowExW twice and ShowWindow twice)
    APIs
    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
    • ShowWindow.USER32(?,00000000), ref: 00410454
    • ShowWindow.USER32(?,00000000), ref: 0041045E
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Window$CreateShow
    • String ID: AutoIt v3$edit
    • API String ID: 1584632944-3779509399
    • Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
    • Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
    • Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
    • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C

    Control-flow Graph
    (graph rendering not recoverable from the page; from the graph data: function at 03FFA3D8 in the non-PE-backed region, basic blocks 3ffa3d8-3ffa5b7, internal calls to 3ff8028, 3ffa2c8, 3ffa308, 3ff92c8 and 3ffa358, API calls CreateFileW, VirtualAlloc, ReadFile and ExitProcess; the failure branches after CreateFileW, VirtualAlloc and ReadFile all fall through to the exit block 3ffa5b2-3ffa5b7)
    APIs
      • Part of subcall function 03FFA2C8: Sleep.KERNELBASE(000001F4), ref: 03FFA2D9
    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03FFA4F1
    Memory Dump Source
    • Source File: 00000000.00000002.2080579999.0000000003FF8000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FF8000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3ff8000_rComprobantedepago.jbxd
    Similarity
    • API ID: CreateFileSleep
    • String ID: BJBPAD3LLAUG098P3HJFAQF
    • API String ID: 2694422964-773785891
    • Opcode ID: b0ff4c7074b7d5276c5576463a0ae945e58e7b3fbffb3492e60dc1285fbf702c
    • Instruction ID: 5d6714e0af4c577ab78ec3d31773e275afed5e0f1d69a72d4f423259c35ad9c3
    • Opcode Fuzzy Hash: b0ff4c7074b7d5276c5576463a0ae945e58e7b3fbffb3492e60dc1285fbf702c
    • Instruction Fuzzy Hash: 33516071D04389DEEF11DBA4C858BEEBBB8AF05304F044199E6097B2C1D7B91B48CBA5
    APIs
    • __lock.LIBCMT ref: 00413AA6
      • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
      • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
      • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
    • ___sbh_find_block.LIBCMT ref: 00413AB1
    • ___sbh_free_block.LIBCMT ref: 00413AC0
    • RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
    • GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
    • String ID:
    • API String ID: 2714421763-0
    • Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
    • Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
    • Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
    • Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C
    APIs
      • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
      • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
      • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
    • _strcat.LIBCMT ref: 0040F603
      • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
      • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
    • String ID: HH
    • API String ID: 1194219731-2761332787
    • Opcode ID: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
    • Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
    • Opcode Fuzzy Hash: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
    • Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
    APIs
    • CreateProcessW.KERNELBASE(?,00000000), ref: 03FF9A83
    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FF9B19
    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FF9B3B
    Memory Dump Source
    • Source File: 00000000.00000002.2080579999.0000000003FF8000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FF8000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3ff8000_rComprobantedepago.jbxd
    Similarity
    • API ID: Process$ContextCreateMemoryReadThreadWow64
    • String ID:
    • API String ID: 2438371351-0
    • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
    • Instruction ID: af6ebb69eaeba6afeaefdb216567e5e1c86278b33d0bae773cf904d1c191bfae
    • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
    • Instruction Fuzzy Hash: 4B62FF30A14259DBEB24CFA4C850BDEB375EF58300F1091A9D60DEB3A4E7B59E81CB59
    APIs
    • _memset.LIBCMT ref: 0040E202
    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: IconNotifyShell__memset
    • String ID:
    • API String ID: 928536360-0
    • Opcode ID: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
    • Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
    • Opcode Fuzzy Hash: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
    • Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
    APIs
    • _malloc.LIBCMT ref: 00411734
      • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
      • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
      • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
    • std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
      • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
    • std::bad_exception::bad_exception.LIBCMT ref: 0041176B
    • __CxxThrowException@8.LIBCMT ref: 00411779
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
    • String ID:
    • API String ID: 1411284514-0
    • Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
    • Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
    • Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
    • Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
    • Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
    • Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
    • Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
    APIs
    • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
    • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
    • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID:
    • API String ID: 3677997916-0
    • Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
    • Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
    • Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
    • Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
    APIs
    • _malloc.LIBCMT ref: 00435278
      • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
      • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
      • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
    • _malloc.LIBCMT ref: 00435288
    • _malloc.LIBCMT ref: 00435298
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _malloc$AllocateHeap
    • String ID:
    • API String ID: 680241177-0
    • Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
    • Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
    • Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
    • Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
    APIs
    • _wcslen.LIBCMT ref: 00401B71
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Exception@8Throw_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
    • String ID: @EXITCODE
    • API String ID: 580348202-3436989551
    • Opcode ID: 249d3e1fb0eb7af7dd68e91585e8e82f6d1afee6ce15ea26a7b3c9390e073f3e
    • Instruction ID: 288ad252d7dad0c090ff8240dee62855692e698d70424b42c0a66861a7771545
    • Opcode Fuzzy Hash: 249d3e1fb0eb7af7dd68e91585e8e82f6d1afee6ce15ea26a7b3c9390e073f3e
    • Instruction Fuzzy Hash: 73F06DF2A002025BD7649B35DC0276776E4AB44704F18C83EE14AC7791F6BDE8829B15
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ClearVariant
    • String ID:
    • API String ID: 1473721057-0
    • Opcode ID: bce5a430e362d6c0f9263e4079566161b41ce8f41440fa6e324fb9004993b7e3
    • Instruction ID: 1f11e118333250ff1b1cce483c812f274274124743f71e781b8a547d9d3e43da
    • Opcode Fuzzy Hash: bce5a430e362d6c0f9263e4079566161b41ce8f41440fa6e324fb9004993b7e3
    • Instruction Fuzzy Hash: 35917E706042009FC714DF55D890A6AB7E5EF89318F14896FF849AB392D738EE41CB9E
    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
    • Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
    • Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
    • Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __lock_file_memset
    • String ID:
    • API String ID: 26237723-0
    • Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
    • Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
    • Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
    • Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
    APIs
      • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
      • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
    • __lock_file.LIBCMT ref: 00414EE4
      • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
    • __fclose_nolock.LIBCMT ref: 00414EEE
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
    • String ID:
    • API String ID: 717694121-0
    • Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
    • Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
    • Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
    • Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
    APIs
    • TranslateMessage.USER32(?), ref: 004098F6
    • DispatchMessageW.USER32(?), ref: 00409901
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Message$DispatchTranslate
    • String ID:
    • API String ID: 1706434739-0
    • Opcode ID: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
    • Instruction ID: 6b3a2aeb923af73eb4cdb1bab797699f2cf27729a5018e8568c19fb4e3feaf67
    • Opcode Fuzzy Hash: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
    • Instruction Fuzzy Hash: D4F05471114301AEDA24DBE58D41B5BB3A8AFD8700F408C2EBA51E61C1FBF8E404C76A
    APIs
    • TranslateMessage.USER32(?), ref: 004098F6
    • DispatchMessageW.USER32(?), ref: 00409901
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Message$DispatchTranslate
    • String ID:
    • API String ID: 1706434739-0
    • Opcode ID: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
    • Instruction ID: cc4909b6a78c34842ee59a7900970f574117f06624f4f9c7373c79b1fb9dfc76
    • Opcode Fuzzy Hash: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
    • Instruction Fuzzy Hash: DDF054B1114301AADA14DBE58D41B5BB3A4AF94740F408C2EBA11E52C1EBFCD504C71A
    APIs
    • CreateProcessW.KERNELBASE(?,00000000), ref: 03FF9A83
    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03FF9B19
    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03FF9B3B
    Memory Dump Source
    • Source File: 00000000.00000002.2080579999.0000000003FF8000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FF8000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3ff8000_rComprobantedepago.jbxd
    Similarity
    • API ID: Process$ContextCreateMemoryReadThreadWow64
    • String ID:
    • API String ID: 2438371351-0
    • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
    • Instruction ID: 33f9f92b102b13ef6aed321cb97d11f1d626e02104403b32ab37ef9784a3621b
    • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
    • Instruction Fuzzy Hash: 6512CE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
    • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
    • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
    • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
    • Opcode Fuzzy Hash: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
    • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
    APIs
    • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ProcWindow
    • String ID:
    • API String ID: 181713994-0
    • Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
    • Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
    • Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
    • Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
    APIs
    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
    • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
    • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
    • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
    APIs
      • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
    • WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: File$PointerWrite
    • String ID:
    • API String ID: 539440098-0
    • Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
    • Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
    • Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
    • Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
    APIs
    • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ProcWindow
    • String ID:
    • API String ID: 181713994-0
    • Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
    • Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
    • Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
    • Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __wfsopen
    • String ID:
    • API String ID: 197181222-0
    • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
    • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
    • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
    • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
    APIs
    • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
    • Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
    • Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
    • Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54
    APIs
    • Sleep.KERNELBASE(000001F4), ref: 03FFA2D9
    Memory Dump Source
    • Source File: 00000000.00000002.2080579999.0000000003FF8000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FF8000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3ff8000_rComprobantedepago.jbxd
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
    • Instruction ID: f610971a49de1761271b7b89c4cf73f11f1590122aca9823e753caf4c38f5533
    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
    • Instruction Fuzzy Hash: 4AE0BF7494010EEFDB00DFB8D5496DD7BB4EF04301F1005A1FD05D7690DB719E648A62
    APIs
    • Sleep.KERNELBASE(000001F4), ref: 03FFA2D9
    Memory Dump Source
    • Source File: 00000000.00000002.2080579999.0000000003FF8000.00000040.00000020.00020000.00000000.sdmp, Offset: 03FF8000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3ff8000_rComprobantedepago.jbxd
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
    • Instruction ID: c30a3d28335db658066ddaf6e2428b533c4fe8d94d3fb74c4d92c72946612c80
    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
    • Instruction Fuzzy Hash: ABE0E67494010EDFDB00DFB8D54969D7BB4EF04301F1001A1FD05D2280DA719D608A62
    APIs
    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
    • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
    • GetKeyState.USER32(00000011), ref: 0047C1A4
    • GetKeyState.USER32(00000009), ref: 0047C1AD
    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
    • GetKeyState.USER32(00000010), ref: 0047C1CA
    • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
    • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
    • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
    • SendMessageW.USER32 ref: 0047C2FB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$State$LongProcWindow
    • String ID: @GUI_DRAGID$F
    • API String ID: 1562745308-4164748364
    • Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
    • Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
    • Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
    • Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID: PF$'|G$*"D$*vG$+%F$0wE$2G$5CG$7eF$<HF$<G$ApG$DvE$GSG$IqE$K@G$LbF$MdF$NgF$PIF$YtG$^[F$_?G$b"D$i}G$j)F$kQG$lE$rTG$vjE$}eE$*F$3G$_G$wG
    • API String ID: 0-3772701627
    • Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
    • Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
    • Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
    • Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
    APIs
    • GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
    • IsIconic.USER32(?), ref: 004375E1
    • ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
    • SetForegroundWindow.USER32(?), ref: 004375FD
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
    • GetCurrentThreadId.KERNEL32 ref: 00437619
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
    • SetForegroundWindow.USER32(?), ref: 00437645
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
    • keybd_event.USER32(00000012,00000000), ref: 0043765D
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
    • keybd_event.USER32(00000012,00000000), ref: 00437674
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
    • keybd_event.USER32(00000012,00000000), ref: 0043768B
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
    • keybd_event.USER32(00000012,00000000), ref: 004376A2
    • SetForegroundWindow.USER32(?), ref: 004376AD
    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
    • String ID: Shell_TrayWnd
    • API String ID: 3778422247-2988720461
    • Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
    • Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
    • Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
    • Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79
    APIs
    • _memset.LIBCMT ref: 0044621B
    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
    • GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
    • SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
    • _wcslen.LIBCMT ref: 0044639E
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
    • _wcsncpy.LIBCMT ref: 004463C7
    • LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
    • CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
    • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
    • UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
    • CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
    • CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
    • SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
    • CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
    • DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
    • String ID: $default$winsta0
    • API String ID: 2173856841-1027155976
    • Opcode ID: e263ba8e85aff218e50a892128b4060fadcfb5aec64f81172343317cd63ca315
    • Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
    • Opcode Fuzzy Hash: e263ba8e85aff218e50a892128b4060fadcfb5aec64f81172343317cd63ca315
    • Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B
    APIs
      • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\rComprobantedepago.exe,?,C:\Users\user\Desktop\rComprobantedepago.exe,004A8E80,C:\Users\user\Desktop\rComprobantedepago.exe,0040F3D2), ref: 0040FFCA
      • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
      • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
      • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
      • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
    • _wcscat.LIBCMT ref: 0044BD96
    • _wcscat.LIBCMT ref: 0044BDBF
    • __wsplitpath.LIBCMT ref: 0044BDEC
    • FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
    • _wcscpy.LIBCMT ref: 0044BE73
    • _wcscat.LIBCMT ref: 0044BE85
    • _wcscat.LIBCMT ref: 0044BE97
    • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
    • DeleteFileW.KERNEL32(?), ref: 0044BED5
    • MoveFileW.KERNEL32(?,?), ref: 0044BEF5
    • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
    • DeleteFileW.KERNEL32(?), ref: 0044BF17
    • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
    • FindClose.KERNEL32(00000000), ref: 0044BF35
    • MoveFileW.KERNEL32(?,?), ref: 0044BF51
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
    • FindClose.KERNEL32(00000000), ref: 0044BF7E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
    • String ID: \*.*
    • API String ID: 2188072990-1173974218
    • Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
    • Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
    • Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
    • Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA
    APIs
    • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
    • __swprintf.LIBCMT ref: 00434D91
    • _wcslen.LIBCMT ref: 00434D9B
    • _wcslen.LIBCMT ref: 00434DB0
    • _wcslen.LIBCMT ref: 00434DC5
    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
    • _memset.LIBCMT ref: 00434E27
    • _wcslen.LIBCMT ref: 00434E3C
    • _wcsncpy.LIBCMT ref: 00434E6F
    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
    • CloseHandle.KERNEL32(00000000), ref: 00434EB4
    • RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
    • CloseHandle.KERNEL32(00000000), ref: 00434ECE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
    • String ID: :$\$\??\%s
    • API String ID: 302090198-3457252023
    • Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
    • Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
    • Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
    • Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A
    APIs
      • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
    • GetLastError.KERNEL32 ref: 004644B4
    • GetCurrentThread.KERNEL32 ref: 004644C8
    • OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
    • GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
    • OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
    • String ID: SeDebugPrivilege
    • API String ID: 1312810259-2896544425
    • Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
    • Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
    • Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
    • Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
    • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
    • __wsplitpath.LIBCMT ref: 004038B2
      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
    • _wcscpy.LIBCMT ref: 004038C7
    • _wcscat.LIBCMT ref: 004038DC
    • SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
      • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
      • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
    • _wcscpy.LIBCMT ref: 004039C2
    • _wcslen.LIBCMT ref: 00403A53
    • _wcslen.LIBCMT ref: 00403AAA
    Strings
    • Unterminated string, xrefs: 0042B9BA
    • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
    • _, xrefs: 00403B48
    • Error opening the file, xrefs: 0042B8AC
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
    • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
    • API String ID: 4115725249-188983378
    • Opcode ID: 504ae14b68ae4f50757acf0c2e12cab9195c17a20a1e003f7b282d25dee8bfbe
    • Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
    • Opcode Fuzzy Hash: 504ae14b68ae4f50757acf0c2e12cab9195c17a20a1e003f7b282d25dee8bfbe
    • Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
    APIs
    • FindFirstFileW.KERNEL32(?,?), ref: 00434C12
    • GetFileAttributesW.KERNEL32(?), ref: 00434C4F
    • SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
    • FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
    • FindClose.KERNEL32(00000000), ref: 00434C88
    • FindClose.KERNEL32(00000000), ref: 00434C9C
    • FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
    • SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
    • SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
    • FindClose.KERNEL32(00000000), ref: 00434D35
    • FindClose.KERNEL32(00000000), ref: 00434D43
    Strings
    Similarity
    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
    • String ID: *.*
    • API String ID: 1409584000-438819550
    • Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
    • Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
    • Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
    APIs
    Strings
    Similarity
    • API ID: Timetime$Sleep
    • String ID: BUTTON
    • API String ID: 4176159691-3405671355
    • Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
    • Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
    • Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
    APIs
      • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
      • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
      • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
      • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
    • GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
    • _memset.LIBCMT ref: 00445E61
    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
    • GetLengthSid.ADVAPI32(?), ref: 00445E92
    • GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
    • GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
    • GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
    • CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
    • SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
    Similarity
    • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
    • String ID:
    • API String ID: 3490752873-0
    • Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
    • Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
    • Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
    APIs
    • OleInitialize.OLE32(00000000), ref: 0047AA03
    • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
    • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
    • _memset.LIBCMT ref: 0047AB7C
    • _wcslen.LIBCMT ref: 0047AC68
    • _memset.LIBCMT ref: 0047ACCD
    • CoCreateInstanceEx.OLE32 ref: 0047AD06
    • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
    Strings
    • NULL Pointer assignment, xrefs: 0047AD84
    Similarity
    • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
    • String ID: NULL Pointer assignment
    • API String ID: 1588287285-2785691316
    • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
    • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
    • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
    APIs
    • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
    • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
    • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
    • GetLastError.KERNEL32 ref: 00436504
    • ExitWindowsEx.USER32(?,00000000), ref: 00436527
    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
    • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
    Strings
    Similarity
    • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
    • String ID: SeShutdownPrivilege
    • API String ID: 2938487562-3733053543
    • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
    • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
    • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
    APIs
    • __swprintf.LIBCMT ref: 00436162
    • __swprintf.LIBCMT ref: 00436176
      • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
    • __wcsicoll.LIBCMT ref: 00436185
    • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
    • LoadResource.KERNEL32(?,00000000), ref: 004361AE
    • LockResource.KERNEL32(00000000), ref: 004361B5
    • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
    • LoadResource.KERNEL32(?,00000000), ref: 004361E4
    • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
    • LockResource.KERNEL32(?), ref: 004361FD
    Similarity
    • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
    • String ID:
    • API String ID: 2406429042-0
    • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
    • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
    • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 0045D522
    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
    • GetLastError.KERNEL32 ref: 0045D59D
    • SetErrorMode.KERNEL32(?), ref: 0045D629
    Strings
    Similarity
    • API ID: Error$Mode$DiskFreeLastSpace
    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
    • API String ID: 4194297153-14809454
    • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
    • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
    • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
    APIs
    • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
      • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
    • OleInitialize.OLE32(00000000), ref: 0047AE06
      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
    • _wcslen.LIBCMT ref: 0047AE18
    • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
    • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
    • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
    Strings
    Similarity
    • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
    • String ID: HH
    • API String ID: 1915432386-2761332787
    • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
    • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
    • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
    Strings
    Similarity
    • API ID:
    • String ID: DEFINE$`$h$h
    • API String ID: 0-4194577831
    • Opcode ID: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
    • Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
    • Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
    APIs
    • socket.WSOCK32(00000002,00000001,00000006,?,00000000), ref: 004648B0
    • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
    • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648DA
    • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
    • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000005,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 0046492D
    Similarity
    • API ID: ErrorLast$bindclosesocketsocket
    • String ID:
    • API String ID: 2609815416-0
    • Opcode ID: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
    • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
    • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
    APIs
    • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
    • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
    • Process32NextW.KERNEL32(00000000,?), ref: 00437075
    • __wsplitpath.LIBCMT ref: 004370A5
      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
    • _wcscat.LIBCMT ref: 004370BA
    • __wcsicoll.LIBCMT ref: 004370C8
    • CloseHandle.KERNEL32(00000000,?), ref: 00437105
    Similarity
    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
    • String ID:
    • API String ID: 2547909840-0
    • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
    • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
    • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
    • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
    • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
    • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
    Strings
    Similarity
    • API ID: Find$File$CloseFirstNextSleep_wcslen
    • String ID: *.*
    • API String ID: 2693929171-438819550
    • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
    • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
    • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
    APIs
    • OpenClipboard.USER32(?), ref: 0046C635
    • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
    • GetClipboardData.USER32(0000000D), ref: 0046C64F
    • CloseClipboard.USER32 ref: 0046C65D
    • GlobalLock.KERNEL32(00000000), ref: 0046C688
    • CloseClipboard.USER32 ref: 0046C692
    • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
    • GetClipboardData.USER32(00000001), ref: 0046C6DD
    • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
    • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
    • CloseClipboard.USER32 ref: 0046C866
    Strings
    Similarity
    • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
    • String ID: HH
    • API String ID: 589737431-2761332787
    • Opcode ID: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
    • Instruction ID: 5556deb4c8197336e1b92b5e2a85e957832ef7964462d916cb468ff193882e13
    • Instruction Fuzzy Hash: 7301F5762042005FC300AFB9ED45B6A7BA4EF59704F04097FF980A72C1EBB1E915C7AA
    APIs
    • __wcsicoll.LIBCMT ref: 0043643C
    • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
    • __wcsicoll.LIBCMT ref: 00436466
    • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
    Strings
    Similarity
    • API ID: __wcsicollmouse_event
    • String ID: DOWN
    • API String ID: 1033544147-711622031
    • Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
    • Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
    • Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD
    APIs
      • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
    • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00474213
    • WSAGetLastError.WSOCK32(00000000), ref: 00474233
    Similarity
    • API ID: ErrorLastinet_addrsocket
    • String ID:
    • API String ID: 4170576061-0
    • Opcode ID: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
    • Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
    • Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D
    APIs
    • GetCursorPos.USER32(004A83D8), ref: 0045636A
    • ScreenToClient.USER32(004A83D8,?), ref: 0045638A
    • GetAsyncKeyState.USER32(?), ref: 004563D0
    • GetAsyncKeyState.USER32(?), ref: 004563DC
    • GetWindowLongW.USER32(?,000000F0), ref: 00456430
    Similarity
    • API ID: AsyncState$ClientCursorLongScreenWindow
    • String ID:
    • API String ID: 3539004672-0
    • Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
    • Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
    • Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A
    APIs
      • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
    • IsWindowVisible.USER32 ref: 00477314
    • IsWindowEnabled.USER32 ref: 00477324
    • GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
    • IsIconic.USER32 ref: 0047733F
    • IsZoomed.USER32 ref: 0047734D
    Similarity
    • API ID: Window$EnabledForegroundIconicVisibleZoomed
    • String ID:
    • API String ID: 292994002-0
    • Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
    • Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
    • Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
    APIs
    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,75923220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
    • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
    • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
    Similarity
    • API ID: File$CloseCreateHandleTime
    • String ID:
    • API String ID: 3397143404-0
    • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
    • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
    • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
    APIs
    Strings
    Similarity
    • API ID: _strncmp
    • String ID: ACCEPT$^$h
    • API String ID: 909875538-4263704089
    • Opcode ID: adbbb77bd847cefbadd23aa8e42bde8f813033e7c46a43322acc698efb747d92
    • Instruction ID: 72a2cba82410d8b1d90f72ff5cad5771b474d57714a55a9933f2c727144888ce
    • Opcode Fuzzy Hash: adbbb77bd847cefbadd23aa8e42bde8f813033e7c46a43322acc698efb747d92
    • Instruction Fuzzy Hash: AE22A0746083818FE725CF29C48076BBBE2BFC9304F24896EE8D587351D779984ACB56
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID: ERCP$VUUU$VUUU$VUUU
    • API String ID: 0-2165971703
    • Opcode ID: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
    • Instruction ID: 514654dd073cfe12bfc68f6c44a091d7a3824994b709b832431b3f3de6bbd106
    • Opcode Fuzzy Hash: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
    • Instruction Fuzzy Hash: 5562D3716087818BE734CF18C8807ABB7E1EBC6314F154A2FE49986390E779D949CB5B
    APIs
    • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
    • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Find$File$CloseFirstNext
    • String ID:
    • API String ID: 3541575487-0
    • Opcode ID: ecd451ca94e8c171abf8b5376291faf96e6fe6c5ddeeb2909304e4b4baf54b28
    • Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
    • Opcode Fuzzy Hash: ecd451ca94e8c171abf8b5376291faf96e6fe6c5ddeeb2909304e4b4baf54b28
    • Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95
    APIs
    • GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
    • FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
    • FindClose.KERNEL32(00000000), ref: 00436B13
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: FileFind$AttributesCloseFirst
    • String ID:
    • API String ID: 48322524-0
    • Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
    • Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
    • Opcode Fuzzy Hash: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
    • Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA
    APIs
    • __time64.LIBCMT ref: 004433A2
      • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
      • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Time$FileSystem__aulldiv__time64
    • String ID: rJ
    • API String ID: 2893107130-1865492326
    • Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
    • Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
    • Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
    • Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98
    APIs
    • __time64.LIBCMT ref: 004433A2
      • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
      • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Time$FileSystem__aulldiv__time64
    • String ID: rJ
    • API String ID: 2893107130-1865492326
    • Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
    • Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
    • Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
    • Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88
    APIs
    • InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
    • InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
      • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Internet$AvailableDataErrorFileLastQueryRead
    • String ID:
    • API String ID: 901099227-0
    • Opcode ID: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
    • Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
    • Opcode Fuzzy Hash: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
    • Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A
    APIs
    • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
    • FindClose.KERNEL32(00000000), ref: 0045DDDD
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Find$CloseFileFirst
    • String ID:
    • API String ID: 2295610775-0
    • Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
    • Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
    • Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
    • Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID: 0vH$HH
    • API String ID: 0-728391547
    • Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
    • Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
    • Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
    • Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _memset
    • String ID:
    • API String ID: 2102423945-0
    • Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
    • Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
    • Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
    • Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
    APIs
    • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Proc
    • String ID:
    • API String ID: 2346855178-0
    • Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
    • Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
    • Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
    • Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
    APIs
    • BlockInput.USER32(00000001), ref: 0045A272
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: BlockInput
    • String ID:
    • API String ID: 3456056419-0
    • Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
    • Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
    • Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
    • Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66
    APIs
    • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: LogonUser
    • String ID:
    • API String ID: 1244722697-0
    • Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
    • Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
    • Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
    • Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: NameUser
    • String ID:
    • API String ID: 2645101109-0
    • Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
    • Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
    • Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
    • Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
    • Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
    • Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
    • Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
    • Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
    • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
    • Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
    • Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
    • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
    • Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
    • Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
    • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
    • Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
    • Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
    • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
    • Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
    • Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
    • Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
    • Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
    APIs
    • DeleteObject.GDI32(?), ref: 004593D7
    • DeleteObject.GDI32(?), ref: 004593F1
    • DestroyWindow.USER32(?), ref: 00459407
    • GetDesktopWindow.USER32 ref: 0045942A
    • GetWindowRect.USER32(00000000), ref: 00459431
    • SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
    • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
    • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
    • GetClientRect.USER32(00000000,?), ref: 004595C8
    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
    • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
    • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
    • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
    • GlobalLock.KERNEL32(00000000), ref: 00459668
    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
    • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
    • CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
    • GlobalFree.KERNEL32(00000000), ref: 004596C0
    • CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
    • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
    • ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
    • CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
    • GetStockObject.GDI32(00000011), ref: 004597B7
    • SelectObject.GDI32(00000000,00000000), ref: 004597BF
    • GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
    • DeleteDC.GDI32(00000000), ref: 004597E1
    • _wcslen.LIBCMT ref: 00459800
    • _wcscpy.LIBCMT ref: 0045981F
    • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
    • GetDC.USER32(?), ref: 004598DE
    • SelectObject.GDI32(00000000,?), ref: 004598EE
    • SelectObject.GDI32(00000000,?), ref: 00459919
    • ReleaseDC.USER32(?,00000000), ref: 00459925
    • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
    • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
    • String ID: $AutoIt v3$DISPLAY$static
    • API String ID: 4040870279-2373415609
    • Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
    • Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
    • Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
    • Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
    APIs
    • GetSysColor.USER32(00000012), ref: 00441E64
    • SetTextColor.GDI32(?,?), ref: 00441E6C
    • GetSysColorBrush.USER32(0000000F), ref: 00441E83
    • GetSysColor.USER32(0000000F), ref: 00441E8F
    • SetBkColor.GDI32(?,?), ref: 00441EAA
    • SelectObject.GDI32(?,?), ref: 00441EBA
    • InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
    • GetSysColor.USER32(00000010), ref: 00441EF8
    • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
    • FrameRect.USER32(?,?,00000000), ref: 00441F10
    • DeleteObject.GDI32(?), ref: 00441F1B
    • InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
    • FillRect.USER32(?,?,?), ref: 00441FB6
      • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
      • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
      • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
      • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
      • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
      • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
      • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
      • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
      • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
      • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
      • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
      • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
      • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
    • String ID:
    • API String ID: 69173610-0
    • Opcode ID: 3785084d77aa542b4299aa9b37fda0bf58ba8d87453f8fab6dcd856d931d6f87
    • Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
    • Opcode Fuzzy Hash: 3785084d77aa542b4299aa9b37fda0bf58ba8d87453f8fab6dcd856d931d6f87
    • Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __wcsnicmp
    • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
    • API String ID: 1038674560-3360698832
    • Opcode ID: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
    • Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
    • Opcode Fuzzy Hash: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
    • Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
    APIs
    • GetSysColor.USER32(0000000E), ref: 00433D81
    • SetTextColor.GDI32(?,00000000), ref: 00433D89
    • GetSysColor.USER32(00000012), ref: 00433DA3
    • SetTextColor.GDI32(?,?), ref: 00433DAB
    • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
    • GetSysColor.USER32(0000000F), ref: 00433DCB
    • CreateSolidBrush.GDI32(?), ref: 00433DD4
    • GetSysColor.USER32(00000011), ref: 00433DEB
    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
    • SelectObject.GDI32(?,00000000), ref: 00433E0D
    • SetBkColor.GDI32(?,?), ref: 00433E19
    • SelectObject.GDI32(?,?), ref: 00433E29
    • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
    • GetWindowLongW.USER32 ref: 00433E8A
    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
    • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
    • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
    • DrawFocusRect.USER32(?,?), ref: 00433F1F
    • GetSysColor.USER32(00000011), ref: 00433F2E
    • SetTextColor.GDI32(?,00000000), ref: 00433F36
    • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
    • SelectObject.GDI32(?,?), ref: 00433F63
    • DeleteObject.GDI32(?), ref: 00433F70
    • SelectObject.GDI32(?,?), ref: 00433F78
    • DeleteObject.GDI32(00000000), ref: 00433F7B
    • SetTextColor.GDI32(?,?), ref: 00433F83
    • SetBkColor.GDI32(?,?), ref: 00433F8F
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
    • String ID:
    • API String ID: 1582027408-0
    • Opcode ID: 7ed77f446950918d02f431c38dd7fc91f66df66e86dd2f88ba36f04c0847d756
    • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
    • Opcode Fuzzy Hash: 7ed77f446950918d02f431c38dd7fc91f66df66e86dd2f88ba36f04c0847d756
    • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
    APIs
    • OpenClipboard.USER32(?), ref: 0046C635
    • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
    • GetClipboardData.USER32(0000000D), ref: 0046C64F
    • CloseClipboard.USER32 ref: 0046C65D
    • GlobalLock.KERNEL32(00000000), ref: 0046C688
    • CloseClipboard.USER32 ref: 0046C692
    • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
    • GetClipboardData.USER32(00000001), ref: 0046C6DD
    • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
    • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
    • CloseClipboard.USER32 ref: 0046C866
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
    • String ID: HH
    • API String ID: 589737431-2761332787
    • Opcode ID: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
    • Instruction ID: ccec0c76267f611a980a6192e38ed766f4c6ddce8b7f15b38bc446a2cb1d96e7
    • Opcode Fuzzy Hash: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
    • Instruction Fuzzy Hash: 4D61E5722003019BD310EF65DD86B5E77A8EF54715F00483EFA41E72D1EBB5D9048BAA
    APIs
    • GetCursorPos.USER32(?), ref: 00456692
    • GetDesktopWindow.USER32 ref: 004566AA
    • GetWindowRect.USER32(00000000), ref: 004566B1
    • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
    • GetWindowLongW.USER32(?,000000F0), ref: 00456720
    • DestroyWindow.USER32(?), ref: 00456731
    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
    • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
    • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
    • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
    • IsWindowVisible.USER32(?), ref: 00456812
    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
    • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
    • GetWindowRect.USER32(?,?), ref: 0045685C
    • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
    • GetMonitorInfoW.USER32 ref: 00456894
    • CopyRect.USER32(?,?), ref: 004568A8
    • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
    • String ID: ($,$tooltips_class32
    • API String ID: 541082891-3320066284
    • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
    • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
    • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
    • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
    APIs
    • _wcslen.LIBCMT ref: 00454DCF
    • _wcslen.LIBCMT ref: 00454DE2
    • __wcsicoll.LIBCMT ref: 00454DEF
    • _wcslen.LIBCMT ref: 00454E04
    • __wcsicoll.LIBCMT ref: 00454E11
    • _wcslen.LIBCMT ref: 00454E24
    • __wcsicoll.LIBCMT ref: 00454E31
      • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
    • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
    • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
    • FreeLibrary.KERNEL32(00000000), ref: 00454F37
    • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
    • DestroyIcon.USER32(?), ref: 00454FA2
    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
    • String ID: .dll$.exe$.icl
    • API String ID: 2511167534-1154884017
    • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
    • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
    • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
    • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
    APIs
    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
    • _wcslen.LIBCMT ref: 00436B79
    • _wcscpy.LIBCMT ref: 00436B9F
    • _wcscat.LIBCMT ref: 00436BC0
    • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
    • _wcscat.LIBCMT ref: 00436C2A
    • _wcscat.LIBCMT ref: 00436C31
    • __wcsicoll.LIBCMT ref: 00436C4B
    • _wcsncpy.LIBCMT ref: 00436C62
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
    • API String ID: 1503153545-1459072770
    • Opcode ID: d74c03819ee1efdcd2251804cc629a4b9e5109ebdb488953a246c56c3c93d766
    • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
    • Opcode Fuzzy Hash: d74c03819ee1efdcd2251804cc629a4b9e5109ebdb488953a246c56c3c93d766
    • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
    APIs
      • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
    • _fseek.LIBCMT ref: 004527FC
    • __wsplitpath.LIBCMT ref: 0045285C
    • _wcscpy.LIBCMT ref: 00452871
    • _wcscat.LIBCMT ref: 00452886
    • __wsplitpath.LIBCMT ref: 004528B0
    • _wcscat.LIBCMT ref: 004528C8
    • _wcscat.LIBCMT ref: 004528DD
    • __fread_nolock.LIBCMT ref: 00452914
    • __fread_nolock.LIBCMT ref: 00452925
    • __fread_nolock.LIBCMT ref: 00452944
    • __fread_nolock.LIBCMT ref: 00452955
    • __fread_nolock.LIBCMT ref: 00452976
    • __fread_nolock.LIBCMT ref: 00452987
    • __fread_nolock.LIBCMT ref: 00452998
    • __fread_nolock.LIBCMT ref: 004529A9
      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
      • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
      • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
    • __fread_nolock.LIBCMT ref: 00452A39
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
    • String ID:
    • API String ID: 2054058615-0
    • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
    • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
    • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
    • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: 3a07867978c3f4dd6cc8e288545ee1fe655f38533b219bcbd12b7da8e0a06a4d
    • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
    • Opcode Fuzzy Hash: 3a07867978c3f4dd6cc8e288545ee1fe655f38533b219bcbd12b7da8e0a06a4d
    • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
    APIs
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
    • GetWindowRect.USER32(?,?), ref: 004701EA
    • GetClientRect.USER32(?,?), ref: 004701FA
    • GetSystemMetrics.USER32(00000007), ref: 00470202
    • GetSystemMetrics.USER32(00000008), ref: 00470216
    • GetSystemMetrics.USER32(00000004), ref: 00470238
    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
    • GetSystemMetrics.USER32(00000007), ref: 00470273
    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
    • GetSystemMetrics.USER32(00000008), ref: 004702A8
    • GetSystemMetrics.USER32(00000004), ref: 004702CF
    • SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
    • AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
    • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
    • GetClientRect.USER32(?,?), ref: 00470371
    • GetStockObject.GDI32(00000011), ref: 00470391
    • SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
    • SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
    • String ID: AutoIt v3 GUI
    • API String ID: 867697134-248962490
    • Opcode ID: d55e600c822e439b47949a06877fabb75b0ca5e5f4e504dad133e10be055f9ae
    • Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
    • Opcode Fuzzy Hash: d55e600c822e439b47949a06877fabb75b0ca5e5f4e504dad133e10be055f9ae
    • Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
    APIs
    • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Window
    • String ID: 0
    • API String ID: 2353593579-4108050209
    • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
    • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
    • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
    • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
    APIs
    • GetSysColor.USER32 ref: 0044A11D
    • GetClientRect.USER32(?,?), ref: 0044A18D
    • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
    • GetWindowDC.USER32(?), ref: 0044A1B3
    • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
    • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
    • GetSysColor.USER32(0000000F), ref: 0044A1EC
    • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
    • GetSysColor.USER32(0000000F), ref: 0044A216
    • GetSysColor.USER32(00000005), ref: 0044A21E
    • GetWindowDC.USER32 ref: 0044A277
    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
    • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
    • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
    • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
    • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
    • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
    • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
    • GetStockObject.GDI32(00000005), ref: 0044A312
    • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
    • String ID:
    • API String ID: 1744303182-0
    • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
    • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
    • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
    • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __wcsicoll$__wcsnicmp
    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
    • API String ID: 790654849-1810252412
    • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
    • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
    • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
    • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID: >>>AUTOIT SCRIPT<<<$\
    • API String ID: 0-1896584978
    • Opcode ID: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
    • Instruction ID: e6fbcda15cb9520e0e34bfac0f9750edaedb1b44b840e2dcfb1a2c219c195b9a
    • Opcode Fuzzy Hash: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
    • Instruction Fuzzy Hash: 907186B2504300ABC720EB65C885FEBB3E8AF94714F148D1FF58997142E679E648C75A
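    The strings recovered across these functions ("AutoIt v3" and "static" in the font/window setup, the "#include" / "#requireadmin" / "#NoAutoIt3Execute" directive parser, "AutoIt v3 GUI" as the window class, and ">>>AUTOIT SCRIPT<<<" immediately above) are the AutoIt v3 interpreter's own, so the Win32 call chains listed here (clipboard reads, window matching, GUI drawing) belong to the runtime stub rather than to the payload; the behaviour that matters is in the embedded compiled script. The Python below is an added triage check and is not part of this Joe Sandbox report or of AutoIt: it scans a byte blob for those marker strings in both ASCII and UTF-16LE (the listing calls the W variants, so the binary stores them wide). The 16-byte header that precedes "EA06" is the widely published compiled-script signature and is taken here as an assumption from public YARA rules, not from this report; the sample bytes are constructed inline.

```python
"""Triage check for AutoIt v3 runtime markers in a sample.

Added example, not part of the Joe Sandbox report. The marker strings are the
ones listed in the disassembly above; EA06_SIGNATURE is the widely published
compiled-script header and is an assumption, not something this report shows.
"""
import re
from typing import Dict, List

# Wide strings in the listing (CreateWindowExW / __wcsnicmp callers), so the
# binary holds them as UTF-16LE; ASCII is searched too for repacked variants.
AUTOIT_MARKERS = [
    "AutoIt v3",
    "AutoIt v3 GUI",
    ">>>AUTOIT SCRIPT<<<",
    "#NoAutoIt3Execute",
    "#OnAutoItStartRegister",
    "#requireadmin",
]

# Assumed: bytes that precede the "EA06" tag at the start of a compiled script.
EA06_SIGNATURE = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")


def encodings(marker: str) -> Dict[str, bytes]:
    """Both byte forms a marker can take inside a Win32 binary."""
    return {"ascii": marker.encode("ascii"), "utf16le": marker.encode("utf-16-le")}


def find_markers(blob: bytes) -> Dict[str, List[int]]:
    """Return {"<marker> (<encoding>)": [offsets]} for every hit in blob."""
    hits: Dict[str, List[int]] = {}
    for marker in AUTOIT_MARKERS:
        for enc, needle in encodings(marker).items():
            offsets = [m.start() for m in re.finditer(re.escape(needle), blob)]
            if offsets:
                hits.setdefault(f"{marker} ({enc})", []).extend(offsets)
    sig = [m.start() for m in re.finditer(re.escape(EA06_SIGNATURE), blob)]
    if sig:
        hits["EA06 signature"] = sig
    return hits


def is_autoit_compiled(blob: bytes) -> bool:
    """Conservative verdict: runtime string present AND a script marker or EA06 header."""
    hits = find_markers(blob)
    runtime = any(k.startswith("AutoIt v3") for k in hits)
    script = any(k.startswith(">>>AUTOIT SCRIPT<<<") for k in hits) or "EA06 signature" in hits
    return runtime and script


# Constructed stand-in for a sample: filler bytes around the markers.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") + b"\x00\x00"
    + EA06_SIGNATURE + b"EA06"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for name, offs in sorted(find_markers(SAMPLE).items()):
        print(f"{name:40s} at {[hex(o) for o in offs]}")
    print("AutoIt compiled script:", is_autoit_compiled(SAMPLE))
```

    A positive result is a reason to extract and decompile the embedded script rather than to keep reading the stub's API calls; it is not a malice verdict on its own, since legitimate software ships as compiled AutoIt too. If only the "AutoIt v3" runtime strings are found and neither the script marker nor the EA06 header, treat the file as a possibly stripped or repacked stub and check its resources before concluding anything.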
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: InitVariant
    • String ID:
    • API String ID: 1927566239-0
    • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
    • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
    • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
    • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
    APIs
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
    • GetForegroundWindow.USER32 ref: 0046DBA4
    • IsWindow.USER32(?), ref: 0046DBDE
    • GetDesktopWindow.USER32 ref: 0046DCB5
    • EnumChildWindows.USER32(00000000), ref: 0046DCBC
    • EnumWindows.USER32(00460772,?), ref: 0046DCC4
      • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
    • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
    • API String ID: 1322021666-1919597938
    • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
    • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
    • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
    • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
    APIs
    Strings
    Similarity
    • API ID: __wcsicoll$IconLoad
    • String ID: blank$info$question$stop$warning
    • API String ID: 2485277191-404129466
    • Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
    • Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
    • Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
    • Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
    APIs
    • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
    • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
    • strncnt.LIBCMT ref: 00428646
    • strncnt.LIBCMT ref: 0042865A
    Similarity
    • API ID: strncnt$CompareErrorLastString
    • String ID:
    • API String ID: 1776594460-0
    • Opcode ID: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
    • Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
    • Opcode Fuzzy Hash: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
    • Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
    APIs
    • LoadIconW.USER32(?,00000063), ref: 004545DA
    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
    • SetWindowTextW.USER32(?,?), ref: 00454606
    • GetDlgItem.USER32(?,000003EA), ref: 0045461F
    • SetWindowTextW.USER32(00000000,?), ref: 00454626
    • GetDlgItem.USER32(?,000003E9), ref: 00454637
    • SetWindowTextW.USER32(00000000,?), ref: 0045463E
    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
    • GetWindowRect.USER32(?,?), ref: 00454688
    • SetWindowTextW.USER32(?,?), ref: 004546FD
    • GetDesktopWindow.USER32 ref: 00454708
    • GetWindowRect.USER32(00000000), ref: 0045470F
    • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
    • GetClientRect.USER32(?,?), ref: 0045476F
    • PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
    • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
    Similarity
    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
    • String ID:
    • API String ID: 3869813825-0
    • Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
    • Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
    • Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
    • Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
    APIs
    • LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
    • LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
    • LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
    • LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
    • LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
    • LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
    • LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
    • LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
    • LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
    • LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
    • LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
    • LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
    • LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
    • LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
    • LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
    • LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
    • GetCursorInfo.USER32 ref: 00458E03
    Similarity
    • API ID: Cursor$Load$Info
    • String ID:
    • API String ID: 2577412497-0
    • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
    • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
    • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
    • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
    APIs
    • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
    • GetFocus.USER32 ref: 004696E0
    • GetDlgCtrlID.USER32(00000000), ref: 004696EB
    • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
    Strings
    Similarity
    • API ID: MessagePost$CtrlFocus
    • String ID: 0
    • API String ID: 1534620443-4108050209
    • Opcode ID: 793a3fbe25267325d0b75a382176a94a61fe16f5f08314ff0fc4b35f1226808c
    • Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
    • Opcode Fuzzy Hash: 793a3fbe25267325d0b75a382176a94a61fe16f5f08314ff0fc4b35f1226808c
    • Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
    APIs
    • _memset.LIBCMT ref: 00468107
    • GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
    • GetMenuItemCount.USER32(?), ref: 00468227
    • DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
    • DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
    • DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
    • DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
    • GetMenuItemCount.USER32 ref: 004682DC
    • SetMenuItemInfoW.USER32 ref: 00468317
    • GetCursorPos.USER32(00000000), ref: 00468322
    • SetForegroundWindow.USER32(?), ref: 0046832D
    • TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
    • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
    Strings
    Similarity
    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
    • String ID: 0
    • API String ID: 3993528054-4108050209
    • Opcode ID: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
    • Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
    • Opcode Fuzzy Hash: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
    • Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
    APIs
    • DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
      • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
      • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
      • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
    • SendMessageW.USER32(?), ref: 0046F34C
    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
    • _wcscat.LIBCMT ref: 0046F3BC
    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
    • SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
    • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
    • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
    • DragFinish.SHELL32(?), ref: 0046F414
    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
    Strings
    Similarity
    • API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
    • API String ID: 4085615965-3440237614
    • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
    • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
    • Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
    • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
    APIs
    Strings
    Similarity
    • API ID: __wcsicoll
    • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
    • API String ID: 3832890014-4202584635
    • Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
    • Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
    • Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
    • Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
    APIs
    • _memset.LIBCMT ref: 004669C4
    • _wcsncpy.LIBCMT ref: 00466A21
    • _wcsncpy.LIBCMT ref: 00466A4D
      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
    • _wcstok.LIBCMT ref: 00466A90
      • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
    • _wcstok.LIBCMT ref: 00466B3F
    • _wcscpy.LIBCMT ref: 00466BC8
    • GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
    • _wcslen.LIBCMT ref: 00466D1D
    • _memset.LIBCMT ref: 00466BEE
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    • _wcslen.LIBCMT ref: 00466D4B
    • GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
    Strings
    Similarity
    • API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
    • String ID: X$HH
    • API String ID: 3021350936-1944015008
    • Opcode ID: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
    • Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
    • Opcode Fuzzy Hash: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
    • Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
    APIs
    • _memset.LIBCMT ref: 0045F4AE
    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
    • SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
    • Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
    Strings
    Similarity
    • API ID: InfoItemMenu$Sleep_memset
    • String ID: 0
    • API String ID: 1504565804-4108050209
    • Opcode ID: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
    • Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
    • Opcode Fuzzy Hash: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
    • Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
    APIs
    • DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
    Strings
    Similarity
    • API ID: Window$CreateDestroy
    • String ID: ,$tooltips_class32
    • API String ID: 1109047481-3856767331
    • Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
    • Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
    • Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
    • Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
    APIs
    • _wcsncpy.LIBCMT ref: 0045CCFA
    • __wsplitpath.LIBCMT ref: 0045CD3C
    • _wcscat.LIBCMT ref: 0045CD51
    • _wcscat.LIBCMT ref: 0045CD63
    • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
      • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
    • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
    • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
    • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
    • _wcscpy.LIBCMT ref: 0045CE14
    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
    Strings
    Similarity
    • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
    • String ID: *.*
    • API String ID: 1153243558-438819550
    • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
    • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
    • Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
    • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
    APIs
    • _memset.LIBCMT ref: 00455127
    • GetMenuItemInfoW.USER32 ref: 00455146
    • DeleteMenu.USER32(?,?,00000000), ref: 004551B2
    • DeleteMenu.USER32(?,?,00000000), ref: 004551C8
    • GetMenuItemCount.USER32(?), ref: 004551D9
    • SetMenu.USER32(?,00000000), ref: 004551E7
    • DestroyMenu.USER32(?,?,00000000), ref: 004551F4
    • DrawMenuBar.USER32 ref: 00455207
    • DeleteObject.GDI32(?), ref: 0045564E
    • DeleteObject.GDI32(?), ref: 0045565C
    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
    Strings
    Similarity
    • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
    • String ID: 0
    • API String ID: 1663942905-4108050209
    • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
    • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
    • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
    • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
    APIs
    Similarity
    • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
    • String ID:
    • API String ID: 1481289235-0
    • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
    • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
    • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
    • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
    APIs
    • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
    • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
    • SendMessageW.USER32 ref: 0046FBAF
    • SendMessageW.USER32 ref: 0046FBE2
    • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
    • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
    • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
    • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
    • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
    • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
    • SendMessageW.USER32 ref: 0046FD00
    Similarity
    • API ID: MessageSend$IconImageList_$CreateExtractReplace
    • String ID:
    • API String ID: 2632138820-0
    • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
    • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
    • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
    • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
    APIs
    • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
    • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
    • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
    • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
    • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
    • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
    • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
    • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
    • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
    • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
    • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
    • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
    • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
    • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
    • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
    Similarity
    • API ID: CursorLoad
    • String ID:
    • API String ID: 3238433803-0
    • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
    • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
    • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
    • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
    APIs
    • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
    • _wcslen.LIBCMT ref: 00460B00
    • __swprintf.LIBCMT ref: 00460B9E
    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
    • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
    • GetDlgCtrlID.USER32(?), ref: 00460CE6
    • GetWindowRect.USER32(?,?), ref: 00460D21
    • GetParent.USER32(?), ref: 00460D40
    • ScreenToClient.USER32(00000000), ref: 00460D47
    • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
    • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
    Strings
    Similarity
    • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
    • String ID: %s%u
    • API String ID: 1899580136-679674701
    • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
    • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
    • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
    • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
    APIs
    • CoTaskMemFree.OLE32(?), ref: 0047D6D3
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
    • StringFromIID.OLE32(?,?), ref: 0047D7F0
    • CoTaskMemFree.OLE32(?), ref: 0047D80A
    Similarity
    • API ID: FreeFromStringTask_wcslen$_wcscpy
    • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
    • API String ID: 2485709727-934586222
    • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
    • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
    • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
    • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
    Similarity
    • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
    • String ID: HH
    • API String ID: 3381189665-2761332787
    • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
    • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
    • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
    • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
    APIs
    • GetDC.USER32(00000000), ref: 00434585
    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
    • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
    • SelectObject.GDI32(00000000,?), ref: 004345A9
    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
    • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
    Similarity
    • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
    • String ID: (
    • API String ID: 3300687185-3887548279
    • Opcode ID: 9c38b5fe9aee99f5622f794ffb35a7588c555587df7d86ba6ece5d7c47b9decd
    • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
    • Opcode Fuzzy Hash: 9c38b5fe9aee99f5622f794ffb35a7588c555587df7d86ba6ece5d7c47b9decd
    • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
    APIs
    • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
    • __swprintf.LIBCMT ref: 0045E4D9
    • _printf.LIBCMT ref: 0045E595
    • _printf.LIBCMT ref: 0045E5B7
    Similarity
    • API ID: LoadString_printf$__swprintf_wcslen
    • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
    • API String ID: 3590180749-2894483878
    • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
    • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
    • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
    • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
    APIs
    • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
    • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
    • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
    • DeleteObject.GDI32(?), ref: 0046F950
    • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
    • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
    • DeleteObject.GDI32(?), ref: 0046F9CF
    • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
    • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
    • DestroyIcon.USER32(?), ref: 0046FA4F
    • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
    • DeleteObject.GDI32(?), ref: 0046FA68
    • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
    Similarity
    • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
    • String ID:
    • API String ID: 3412594756-0
    • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
    • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
    • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
    • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
    APIs
      • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
      • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
    • GetDriveTypeW.KERNEL32 ref: 0045DA30
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    Similarity
    • API ID: SendString$_wcslen$BuffCharDriveLowerType
    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
    • API String ID: 4013263488-4113822522
    • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
    • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
    • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
    • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
    Similarity
    • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
    • String ID:
    • API String ID: 228034949-0
    • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
    • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
    • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
    • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
    • GlobalLock.KERNEL32(00000000), ref: 00433523
    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
    • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
    • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
    • GlobalFree.KERNEL32(00000000), ref: 0043357B
    • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
    • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
    • DeleteObject.GDI32(?), ref: 00433603
    • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
    Similarity
    • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
    • String ID:
    • API String ID: 3969911579-0
    • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
    • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
    • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
    • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
    APIs
    • GetParent.USER32 ref: 00445A8D
    • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
    • __wcsicoll.LIBCMT ref: 00445AC4
    • __wcsicoll.LIBCMT ref: 00445AE0
    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
    Similarity
    • API ID: __wcsicoll$ClassMessageNameParentSend
    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
    • API String ID: 3125838495-3381328864
    • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
    • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
    • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
    • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
    Similarity
    • API ID: CopyVariant$ErrorLast
    • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
    • API String ID: 2286883814-4206948668
    • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
    • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
    • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
    • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
    APIs
      • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
      • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
    • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
    • _wcscpy.LIBCMT ref: 00475F18
    Similarity
    • API ID: BuffCharDriveLowerType_wcscpy_wcslen
    • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
    • API String ID: 3052893215-4176887700
    • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
    • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
    • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
    • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
    APIs
    • StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    • CoTaskMemFree.OLE32(?,00000000), ref: 00458335
    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
    • RegQueryValueExW.ADVAPI32 ref: 00458381
    • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
    • RegQueryValueExW.ADVAPI32 ref: 004583E8
    • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
      • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
    • RegCloseKey.ADVAPI32(?), ref: 004584BA
    Similarity
    • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
    • String ID: Version$\TypeLib$interface\
    • API String ID: 656856066-939221531
    • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
    • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
    • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
    • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
    APIs
    • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
    • __swprintf.LIBCMT ref: 0045E6EE
    • _printf.LIBCMT ref: 0045E7A9
    • _printf.LIBCMT ref: 0045E7D2
    Similarity
    • API ID: LoadString_printf$__swprintf_wcslen
    • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
    • API String ID: 3590180749-2354261254
    • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
    • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
    • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
    • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
    APIs
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    • _memset.LIBCMT ref: 00458194
    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
    • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
    • CLSIDFromString.OLE32(00000000,?), ref: 00458279
    • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
    • RegCloseKey.ADVAPI32(00000000), ref: 00458296
    Similarity
    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
    • API String ID: 2255324689-22481851
    • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
    • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
    • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
    • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
    APIs
    • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
    • RegCloseKey.ADVAPI32(?), ref: 00458615
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
    • __wcsicoll.LIBCMT ref: 004585D6
    • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
    • RegCloseKey.ADVAPI32(?), ref: 004585F8
    Similarity
    • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
    • String ID: ($interface$interface\
    • API String ID: 2231185022-3327702407
    • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
    • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
    • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
    • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
    APIs
    • WSAStartup.WSOCK32(00000101,?), ref: 004365A5
    • gethostname.WSOCK32(00000100,00000100,00000101,?), ref: 004365BC
    • gethostbyname.WSOCK32(00000101,00000100,00000100,00000101,?), ref: 004365C6
    • _wcscpy.LIBCMT ref: 004365F5
    • WSACleanup.WSOCK32 ref: 004365FD
    • inet_ntoa.WSOCK32(00000100,?), ref: 00436624
    • _strcat.LIBCMT ref: 0043662F
    • _wcscpy.LIBCMT ref: 00436644
    • WSACleanup.WSOCK32(?,?,?,?,?,?,00000100,?), ref: 00436652
    • _wcscpy.LIBCMT ref: 00436666
    Similarity
    • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
    • String ID: 0.0.0.0
    • API String ID: 2691793716-3771769585
    • Opcode ID: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
    • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
    • Opcode Fuzzy Hash: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
    • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
    • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
      • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
      • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
    • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
    • __lock.LIBCMT ref: 00416B8A
    • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
    • __lock.LIBCMT ref: 00416BAB
    • ___addlocaleref.LIBCMT ref: 00416BC9
    Similarity
    • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
    • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
    • API String ID: 1028249917-2843748187
    • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
    • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
    • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
    • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
    APIs
    • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
    • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
    • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
    • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
    • SendMessageW.USER32(?,00000402,?), ref: 0044941C
    • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$CharNext
    • String ID:
    • API String ID: 1350042424-0
    • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
    • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
    • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
    • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
    APIs
    • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
    • SetKeyboardState.USER32(?), ref: 00453C5A
    • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
    • GetKeyState.USER32(000000A0), ref: 00453C99
    • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
    • GetKeyState.USER32(000000A1), ref: 00453CDA
    • GetAsyncKeyState.USER32(00000011), ref: 00453D07
    • GetKeyState.USER32(00000011), ref: 00453D15
    • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
    • GetKeyState.USER32(00000012), ref: 00453D4D
    • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
    • GetKeyState.USER32(0000005B), ref: 00453D85
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: State$Async$Keyboard
    • String ID:
    • API String ID: 541375521-0
    • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
    • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
    • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
    • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
    APIs
    • GetDlgItem.USER32(?,00000001), ref: 00437DD7
    • GetWindowRect.USER32(00000000,?), ref: 00437DE9
    • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
    • GetDlgItem.USER32(?,00000002), ref: 00437E70
    • GetWindowRect.USER32(00000000,?), ref: 00437E82
    • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
    • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
    • GetWindowRect.USER32(00000000,?), ref: 00437EFC
    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
    • GetDlgItem.USER32(?,000003EA), ref: 00437F55
    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Window$ItemMoveRect$Invalidate
    • String ID:
    • API String ID: 3096461208-0
    • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
    • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
    • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
    • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
    • String ID:
    • API String ID: 136442275-0
    • Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
    • Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
    • Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
    • Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ConnectRegistry_wcslen
    • String ID: HH
    • API String ID: 535477410-2761332787
    • Opcode ID: 73ffc4045073595ae7e1e0ec8c569845a70343ab06b4b73234ab1ee97f02bf98
    • Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
    • Opcode Fuzzy Hash: 73ffc4045073595ae7e1e0ec8c569845a70343ab06b4b73234ab1ee97f02bf98
    • Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
    APIs
    • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
    • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
    • _wcslen.LIBCMT ref: 00460502
    • CharUpperBuffW.USER32(?,00000000), ref: 00460510
    • GetClassNameW.USER32(?,?,00000400), ref: 00460589
    • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
    • GetClassNameW.USER32(?,?,00000400), ref: 00460606
    • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
    • GetWindowRect.USER32(?,?), ref: 004606AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
    • String ID: ThumbnailClass
    • API String ID: 4123061591-1241985126
    • Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
    • Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
    • Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
    • Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
    APIs
      • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
      • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
      • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
      • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
    • DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
    • ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
    • ImageList_EndDrag.COMCTL32 ref: 0046F583
    • ReleaseCapture.USER32 ref: 0046F589
    • SetWindowTextW.USER32(?,00000000), ref: 0046F620
    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
    • String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
    • API String ID: 2483343779-2060113733
    • Opcode ID: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
    • Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
    • Opcode Fuzzy Hash: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
    • Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
    APIs
    • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
    • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
    • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
    • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
    • GetClientRect.USER32(?,?), ref: 0046FEF2
    • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
    • DestroyIcon.USER32(?), ref: 0046FFCC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
    • String ID: 2
    • API String ID: 1331449709-450215437
    • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
    • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
    • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
    • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
    APIs
    • DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: DestroyWindow
    • String ID: static
    • API String ID: 3375834691-2160076837
    • Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
    • Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
    • Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
    • Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
    APIs
    • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
    • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
    • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
    • _memcmp.LIBCMT ref: 004394A9
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
    Strings
    • SeIncreaseQuotaPrivilege, xrefs: 0043946A
    • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
    • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
    • API String ID: 1446985595-805462909
    • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
    • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
    • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
    • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 0045D848
    • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ErrorMode$DriveType
    • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
    • API String ID: 2907320926-41864084
    • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
    • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
    • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
    • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
    APIs
    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
    • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
    • String ID:
    • API String ID: 1932665248-0
    • Opcode ID: 728085738598baa76875e49cf4d4065a6f05a6b9a674c5020805c61219dc5e90
    • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
    • Opcode Fuzzy Hash: 728085738598baa76875e49cf4d4065a6f05a6b9a674c5020805c61219dc5e90
    • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
    APIs
    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
    • GetWindowLongW.USER32(?,000000F0), ref: 004481A7
    • _memset.LIBCMT ref: 004481BA
    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
    • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
    • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
    • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
    • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$LongWindow_memset
    • String ID:
    • API String ID: 830647256-0
    • Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
    • Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
    • Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
    • Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56
    APIs
      • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
    • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
    • ImageList_Destroy.COMCTL32(?), ref: 0046EB04
    • ImageList_Destroy.COMCTL32(?), ref: 0046EB18
    • ImageList_Destroy.COMCTL32(?), ref: 0046EB24
    • DeleteObject.GDI32(00660000), ref: 0046EB4F
    • DestroyIcon.USER32(006E006F), ref: 0046EB67
    • DeleteObject.GDI32(FD9DC4F9), ref: 0046EB7F
    • DestroyWindow.USER32(003A0043), ref: 0046EB97
    • DestroyIcon.USER32(?), ref: 0046EBBF
    • DestroyIcon.USER32(?), ref: 0046EBCD
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
    • String ID:
    • API String ID: 802431696-0
    • Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
    • Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
    • Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
    • Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E
    APIs
    • GetKeyboardState.USER32(?,?,?), ref: 00444D8A
    • GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
    • GetKeyState.USER32(000000A0), ref: 00444E26
    • GetAsyncKeyState.USER32(000000A1), ref: 00444E40
    • GetKeyState.USER32(000000A1), ref: 00444E51
    • GetAsyncKeyState.USER32(00000011), ref: 00444E69
    • GetKeyState.USER32(00000011), ref: 00444E77
    • GetAsyncKeyState.USER32(00000012), ref: 00444E8F
    • GetKeyState.USER32(00000012), ref: 00444E9D
    • GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
    • GetKeyState.USER32(0000005B), ref: 00444EC3
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: State$Async$Keyboard
    • String ID:
    • API String ID: 541375521-0
    • Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
    • Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
    • Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
    • Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID: HH
    • API String ID: 0-2761332787
    • Opcode ID: 62ae1ef38a80d257cfc96b7952d2597f9402fd6663ac117ac87ec897d1cdb8f8
    • Instruction ID: 1932890218e454eaab518c2d08cf67ea4bcb6b95680f1d85a47b5a5cee1eebd3
    • Opcode Fuzzy Hash: 62ae1ef38a80d257cfc96b7952d2597f9402fd6663ac117ac87ec897d1cdb8f8
    • Instruction Fuzzy Hash: 99A1A1726043009BD710EF65DC82B6BB3E9ABD4718F008E2EF558E7281D779E9448B5A
    APIs
    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
    • SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
    • _wcslen.LIBCMT ref: 00450944
    • _wcscat.LIBCMT ref: 00450955
    • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
    • SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$Window_wcscat_wcslen
    • String ID: -----$SysListView32
    • API String ID: 4008455318-3975388722
    • Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
    • Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
    • Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
    • Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
    APIs
    • _memset.LIBCMT ref: 00448625
    • CreateMenu.USER32 ref: 0044863C
    • SetMenu.USER32(?,00000000), ref: 0044864C
    • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
    • IsMenu.USER32(?), ref: 004486EB
    • CreatePopupMenu.USER32 ref: 004486F5
    • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
    • DrawMenuBar.USER32 ref: 00448742
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
    • String ID: 0
    • API String ID: 176399719-4108050209
    • Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
    • Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
    • Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
    • Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
    • GetDlgCtrlID.USER32(00000000), ref: 00469289
    • GetParent.USER32 ref: 004692A4
    • SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
    • GetDlgCtrlID.USER32(00000000), ref: 004692AE
    • GetParent.USER32 ref: 004692C7
    • SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$CtrlParent$_wcslen
    • String ID: ComboBox$ListBox
    • API String ID: 2040099840-1403004172
    • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
    • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
    • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
    • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
    • GetDlgCtrlID.USER32(00000000), ref: 00469483
    • GetParent.USER32 ref: 0046949E
    • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
    • GetDlgCtrlID.USER32(00000000), ref: 004694A8
    • GetParent.USER32 ref: 004694C1
    • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$CtrlParent$_wcslen
    • String ID: ComboBox$ListBox
    • API String ID: 2040099840-1403004172
    • Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
    • Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
    • Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
    • Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
    APIs
      • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
    • SendMessageW.USER32(75A923D0,00001001,00000000,00000000), ref: 00448E73
    • SendMessageW.USER32(75A923D0,00001026,00000000,00000000), ref: 00448E7E
      • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$BrushCreateDeleteObjectSolid
    • String ID:
    • API String ID: 3771399671-0
    • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
    • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
    • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
    • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: InitVariant$_malloc_wcscpy_wcslen
    • String ID:
    • API String ID: 3413494760-0
    • Opcode ID: 2c3aa911d3142a94611b5dd104ad418424d97c02f1276b65d2889a8cb8445575
    • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
    • Opcode Fuzzy Hash: 2c3aa911d3142a94611b5dd104ad418424d97c02f1276b65d2889a8cb8445575
    • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 004377D7
    • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
    • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
    • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
    • String ID:
    • API String ID: 2156557900-0
    • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
    • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
    • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
    • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __wcsicoll
    • String ID: 0%d$DOWN$OFF
    • API String ID: 3832890014-468733193
    • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
    • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
    • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
    • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
    APIs
    • VariantInit.OLEAUT32(00000000), ref: 0045E959
    • VariantCopy.OLEAUT32(00000000), ref: 0045E963
    • VariantClear.OLEAUT32 ref: 0045E970
    • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
    • __swprintf.LIBCMT ref: 0045EB1F
    • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
    • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
    Strings
    • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
    • String ID: %4d%02d%02d%02d%02d%02d
    • API String ID: 43541914-1568723262
    • Opcode ID: c70300b369a5143aafc03cc8e30c18ef37066f122bdd0c4187c65b23208f0aa3
    • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
    • Opcode Fuzzy Hash: c70300b369a5143aafc03cc8e30c18ef37066f122bdd0c4187c65b23208f0aa3
    • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
    APIs
    • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
    • Sleep.KERNEL32(0000000A), ref: 0042FE6E
    • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: DecrementInterlocked$Sleep
    • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
    • API String ID: 2250217261-3412429629
    • Opcode ID: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
    • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
    • Opcode Fuzzy Hash: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
    • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
    • API String ID: 0-1603158881
    • Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
    • Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
    • Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
    • Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A
    APIs
    • _memset.LIBCMT ref: 00479D1F
    • VariantInit.OLEAUT32(?), ref: 00479F06
    • VariantClear.OLEAUT32(?), ref: 00479F11
    • VariantInit.OLEAUT32(?), ref: 00479DF7
      • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
      • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
      • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
    • VariantClear.OLEAUT32(?), ref: 00479F9C
      • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Variant$Copy$ClearInit$ErrorLast_memset
    • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
    • API String ID: 665237470-60002521
    • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
    • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
    • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
    • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ConnectRegistry_wcslen
    • String ID: HH
    • API String ID: 535477410-2761332787
    • Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
    • Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
    • Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
    • Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
    APIs
    • _memset.LIBCMT ref: 0045F317
    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
    • IsMenu.USER32(?), ref: 0045F380
    • CreatePopupMenu.USER32 ref: 0045F3C5
    • GetMenuItemCount.USER32(?), ref: 0045F42F
    • InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
    • String ID: 0$2
    • API String ID: 3311875123-3793063076
    • Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
    • Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
    • Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
    • Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
    APIs
    • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\rComprobantedepago.exe), ref: 0043719E
    • LoadStringW.USER32(00000000), ref: 004371A7
    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
    • LoadStringW.USER32(00000000), ref: 004371C0
    • _printf.LIBCMT ref: 004371EC
    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
    Strings
    • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
    • C:\Users\user\Desktop\rComprobantedepago.exe, xrefs: 00437189
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: HandleLoadModuleString$Message_printf
    • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\rComprobantedepago.exe
    • API String ID: 220974073-3574093773
    • Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
    • Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
    • Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
    • Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
    • Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
    • Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
    • Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29
    APIs
      • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\rComprobantedepago.exe,?,C:\Users\user\Desktop\rComprobantedepago.exe,004A8E80,C:\Users\user\Desktop\rComprobantedepago.exe,0040F3D2), ref: 0040FFCA
      • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
    • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
    • MoveFileW.KERNEL32(?,?), ref: 0045358E
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: File$AttributesFullMoveNamePathlstrcmpi
    • String ID:
    • API String ID: 978794511-0
    • Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
    • Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
    • Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
    • Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
    • Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
    • Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
    • Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
    APIs
      • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
      • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
      • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
    • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
    • Sleep.KERNEL32(00000000), ref: 00445D70
    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
    • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
    • String ID:
    • API String ID: 2014098862-0
    • Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
    • Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
    • Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
    • Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AddressProc_malloc$_strcat_strlen
    • String ID: AU3_FreeVar
    • API String ID: 2184576858-771828931
    • Opcode ID: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
    • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
    • Opcode Fuzzy Hash: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
    • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
    APIs
    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
    • DestroyWindow.USER32(?), ref: 0042A751
    • UnregisterHotKey.USER32(?), ref: 0042A778
    • FreeLibrary.KERNEL32(?), ref: 0042A822
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
    Strings
    Similarity
    • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
    • String ID: close all
    • API String ID: 4174999648-3243417748
    APIs
    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
    • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
    • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
      • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
    Strings
    Similarity
    • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
    • String ID:
    • API String ID: 1291720006-3916222277
    APIs
    Strings
    Similarity
    • API ID: ErrorLastselect
    • String ID: HH
    • API String ID: 215497628-2761332787
    APIs
    Strings
    Similarity
    • API ID: __snwprintf__wcsicoll_wcscpy
    • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
    • API String ID: 1729044348-3708979750
    APIs
      • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\rComprobantedepago.exe,?,C:\Users\user\Desktop\rComprobantedepago.exe,004A8E80,C:\Users\user\Desktop\rComprobantedepago.exe,0040F3D2), ref: 0040FFCA
    • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
    • MoveFileW.KERNEL32(?,?), ref: 0044BC38
    • _wcscat.LIBCMT ref: 0044BCAA
    • _wcslen.LIBCMT ref: 0044BCB7
    • _wcslen.LIBCMT ref: 0044BCCB
    • SHFileOperationW.SHELL32 ref: 0044BD16
    Strings
    Similarity
    • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
    • String ID: \*.*
    • API String ID: 2326526234-1173974218
    APIs
      • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
    • _wcslen.LIBCMT ref: 004366DD
    • GetFileAttributesW.KERNEL32(?), ref: 00436700
    • GetLastError.KERNEL32 ref: 0043670F
    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
    • _wcsrchr.LIBCMT ref: 0043674C
      • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
    Strings
    Similarity
    • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
    • String ID: \
    • API String ID: 321622961-2967466578
    APIs
    Strings
    Similarity
    • API ID: __wcsnicmp
    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
    • API String ID: 1038674560-2734436370
    APIs
    • DeleteObject.GDI32(?), ref: 0044157D
    • GetDC.USER32(00000000), ref: 00441585
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
    • ReleaseDC.USER32(00000000,00000000), ref: 0044159B
    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
    Similarity
    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
    • String ID:
    • API String ID: 3864802216-0
    APIs
    • ___set_flsgetvalue.LIBCMT ref: 004140E1
      • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
      • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
      • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
    • ___fls_getvalue@4.LIBCMT ref: 004140EC
      • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
    • ___fls_setvalue@8.LIBCMT ref: 004140FF
      • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
    • ExitThread.KERNEL32 ref: 0041410F
    • GetCurrentThreadId.KERNEL32 ref: 00414115
    • __freefls@4.LIBCMT ref: 00414135
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
    Similarity
    • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
    • String ID:
    • API String ID: 1925773019-0
    APIs
    • VariantClear.OLEAUT32(00000038), ref: 004357C3
    • VariantClear.OLEAUT32(00000058), ref: 004357C9
    • VariantClear.OLEAUT32(00000068), ref: 004357CF
    • VariantClear.OLEAUT32(00000078), ref: 004357D5
    • VariantClear.OLEAUT32(00000088), ref: 004357DE
    • VariantClear.OLEAUT32(00000048), ref: 004357E4
    • VariantClear.OLEAUT32(00000098), ref: 004357ED
    • VariantClear.OLEAUT32(000000A8), ref: 004357F6
    Similarity
    • API ID: ClearVariant
    • String ID:
    • API String ID: 1473721057-0
    APIs
    • WSAStartup.WSOCK32(00000101,?,?), ref: 00464ADE
      • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
    • inet_addr.WSOCK32(?,00000000,?,?,00000101,?,?), ref: 00464B1F
    • gethostbyname.WSOCK32(?,?,00000000,?,?,00000101,?,?), ref: 00464B29
    • _memset.LIBCMT ref: 00464B92
    • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
    • GlobalFree.KERNEL32(00000000), ref: 00464CDE
    • WSACleanup.WSOCK32 ref: 00464CE4
    Similarity
    • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
    • String ID:
    • API String ID: 3424476444-0
    APIs
    • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
    Similarity
    • API ID: MetricsSystem
    • String ID:
    • API String ID: 4116985748-0
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
    Similarity
    • API ID: ConnectRegistry_wcslen
    • String ID:
    • API String ID: 535477410-0
    APIs
      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
    • _memset.LIBCMT ref: 004538C4
    • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
    • _wcslen.LIBCMT ref: 00453960
    • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
    • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
    Strings
    Similarity
    • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
    • String ID: 0
    • API String ID: 3530711334-4108050209
    APIs
    • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
    • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
    Strings
    Similarity
    • API ID: Process$CloseCountersCurrentHandleOpen
    • String ID: HH
    • API String ID: 3488606520-2761332787
    APIs
      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
    • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
    • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
    • LineTo.GDI32(?,?), ref: 004474BF
    • CloseFigure.GDI32(?), ref: 004474C6
    • SetPixel.GDI32(?,?,?,?), ref: 004474D6
    • Rectangle.GDI32(?,?), ref: 004474F3
    Similarity
    • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
    • String ID:
    • API String ID: 4082120231-0
    APIs
      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
    • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
    • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
    • LineTo.GDI32(?,?), ref: 004474BF
    • CloseFigure.GDI32(?), ref: 004474C6
    • SetPixel.GDI32(?,?,?,?), ref: 004474D6
    • Rectangle.GDI32(?,?), ref: 004474F3
    Similarity
    • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
    • String ID:
    • API String ID: 4082120231-0
    APIs
    Similarity
    • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
    • String ID:
    • API String ID: 288456094-0
    APIs
    • GetParent.USER32(?), ref: 004449B0
    • GetKeyboardState.USER32(?), ref: 004449C3
    • SetKeyboardState.USER32(?), ref: 00444A0F
    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
    Similarity
    • API ID: MessagePost$KeyboardState$Parent
    • String ID:
    • API String ID: 87235514-0
    • Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
    • Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
    • Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
    • Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
    APIs
    • GetParent.USER32(?), ref: 00444BA9
    • GetKeyboardState.USER32(?), ref: 00444BBC
    • SetKeyboardState.USER32(?), ref: 00444C08
    • PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
    • PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
    • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
    • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessagePost$KeyboardState$Parent
    • String ID:
    • API String ID: 87235514-0
    • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
    • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
    • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
    • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
    • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
    • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
    • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ConnectRegistry_wcslen
    • String ID: HH
    • API String ID: 535477410-2761332787
    • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
    • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
    • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
    • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
    APIs
    • _memset.LIBCMT ref: 00457C34
    • _memset.LIBCMT ref: 00457CE8
    • ShellExecuteExW.SHELL32(?), ref: 00457D34
      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
    • CloseHandle.KERNEL32(?), ref: 00457DDD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
    • String ID: <$@
    • API String ID: 1325244542-1426351568
    • Opcode ID: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
    • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
    • Opcode Fuzzy Hash: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
    • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
    • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
    • __wsplitpath.LIBCMT ref: 004737E1
      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
    • _wcscat.LIBCMT ref: 004737F6
    • __wcsicoll.LIBCMT ref: 00473818
    • Process32NextW.KERNEL32(00000000,?), ref: 00473844
    • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
    • String ID:
    • API String ID: 2547909840-0
    • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
    • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
    • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
    • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
    APIs
    • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
    • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
    • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
    • DeleteObject.GDI32(?), ref: 0045564E
    • DeleteObject.GDI32(?), ref: 0045565C
    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
    • String ID:
    • API String ID: 2354583917-0
    • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
    • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
    • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
    • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
    APIs
      • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
    • GetMenu.USER32 ref: 004776AA
    • GetMenuItemCount.USER32(00000000), ref: 004776CC
    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
    • _wcslen.LIBCMT ref: 0047771A
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Menu$CountItemStringWindow_wcslen
    • String ID:
    • API String ID: 1823500076-0
    • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
    • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
    • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
    • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
    APIs
    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
    • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
    • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
    • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
    • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
    • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
    • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Window$Enable$Show$MessageMoveSend
    • String ID:
    • API String ID: 896007046-0
    • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
    • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
    • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
    • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
    APIs
    • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
    • GetWindowLongW.USER32(?,000000F0), ref: 00441452
    • GetWindowLongW.USER32(?,000000F0), ref: 00441493
    • SendMessageW.USER32(00A31B58,000000F1,00000000,00000000), ref: 004414C6
    • SendMessageW.USER32(00A31B58,000000F1,00000001,00000000), ref: 004414F1
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$LongWindow
    • String ID:
    • API String ID: 312131281-0
    • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
    • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
    • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
    • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
    APIs
    • _memset.LIBCMT ref: 004484C4
    • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
    • IsMenu.USER32(?), ref: 0044857B
    • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
    • DrawMenuBar.USER32 ref: 004485E4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Menu$Item$DrawInfoInsert_memset
    • String ID: 0
    • API String ID: 3866635326-4108050209
    • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
    • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
    • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
    • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
    APIs
    • InterlockedIncrement.KERNEL32 ref: 0047247C
    • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
    • Sleep.KERNEL32(0000000A), ref: 00472499
    • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
    • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Interlocked$DecrementIncrement$Sleep
    • String ID: 0vH
    • API String ID: 327565842-3662162768
    • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
    • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
    • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
    • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
    APIs
    • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
    • GetFocus.USER32 ref: 00448B1C
    • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
    • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
    • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
    • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
    • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Window$Enable$Show$FocusMessageSend
    • String ID:
    • API String ID: 3429747543-0
    • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
    • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
    • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
    • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
    • __swprintf.LIBCMT ref: 0045D3CC
    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ErrorMode$InformationVolume__swprintf
    • String ID: %lu$HH
    • API String ID: 3164766367-3924996404
    • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
    • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
    • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
    • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
    APIs
    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
    • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
    • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: Msctls_Progress32
    • API String ID: 3850602802-3636473452
    • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
    • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
    • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
    • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
    APIs
    • ___set_flsgetvalue.LIBCMT ref: 00415737
    • __calloc_crt.LIBCMT ref: 00415743
    • __getptd.LIBCMT ref: 00415750
    • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
    • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
    • __dosmaperr.LIBCMT ref: 004157A9
      • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
      • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
    • String ID:
    • API String ID: 1269668773-0
    • Opcode ID: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
    • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
    • Opcode Fuzzy Hash: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
    • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
    APIs
      • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
      • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
    • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
    • DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
    • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
    • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
    • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
    • String ID:
    • API String ID: 1957940570-0
    • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
    • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
    • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
    • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
    APIs
    • ___set_flsgetvalue.LIBCMT ref: 00415690
      • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
      • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
      • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
    • ___fls_getvalue@4.LIBCMT ref: 0041569B
      • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
    • ___fls_setvalue@8.LIBCMT ref: 004156AD
      • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
    • ExitThread.KERNEL32 ref: 004156BD
    • __freefls@4.LIBCMT ref: 004156D9
    • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
    • String ID:
    • API String ID: 4166825349-0
    • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
    • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
    • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
    • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
    APIs
    • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
    • API String ID: 2574300362-3261711971
    • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
    • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
    • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
    • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
    Similarity
    • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
    • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
    • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
    APIs
    • GetClientRect.USER32(?,?), ref: 00433724
    • GetWindowRect.USER32(00000000,?), ref: 00433757
    • GetClientRect.USER32(0000001D,?), ref: 004337AC
    • GetSystemMetrics.USER32(0000000F), ref: 00433800
    • GetWindowRect.USER32(?,?), ref: 00433814
    • ScreenToClient.USER32(?,?), ref: 00433842
    Similarity
    • API ID: Rect$Client$Window$MetricsScreenSystem
    • API String ID: 3220332590-0
    • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
    • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
    • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
    Similarity
    • API ID: _malloc_wcslen$_strcat_wcscpy
    • API String ID: 1612042205-0
    • Opcode ID: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
    • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
    • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
    APIs
    • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
    • SetKeyboardState.USER32(00000080), ref: 0044C59B
    • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
    • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
    • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
    • SendInput.USER32 ref: 0044C6E2
    Similarity
    • API ID: MessagePost$KeyboardState$InputSend
    • API String ID: 2221674350-0
    • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
    • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
    • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
    Similarity
    • API ID: _wcscpy$_wcscat
    • API String ID: 2037614760-0
    • Opcode ID: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
    • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
    • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
    APIs
    • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
    • GetWindowRect.USER32(?,?), ref: 00447C1B
    • ScreenToClient.USER32(?,?), ref: 00447C39
    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
    • EndPaint.USER32(?,?), ref: 00447CD1
    Similarity
    • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
    • API String ID: 4189319755-0
    • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
    • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
    • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
    APIs
    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
    • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
    • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
    • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
    Similarity
    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
    • API String ID: 1726766782-0
    • Opcode ID: 3116fc199b7fcbba8b660e3f79d6193ca3803be91d9aea3391631e51c3b31549
    • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
    • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
    APIs
    • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
    • EnableWindow.USER32(?,00000000), ref: 0044111A
    • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
    • ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
    • EnableWindow.USER32(?,00000001), ref: 004411B3
    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
    Similarity
    • API ID: Window$Show$Enable$MessageSend
    • API String ID: 642888154-0
    • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
    • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
    • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
    APIs
    • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
    • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
    Similarity
    • API ID: MessageSend$LongWindow$InvalidateRect
    • API String ID: 1976402638-0
    • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
    • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
    • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
    APIs
    • GetForegroundWindow.USER32 ref: 00442597
      • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
    • GetDesktopWindow.USER32 ref: 004425BF
    • GetWindowRect.USER32(00000000), ref: 004425C6
    • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
      • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
    • GetCursorPos.USER32(?), ref: 00442624
    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
    Similarity
    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
    • API String ID: 4137160315-0
    • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
    • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
    • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
    APIs
    • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
    • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
    • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
    • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
    • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
    • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
    Similarity
    • API ID: Window$Enable$Show$MessageSend
    • API String ID: 1871949834-0
    • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
    • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
    • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
    APIs
    • _memset.LIBCMT ref: 0044961A
    • SendMessageW.USER32 ref: 0044964A
      • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
    • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
    • _wcslen.LIBCMT ref: 004496BA
    • _wcslen.LIBCMT ref: 004496C7
    • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
    Similarity
    • API ID: MessageSend$_wcslen$_memset_wcspbrk
    • API String ID: 1624073603-0
    • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
    • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
    • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
    Similarity
    • Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
    • Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
    • Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
    APIs
    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
    • DeleteObject.GDI32(?), ref: 0045564E
    • DeleteObject.GDI32(?), ref: 0045565C
    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
    Similarity
    • API ID: DestroyWindow$DeleteObject$IconMove
    • API String ID: 1640429340-0
    • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
    • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
    • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
    Similarity
    • API ID: __fileno__setmode$DebugOutputString_fprintf
    • API String ID: 3354276064-0
    • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
    • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
    • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
    Similarity
    • API ID: Destroy$DeleteMenuObject$IconWindow
    • API String ID: 752480666-0
    • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
    • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
    • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
    APIs
    • DestroyWindow.USER32(00000000), ref: 0045527A
    • ImageList_Destroy.COMCTL32(?), ref: 0045528C
    • DeleteObject.GDI32(?), ref: 0045564E
    • DeleteObject.GDI32(?), ref: 0045565C
    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
    Similarity
    • API ID: Destroy$DeleteObjectWindow$IconImageList_
    • API String ID: 3275902921-0
    • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
    • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
    • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
    APIs
    • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
    • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
    • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
    • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
    • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
    Similarity
    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
    • API String ID: 1413079979-0
    • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
    • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
    • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
    APIs
    • ___set_flsgetvalue.LIBCMT ref: 0041418F
    • __calloc_crt.LIBCMT ref: 0041419B
    • __getptd.LIBCMT ref: 004141A8
    • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
    • __dosmaperr.LIBCMT ref: 00414201
      • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
      • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
    Similarity
    • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
    • API String ID: 1803633139-0
    • Opcode ID: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
    • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
    • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
    APIs
    • ImageList_Destroy.COMCTL32(?), ref: 004555E8
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
    • DeleteObject.GDI32(?), ref: 0045564E
    • DeleteObject.GDI32(?), ref: 0045565C
    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
    Similarity
    • API ID: Destroy$DeleteObjectWindow$IconImageList_
    • String ID:
    • API String ID: 3275902921-0
    • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
    • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
    • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
    • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
    APIs
    • SendMessageW.USER32 ref: 004554DF
    • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
    • DeleteObject.GDI32(?), ref: 0045564E
    • DeleteObject.GDI32(?), ref: 0045565C
    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: DeleteDestroyMessageObjectSend$IconWindow
    • String ID:
    • API String ID: 3691411573-0
    • Opcode ID: 72621546fc85f43182a2d7aa0f69f9d8a5c0b98b4bf428e1f87a25fd8cd6fa89
    • Instruction ID: 46bf5c356378f1810468ef4d8dfe2f1c399e91f4bdd480ef4a2643e810f8fbb4
    • Opcode Fuzzy Hash: 72621546fc85f43182a2d7aa0f69f9d8a5c0b98b4bf428e1f87a25fd8cd6fa89
    • Instruction Fuzzy Hash: 8B1108713047419BC710DF68DDC8B2A77A8BB14322F400A6AFD14DB2D2D778DC498769
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _wcslen$_wcstok$ExtentPoint32Text
    • String ID:
    • API String ID: 1814673581-0
    • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
    • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
    • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
    • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
    APIs
    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: PerformanceQuery$CounterSleep$Frequency
    • String ID:
    • API String ID: 2833360925-0
    • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
    • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
    • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
    • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
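    The five calls listed above (Sleep, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, QueryPerformanceCounter at 0x00436287 to 0x004362C5) are the pattern behind this report's "Contains functionality to detect sleep reduction / modifications" and "execution timing" signatures: a delay is requested and then measured with the high-resolution counter, and a sandbox that shortens or skips Sleep produces a measured gap far smaller than the one requested. The report shows only the API order, not the comparison, so the following C block is an added example modelling that check; it is not code from rComprobantedepago.exe or from Joe Sandbox. The 50 ms request, the 10 % tolerance and the three injected hosts (honest, sleep-skipping, sleep-skipping with a virtual clock) are assumptions constructed for the demonstration; on Windows the injected functions would be Sleep and the QueryPerformanceCounter/QueryPerformanceFrequency pair.

```c
/* Added example: a portable model of the Sleep / QueryPerformanceCounter
 * timing check listed above (0x00436287..0x004362C5). This is not code from
 * rComprobantedepago.exe or from Joe Sandbox; the comparison logic, the
 * 50 ms request and the 10 % tolerance are assumptions, and the three
 * "hosts" are constructed to show when the check fires. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <time.h>

/* The two time sources the check depends on. On Windows they are
 * Sleep() and QueryPerformanceCounter()/QueryPerformanceFrequency();
 * here they are injected so the same check runs against different hosts. */
typedef struct {
    uint64_t (*now_ns)(void);
    void     (*sleep_ms)(unsigned ms);
} time_api;

/* Honest wall clock in nanoseconds (stand-in for QPC scaled by QPF). */
static uint64_t host_now_ns(void)
{
    struct timespec ts;
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
    timespec_get(&ts, TIME_UTC);
#else
    clock_gettime(CLOCK_REALTIME, &ts);
#endif
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Honest delay: wall-clock time really passes. A busy-wait keeps the example
 * portable; real code would call Sleep() or nanosleep(). */
static void host_sleep_ms(unsigned ms)
{
    uint64_t end = host_now_ns() + (uint64_t)ms * 1000000ull;
    while (host_now_ns() < end) { }
}

/* Sandbox that skips sleeps but leaves the real clock alone. */
static void skipping_sleep_ms(unsigned ms) { (void)ms; }

/* Sandbox that skips sleeps and also advances a virtual clock by the skipped
 * time, so Sleep and the performance counter stay consistent. */
static uint64_t virtual_ns = 0;
static uint64_t virtual_now_ns(void) { return virtual_ns; }
static void virtual_sleep_ms(unsigned ms) { virtual_ns += (uint64_t)ms * 1000000ull; }

/* The check itself, in the order the sample calls the APIs: Sleep(0), read
 * the counter, Sleep(request), read the counter again. Returns 1 when the
 * measured gap is at least the requested delay minus tolerance_pct percent,
 * 0 when the delay was cut short (sleep skipping or acceleration). */
int sleep_honoured(const time_api *t, unsigned request_ms, unsigned tolerance_pct)
{
    t->sleep_ms(0);
    uint64_t start   = t->now_ns();
    t->sleep_ms(request_ms);
    uint64_t elapsed = t->now_ns() - start;
    uint64_t minimum = (uint64_t)request_ms * 1000000ull * (100 - tolerance_pct) / 100;
    return elapsed >= minimum;
}

static const time_api host_real     = { host_now_ns,    host_sleep_ms     };
static const time_api host_skipping = { host_now_ns,    skipping_sleep_ms };
static const time_api host_virtual  = { virtual_now_ns, virtual_sleep_ms  };

/* One call per host; each returns 1 when the delay looks honoured. */
int check_real_host(void)     { return sleep_honoured(&host_real,     50, 10); }
int check_skipping_host(void) { return sleep_honoured(&host_skipping, 50, 10); }
int check_virtual_host(void)  { return sleep_honoured(&host_virtual,  50, 10); }

int main(void)
{
    /* Expected: real host passes, skipping sandbox is caught, virtual-clock
     * sandbox evades the check. Exit status 0 when all three hold. */
    return (check_real_host() && !check_skipping_host() && check_virtual_host()) ? 0 : 1;
}
```

    The third host is the caveat for anyone running this sample in an analysis environment: patching Sleep alone is caught by this pattern, so a sandbox that accelerates sleeps has to advance its timer sources (QueryPerformanceCounter, GetTickCount and the RDTSC path) by the same amount, which is why the sample also reads QueryPerformanceFrequency to scale the counter to real time.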
    APIs
      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
    • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
    • LineTo.GDI32(?,?,?), ref: 00447227
    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
    • LineTo.GDI32(?,?,?), ref: 0044723D
    • EndPath.GDI32(?), ref: 0044724E
    • StrokePath.GDI32(?), ref: 0044725C
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
    • String ID:
    • API String ID: 372113273-0
    • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
    • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
    • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
    • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
    APIs
    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
    • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Virtual
    • String ID:
    • API String ID: 4278518827-0
    • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
    • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
    • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
    • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
    APIs
    • GetDC.USER32(00000000), ref: 0044CBEF
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
    • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
    • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CapsDevice$Release
    • String ID:
    • API String ID: 1035833867-0
    • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
    • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
    • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
    • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
    APIs
    • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
    • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
    • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
    • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
      • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
    • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
    • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
    • String ID:
    • API String ID: 3495660284-0
    • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
    • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
    • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
    • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
    APIs
    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
    • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
    • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
    • CloseHandle.KERNEL32(00000000), ref: 00437174
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
    • String ID:
    • API String ID: 839392675-0
    • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
    • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
    • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
    • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
    APIs
    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\rComprobantedepago.exe,00000004), ref: 00436055
    • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
    • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
    • GetLastError.KERNEL32 ref: 00436081
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
    • String ID:
    • API String ID: 1690418490-0
    • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
    • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
    • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
    • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
    APIs
      • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
    • CoInitialize.OLE32(00000000), ref: 00475B71
    • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
    • CoUninitialize.OLE32 ref: 00475D71
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CreateInitializeInstanceUninitialize_wcslen
    • String ID: .lnk$HH
    • API String ID: 886957087-3121654589
    • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
    • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
    • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
    • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Menu$Delete$InfoItem_memset
    • String ID: 0
    • API String ID: 1173514356-4108050209
    • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
    • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
    • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
    • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
    • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
    • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$_wcslen
    • String ID: ComboBox$ListBox
    • API String ID: 763830540-1403004172
    • Opcode ID: 4ad7beea66527130140dc51f954f788da7417f2fae21e193330e90049e201333
    • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
    • Opcode Fuzzy Hash: 4ad7beea66527130140dc51f954f788da7417f2fae21e193330e90049e201333
    • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
    APIs
    • GetStdHandle.KERNEL32(?), ref: 004439B4
      • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75922EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
      • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
      • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CurrentHandleProcess$Duplicate
    • String ID: nul
    • API String ID: 2124370227-2873401336
    • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
    • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
    • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
    • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
    APIs
    • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
      • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75922EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
      • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
      • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CurrentHandleProcess$Duplicate
    • String ID: nul
    • API String ID: 2124370227-2873401336
    • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
    • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
    • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
    • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
    APIs
    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
    • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
    • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
    • DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$DestroyLibraryLoadWindow
    • String ID: SysAnimate32
    • API String ID: 3529120543-1011021900
    • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
    • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
    • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
    • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
    APIs
    • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
    • TranslateMessage.USER32(?), ref: 0044308B
    • DispatchMessageW.USER32(?), ref: 00443096
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Message$Peek$DispatchTranslate
    • String ID: *.*
    • API String ID: 1795658109-438819550
    • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
    • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
    • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
    • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
    APIs
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
      • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
      • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
      • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
      • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
    • GetFocus.USER32 ref: 004609EF
      • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
      • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
    • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
    • EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
    • __swprintf.LIBCMT ref: 00460A7A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
    • String ID: %s%d
    • API String ID: 991886796-1110647743
    • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
    • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
    • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
    • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _memset$_sprintf
    • String ID: %02X
    • API String ID: 891462717-436463671
    • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
    • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
    • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
    • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
    APIs
    • _memset.LIBCMT ref: 0042CD00
    • GetOpenFileNameW.COMDLG32 ref: 0042CD51
      • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\rComprobantedepago.exe,?,C:\Users\user\Desktop\rComprobantedepago.exe,004A8E80,C:\Users\user\Desktop\rComprobantedepago.exe,0040F3D2), ref: 0040FFCA
      • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
      • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
      • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
      • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
      • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
      • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
    Strings
    Similarity
    • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
    • String ID: $OH$@OH$X
    • API String ID: 3491138722-1394974532
    • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
    • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
    • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
    • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
    APIs
    • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
    • GetProcAddress.KERNEL32(?,?), ref: 00463E68
    • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
    • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
    • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
    Similarity
    • API ID: AddressProc$Library$FreeLoad
    • String ID:
    • API String ID: 2449869053-0
    • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
    • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
    • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
    • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
    APIs
    • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
    • SetKeyboardState.USER32(00000080), ref: 0044C3ED
    • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
    • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
    • SendInput.USER32 ref: 0044C509
    Similarity
    • API ID: KeyboardMessagePostState$InputSend
    • String ID:
    • API String ID: 3031425849-0
    • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
    • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
    • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
    • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
    APIs
    • RegEnumKeyExW.ADVAPI32 ref: 004422F0
    • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
    • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
    • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
    Similarity
    • API ID: Enum$CloseDeleteOpen
    • String ID:
    • API String ID: 2095303065-0
    • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
    • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
    • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
    • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
    APIs
    • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
    • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
    • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
    • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
    Similarity
    • API ID: PrivateProfile$SectionWrite$String
    • String ID:
    • API String ID: 2832842796-0
    • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
    • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
    • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
    • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
    APIs
    • GetClientRect.USER32(?,?), ref: 00447997
    • GetCursorPos.USER32(?), ref: 004479A2
    • ScreenToClient.USER32(?,?), ref: 004479BE
    • WindowFromPoint.USER32(?,?), ref: 004479FF
    • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
    Similarity
    • API ID: Client$CursorFromPointProcRectScreenWindow
    • String ID:
    • API String ID: 1822080540-0
    • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
    • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
    • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
    • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
    APIs
    • GetWindowRect.USER32(?,?), ref: 00447C1B
    • ScreenToClient.USER32(?,?), ref: 00447C39
    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
    • EndPaint.USER32(?,?), ref: 00447CD1
    Similarity
    • API ID: ClientPaintRectRectangleScreenViewportWindow
    • String ID:
    • API String ID: 659298297-0
    • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
    • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
    • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
    • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
    APIs
    • GetCursorPos.USER32(?), ref: 004478A7
    • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
    • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
    • GetCursorPos.USER32(?), ref: 00447935
    • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
    Similarity
    • API ID: CursorMenuPopupTrack$Proc
    • String ID:
    • API String ID: 1300944170-0
    • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
    • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
    • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
    • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
    APIs
    • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
    • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
    • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
    • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
    • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
      • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
      • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
      • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
      • Part of subcall function 004413F0: SendMessageW.USER32(00A31B58,000000F1,00000000,00000000), ref: 004414C6
      • Part of subcall function 004413F0: SendMessageW.USER32(00A31B58,000000F1,00000001,00000000), ref: 004414F1
    Similarity
    • API ID: Window$EnableMessageSend$LongShow
    • String ID:
    • API String ID: 142311417-0
    • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
    • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
    • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
    • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
    APIs
    • _memset.LIBCMT ref: 0044955A
      • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
    • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
    • _wcslen.LIBCMT ref: 004495C1
    • _wcslen.LIBCMT ref: 004495CE
    • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
    Similarity
    • API ID: MessageSend_wcslen$_memset_wcspbrk
    • String ID:
    • API String ID: 1843234404-0
    • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
    • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
    • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
    • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
    • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
    • Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
    • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
    APIs
    • IsWindowVisible.USER32(?), ref: 00445721
    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
    • _wcslen.LIBCMT ref: 004457A3
    • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
    Similarity
    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
    • String ID:
    • API String ID: 3087257052-0
    • Opcode ID: ca3913ba8b71073e0ce021836b700eedeffde7f07e4c33ae1321f48a2751b72e
    • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
    • Opcode Fuzzy Hash: ca3913ba8b71073e0ce021836b700eedeffde7f07e4c33ae1321f48a2751b72e
    • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
    APIs
    • IsWindow.USER32(00000000), ref: 00459DEF
    • GetForegroundWindow.USER32 ref: 00459E07
    • GetDC.USER32(00000000), ref: 00459E44
    • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
    • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
    Similarity
    • API ID: Window$ForegroundPixelRelease
    • String ID:
    • API String ID: 4156661090-0
    • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
    • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
    • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
    • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
    APIs
      • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
    • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00464985
    • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
    • connect.WSOCK32(00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649CD
    • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
    • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 00464A07
    Similarity
    • API ID: ErrorLast$closesocketconnectinet_addrsocket
    • String ID:
    • API String ID: 245547762-0
    • Opcode ID: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
    • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
    • Opcode Fuzzy Hash: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
    • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
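The entries above pair a handful of APIs into behaviours a triager wants flagged: the LoadLibraryW/GetProcAddress resolver, the SetKeyboardState/PostMessageW/SendInput key injector, the RegEnumKeyExW loop around RegDeleteKeyW, and the socket/connect routine. The following Python script is an added example, not part of the report and not Joe Sandbox code: it parses the report's own "APIs" bullet format into one call set per function and matches a few hand-written rules against those sets. The rule names, the choice of the first direct call site as the reported address (the listing gives no function start), and the embedded sample text (a subset copied from the entries above) are the author's; the decoded Win32 and Winsock constants are the standard header values.

```python
"""Rule-based triage over a Joe Sandbox 'APIs' listing. Added example for this
page, not Joe Sandbox code: rule names and the reported address are the author's."""
import re

# Constructed sample: API lines copied verbatim from the entries above, grouped by the report's "APIs" marker.
SAMPLE_REPORT = """\
APIs
• LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
• GetProcAddress.KERNEL32(?,?), ref: 00463E68
• GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
• FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
APIs
• SetKeyboardState.USER32(00000080), ref: 0044C3ED
• PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
• SendInput.USER32 ref: 0044C509
APIs
• RegEnumKeyExW.ADVAPI32 ref: 004422F0
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
• RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
APIs
  • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
• socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00464985
• connect.WSOCK32(00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649CD
"""

# One bullet line: optional "Part of subcall" prefix, API.MODULE, optional (args), "ref: ADDR".
API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.[A-Z0-9_]+"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

def normalize(api):
    """Drop the A/W suffix so RegEnumKeyExW and RegEnumKeyExA hit the same rule."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", api)

def parse_report(text):
    """Group bullet lines into one list of calls per 'APIs' entry; '?' args are unresolved."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        m = API_LINE.search(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append({"api": normalize(m["api"]), "args": args,
                            "ref": m["ref"], "sub": bool(m["sub"])})
    return [e for e in entries if e]

def anchor(entry):
    """Address to report: the first direct call site (subcall lines belong to another function)."""
    direct = [c["ref"] for c in entry if not c["sub"]]
    return (direct or [c["ref"] for c in entry])[0]

def _hex(tok):
    return int(tok, 16) if re.fullmatch(r"[0-9A-F]+", tok) else None

# Constants from the Win32 / Winsock headers, used to decode the printed arguments.
WM = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x102: "WM_CHAR", 0x104: "WM_SYSKEYDOWN", 0x105: "WM_SYSKEYUP"}
AF, SOCK, PROTO = {2: "AF_INET", 23: "AF_INET6"}, {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}, {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

def describe_dynamic_resolution(entry):
    n = sum(c["api"] == "GetProcAddress" for c in entry)
    return f"LoadLibrary then {n}x GetProcAddress: imports resolved at run time, absent from the import table"

def describe_keystroke_injection(entry):
    msgs = [WM.get(_hex(c["args"][1]), c["args"][1]) for c in entry
            if c["api"] == "PostMessage" and len(c["args"]) > 1]
    return "SetKeyboardState + SendInput, posting " + ", ".join(msgs)

def describe_outbound_connect(entry):
    sock = next(c for c in entry if c["api"] == "socket")
    vals = [_hex(a) for a in sock["args"][:3]]           # af, type, protocol
    decoded = ", ".join(t.get(v, "?") for t, v in zip((AF, SOCK, PROTO), vals))
    return f"socket({decoded}) followed by connect: outbound connection"

# (rule name, APIs that must all appear in one entry, detail function)
RULES = [
    ("dynamic-api-resolution", {"LoadLibrary", "GetProcAddress"}, describe_dynamic_resolution),
    ("keystroke-injection", {"SetKeyboardState", "SendInput"}, describe_keystroke_injection),
    ("registry-tree-delete", {"RegEnumKeyEx", "RegDeleteKey"},
     lambda e: "RegEnumKeyEx loop around RegDeleteKey: removes a whole key subtree"),
    ("outbound-connect", {"socket", "connect"}, describe_outbound_connect),
]

def triage(text):
    """Return (address, rule name, detail) for every entry whose API set satisfies a rule."""
    findings = []
    for entry in parse_report(text):
        present = {c["api"] for c in entry}
        for name, required, describe in RULES:
            if required <= present:
                findings.append((anchor(entry), name, describe(entry)))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_REPORT), sep="\n")
```

Matching on the whole per-function API set rather than on single calls is what keeps the noise down: GetProcAddress alone appears in plenty of benign runtime code, but LoadLibrary plus several GetProcAddress calls in one small routine is the resolver shape, and a single SendInput is ordinary UI automation until it sits next to SetKeyboardState and posted WM_KEYUP messages.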
    APIs
    • DeleteObject.GDI32(00000000), ref: 00447151
    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
    • SelectObject.GDI32(?,00000000), ref: 004471A2
    • BeginPath.GDI32(?), ref: 004471B7
    • SelectObject.GDI32(?,00000000), ref: 004471DC
    Similarity
    • API ID: Object$Select$BeginCreateDeletePath
    • String ID:
    • API String ID: 2338827641-0
    • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
    • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
    • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
    • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
    APIs
    • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
    • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
    • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
    Similarity
    • API ID: CounterPerformanceQuerySleep
    • String ID:
    • API String ID: 2875609808-0
    • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
    • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
    • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
    • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
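The Sleep/QueryPerformanceCounter pairing above is the classic sleep-skew check: read a high-resolution counter, sleep, read it again, and treat a delay much shorter than requested as evidence that the environment patched or skipped the sleep. The following Python is an added example, not the sample's code, using time.perf_counter() and time.sleep() as portable stand-ins for the two Win32 calls. The VirtualTime class is a hypothetical, simplified model of the sandbox-side counter-measure (advancing the clock the program reads by the amount it asked to sleep), included to show why skipping the sleep alone is detectable while warping both the sleep and the clock is not.

```python
"""Sleep-skew check in the style of the Sleep/QueryPerformanceCounter pairing
listed above. Added example, not the sample's code: time.sleep() stands in for
Sleep and time.perf_counter() for QueryPerformanceCounter."""
import time


def measure_sleep_ms(requested_ms, sleep_fn=time.sleep, clock=time.perf_counter):
    """Sleep once and return the milliseconds the clock says elapsed around it."""
    t0 = clock()
    sleep_fn(requested_ms / 1000.0)
    return (clock() - t0) * 1000.0


def sleep_was_shortened(requested_ms, elapsed_ms, tolerance=0.9):
    """True when the sleep returned well before its deadline. A genuine sleep may
    overshoot by scheduler granularity but does not come back early, so a clearly
    short delay means the call was hooked, skipped or accelerated."""
    return elapsed_ms < requested_ms * tolerance


def check_sleep(requested_ms=50, sleep_fn=time.sleep, clock=time.perf_counter):
    """One round of the check; returns the numbers so a caller can assert on them."""
    elapsed = measure_sleep_ms(requested_ms, sleep_fn, clock)
    return {
        "requested_ms": requested_ms,
        "elapsed_ms": elapsed,
        "shortened": sleep_was_shortened(requested_ms, elapsed),
    }


class VirtualTime:
    """Hypothetical, simplified sandbox counter-measure: sleeping returns at once,
    but the clock handed to the program advances by the amount requested, so the
    skew check sees a normal delay. Real sandboxes must apply the same warp to
    every time source the sample can reach, which is where they usually slip."""

    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds

    def clock(self):
        return self.now


if __name__ == "__main__":
    print("real sleep   :", check_sleep(30))
    print("skipped sleep:", check_sleep(30, sleep_fn=lambda s: None))
    vt = VirtualTime()
    print("warped clock :", check_sleep(30, sleep_fn=vt.sleep, clock=vt.clock))
```

From the analyst's side the lesson is the converse of the sample's: if the sandbox shortens Sleep it must also shift QueryPerformanceCounter, GetTickCount, the TSC and any other clock by the same amount, or this four-call routine is enough to tell the two apart.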
    APIs
    • SendMessageW.USER32 ref: 0046FD00
    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
    • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
    • DestroyIcon.USER32(?), ref: 0046FD58
    • DestroyIcon.USER32(?), ref: 0046FD5F
    Similarity
    • API ID: MessageSend$DestroyIcon
    • String ID:
    • API String ID: 3419509030-0
    • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
    • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
    • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
    • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
    APIs
    • __getptd.LIBCMT ref: 004175AE
      • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
      • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
    • __amsg_exit.LIBCMT ref: 004175CE
    • __lock.LIBCMT ref: 004175DE
    • InterlockedDecrement.KERNEL32(?), ref: 004175FB
    • InterlockedIncrement.KERNEL32(00A32D10), ref: 00417626
    Similarity
    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
    • String ID:
    • API String ID: 4271482742-0
    • Opcode ID: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
    • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
    • Opcode Fuzzy Hash: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
    • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
    APIs
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
    • DeleteObject.GDI32(?), ref: 0045564E
    • DeleteObject.GDI32(?), ref: 0045565C
    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
    Similarity
    • API ID: Destroy$DeleteObjectWindow$Icon
    • String ID:
    • API String ID: 4023252218-0
    • Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
    • Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
    • Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
    • Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
    APIs
    • GetDlgItem.USER32(?,000003E9), ref: 00460342
    • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
    • MessageBeep.USER32(00000000), ref: 0046036D
    • KillTimer.USER32(?,0000040A), ref: 00460392
    • EndDialog.USER32(?,00000001), ref: 004603AB
    Similarity
    • API ID: BeepDialogItemKillMessageTextTimerWindow
    • String ID:
    • API String ID: 3741023627-0
    • Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
    • Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
    • Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
    • Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55
    APIs
    • SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
    • DeleteObject.GDI32(?), ref: 0045564E
    • DeleteObject.GDI32(?), ref: 0045565C
    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
    Similarity
    • API ID: DeleteDestroyObject$IconMessageSendWindow
    • String ID:
    • API String ID: 1489400265-0
    • Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
    • Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
    • Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
    • Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68
    APIs
      • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
    • DeleteObject.GDI32(?), ref: 0045564E
    • DeleteObject.GDI32(?), ref: 0045565C
    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
    Similarity
    • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
    • String ID:
    • API String ID: 1042038666-0
    • Opcode ID: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
    • Instruction ID: 707d1f3050e1f0ff98422ce5efa9f9a4d3559fdafbc0a23101ed238e91bf2869
    • Opcode Fuzzy Hash: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
    • Instruction Fuzzy Hash: B2014B702006419BCB10AF65D9C8A2A33ACAF19322780456AFD05D7242DB28EC498B79
    APIs
    Similarity
    • API ID: Path$ObjectStroke$DeleteFillSelect
    • String ID:
    • API String ID: 2625713937-0
    • Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
    • Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
    • Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
    • Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD
    APIs
      • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
    • ___set_flsgetvalue.LIBCMT ref: 004140E1
      • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
      • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
      • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
    • ___fls_getvalue@4.LIBCMT ref: 004140EC
      • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
    • ___fls_setvalue@8.LIBCMT ref: 004140FF
      • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
    • ExitThread.KERNEL32 ref: 0041410F
    • GetCurrentThreadId.KERNEL32 ref: 00414115
    • __freefls@4.LIBCMT ref: 00414135
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
    Similarity
    • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
    • String ID:
    • API String ID: 132634196-0
    • Opcode ID: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
    • Instruction ID: c6f54ac6c47f72d6c6be617d0ab0d95393642b3a08ca47198428750b18cc63fb
    • Opcode Fuzzy Hash: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
    • Instruction Fuzzy Hash: EFE0B6318012096B8F0177F28E2A8DF3A2DAD56799B12842EBF10A3112DA6DD9D147AD
    APIs
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
      • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
    • __getptd_noexit.LIBCMT ref: 00415620
    • CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
    • __freeptd.LIBCMT ref: 0041563B
    • ExitThread.KERNEL32 ref: 00415643
    Similarity
    • API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
    • String ID:
    • API String ID: 3798957060-0
    • Opcode ID: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
    • Instruction ID: 5ad9b57b40d8b41da6f03c32f2a15b2799e0bbfe2e5ad1689210a27a588f1b2a
    • Opcode Fuzzy Hash: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
    • Instruction Fuzzy Hash: 29E01A31501A1197C2212BB9AC097DE3255AF01F36F944A6EF81A952A0DB6CD98147AD
    APIs
      • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
    • ___set_flsgetvalue.LIBCMT ref: 00415690
      • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
      • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
      • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
    • ___fls_getvalue@4.LIBCMT ref: 0041569B
      • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
    • ___fls_setvalue@8.LIBCMT ref: 004156AD
      • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
    • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
    • ExitThread.KERNEL32 ref: 004156BD
    • __freefls@4.LIBCMT ref: 004156D9
    • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
    Similarity
    • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
    • String ID:
    • API String ID: 1537469427-0
    • Opcode ID: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
    • Instruction ID: 6f4b581ce684dac4bce1a6396b1ab204a3b2196504341234b7a244e47b3a25b0
    • Opcode Fuzzy Hash: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
    • Instruction Fuzzy Hash: 83E0E6308003096BCF0037F29E1A9DF392DAD41389B52841E7E14B2122DE6DD9D1466D
    Strings
    Similarity
    • API ID: _malloc
    • String ID: Default$|k
    • API String ID: 1579825452-2254895183
    • Opcode ID: 40d6f10fdafea13a2bac6400c0178530cb596db9db489683ec588b92481aca89
    • Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
    • Opcode Fuzzy Hash: 40d6f10fdafea13a2bac6400c0178530cb596db9db489683ec588b92481aca89
    • Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B
    APIs
    Strings
    Similarity
    • API ID: _memcmp
    • String ID: '$[$h
    • API String ID: 2931989736-1224472061
    • Opcode ID: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
    • Instruction ID: c2eec353cbd26a418970a1643da97c958d9efd09d44d369c5aec2a2e92b02032
    • Opcode Fuzzy Hash: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
    • Instruction Fuzzy Hash: EBE1B3756083858FE725CF28C8807ABBBE1FFC9304F18896EE89587341D7799849CB56
    APIs
    Strings
    Similarity
    • API ID: _strncmp
    • String ID: >$R$U
    • API String ID: 909875538-1924298640
    • Opcode ID: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
    • Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
    • Opcode Fuzzy Hash: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
    • Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
    APIs
      • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
    • CoInitialize.OLE32(00000000), ref: 0046CE18
    • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
    • CoUninitialize.OLE32 ref: 0046CE50
    Strings
    Similarity
    • API ID: CreateInitializeInstanceUninitialize_wcslen
    • String ID: .lnk
    • API String ID: 886957087-24824748
    • Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
    • Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
    • Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
    • Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
    Strings
    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
    Similarity
    • API ID: _wcslen
    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
    • API String ID: 176396367-557222456
    • Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
    • Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
    • Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
    • Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
    APIs
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
    • VariantInit.OLEAUT32(00000000), ref: 0042D2E0
    • VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
    • VariantClear.OLEAUT32(00000000), ref: 0042D2FF
    Strings
    Similarity
    • API ID: Variant$ClearCopyInit_malloc
    • String ID: 4RH
    • API String ID: 2981388473-749298218
    • Opcode ID: d7b27e83abb5149de728bcf4e8c63d83f5cbd7e7ed83da0db973c37358d4df76
    • Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
    • Opcode Fuzzy Hash: d7b27e83abb5149de728bcf4e8c63d83f5cbd7e7ed83da0db973c37358d4df76
    • Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96
    APIs
      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
    • __wcsnicmp.LIBCMT ref: 0046681A
    • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
    Strings
    Similarity
    • API ID: Connection__wcsnicmp_wcscpy_wcslen
    • String ID: LPT$HH
    • API String ID: 3035604524-2728063697
    • Opcode ID: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
    • Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
    • Opcode Fuzzy Hash: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
    • Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A
    APIs
      • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
      • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
    • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
    Strings
    Similarity
    • API ID: MessageSend$MemoryProcess$ReadWrite
    • String ID: @
    • API String ID: 4055202900-2766056989
    • Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
    • Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
    • Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
    • Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
    APIs
    Strings
    Similarity
    • API ID: CrackInternet_memset_wcslen
    • String ID: |
    • API String ID: 915713708-2343686810
    • Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
    • Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
    • Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
    • Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
    APIs
    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
    • HttpQueryInfoW.WININET ref: 0044A892
      • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
    Strings
    Similarity
    • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
    • String ID:
    • API String ID: 3705125965-3916222277
    • Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
    • Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
    • Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
    • Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
    APIs
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
    • GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
    Strings
    Similarity
    • API ID: Window$Long
    • String ID: SysTreeView32
    • API String ID: 847901565-1698111956
    • Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
    • Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
    • Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
    • Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25
    APIs
    • LoadLibraryA.KERNEL32(?), ref: 00437CB2
    • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
    • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
    Strings
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: AU3_GetPluginDetails
    • API String ID: 145871493-4132174516
    • Opcode ID: e7557abc72873116063900f5871be513ef464a1812049b45f2b30b62e8db012b
    • Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
    • Opcode Fuzzy Hash: e7557abc72873116063900f5871be513ef464a1812049b45f2b30b62e8db012b
    • Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
    APIs
    • DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
    Strings
    Similarity
    • API ID: DestroyWindow
    • String ID: msctls_updown32
    • API String ID: 3375834691-2298589950
    • Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
    • Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
    • Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
    • Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
    APIs
    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
    • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
    • MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$MoveWindow
    • String ID: Listbox
    • API String ID: 3315199576-2633736733
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 0045D243
    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ErrorMode$InformationVolume
    • String ID: HH
    • API String ID: 2507767853-2761332787
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ErrorMode$InformationVolume
    • String ID: HH
    • API String ID: 2507767853-2761332787
    APIs
    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
    • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: msctls_trackbar32
    • API String ID: 3850602802-1010561917
    APIs
      • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
    • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046BD78
    • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
    • inet_ntoa.WSOCK32(00000000,?), ref: 0046BDCD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
    • String ID: HH
    • API String ID: 1515696956-2761332787
    APIs
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
    • GetMenuItemInfoW.USER32 ref: 004497EA
    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
    • DrawMenuBar.USER32 ref: 00449828
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Menu$InfoItem$Draw_malloc
    • String ID: 0
    • API String ID: 772068139-4108050209
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AllocTask_wcslen
    • String ID: hkG
    • API String ID: 2651040394-3610518997
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: GetSystemWow64DirectoryW$kernel32.dll
    • API String ID: 2574300362-1816364905
    APIs
    • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,?,?,00000000,?,?,00000101,?), ref: 004343DE
    • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: ICMP.DLL$IcmpSendEcho
    • API String ID: 2574300362-58917771
    APIs
    • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
    • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: ICMP.DLL$IcmpCloseHandle
    • API String ID: 2574300362-3530519716
    APIs
    • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
    • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: ICMP.DLL$IcmpCreateFile
    • API String ID: 2574300362-275556492
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: IsWow64Process$kernel32.dll
    • API String ID: 2574300362-3024904723
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ClearVariant
    • String ID:
    • API String ID: 1473721057-0
    APIs
    • __flush.LIBCMT ref: 00414630
    • __fileno.LIBCMT ref: 00414650
    • __locking.LIBCMT ref: 00414657
    • __flsbuf.LIBCMT ref: 00414682
      • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
      • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
    • String ID:
    • API String ID: 3240763771-0
    APIs
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
    • VariantCopy.OLEAUT32(?,?), ref: 00478259
    • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
    • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CopyVariant$ErrorLast
    • String ID:
    • API String ID: 2286883814-0
    APIs
    • socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
    • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
    • #21.WSOCK32 ref: 004740E0
    • WSAGetLastError.WSOCK32(00000000), ref: 004740EB
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ErrorLast$socket
    • String ID:
    • API String ID: 1881357543-0
    APIs
    • ClientToScreen.USER32(00000000,?), ref: 00441CDE
    • GetWindowRect.USER32(?,?), ref: 00441D5A
    • PtInRect.USER32(?,?,?), ref: 00441D6F
    • MessageBeep.USER32(00000000), ref: 00441DF2
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Rect$BeepClientMessageScreenWindow
    • String ID:
    • API String ID: 1352109105-0
    APIs
    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
    • __isleadbyte_l.LIBCMT ref: 004238B2
    • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
    • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
    • String ID:
    • API String ID: 3058430110-0
    APIs
    • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
    • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
    • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
    • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CreateHardLink$DeleteErrorFileLast
    • String ID:
    • API String ID: 3321077145-0
    APIs
    • GetParent.USER32(?), ref: 004505BF
    • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
    • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
    • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Proc$Parent
    • String ID:
    • API String ID: 2351499541-0
    APIs
      • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
    • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
    • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
    • __itow.LIBCMT ref: 00461461
    • __itow.LIBCMT ref: 004614AB
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$__itow$_wcslen
    • String ID:
    • API String ID: 2875217250-0
    • Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
    • Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
    • Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
    • Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
    APIs
    • GetForegroundWindow.USER32 ref: 00472806
      • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
      • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
      • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
    • GetCaretPos.USER32(?), ref: 0047281A
    • ClientToScreen.USER32(00000000,?), ref: 00472856
    • GetForegroundWindow.USER32 ref: 0047285C
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
    • String ID:
    • API String ID: 2759813231-0
    • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
    • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
    • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
    • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
    APIs
      • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
    • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Window$Long$AttributesLayered
    • String ID:
    • API String ID: 2169480361-0
    • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
    • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
    • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
    • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
    APIs
    • SendMessageW.USER32 ref: 00448CB8
    • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
    • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend$LongWindow
    • String ID:
    • API String ID: 312131281-0
    • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
    • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
    • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
    • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
    APIs
    • select.WSOCK32 ref: 0045890A
    • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
    • accept.WSOCK32(00000000,00000000,00000000,00000000,00000000), ref: 00458927
    • WSAGetLastError.WSOCK32(00000000), ref: 00458952
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ErrorLastacceptselect
    • String ID:
    • API String ID: 385091864-0
    • Opcode ID: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
    • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
    • Opcode Fuzzy Hash: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
    • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
    APIs
    • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend
    • String ID:
    • API String ID: 3850602802-0
    • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
    • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
    • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
    • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
    APIs
    • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
    • GetStockObject.GDI32(00000011), ref: 00433695
    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
    • ShowWindow.USER32(00000000,00000000), ref: 004336BA
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Window$CreateMessageObjectSendShowStock
    • String ID:
    • API String ID: 1358664141-0
    • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
    • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
    • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
    • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 004441B8
    • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
    • CloseHandle.KERNEL32(00000000), ref: 00444213
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
    • String ID:
    • API String ID: 2880819207-0
    • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
    • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
    • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
    • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
    APIs
    • GetWindowRect.USER32(?,?), ref: 00434037
    • ScreenToClient.USER32(?,?), ref: 0043405B
    • ScreenToClient.USER32(?,?), ref: 00434085
    • InvalidateRect.USER32(?,?,?), ref: 004340A4
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ClientRectScreen$InvalidateWindow
    • String ID:
    • API String ID: 357397906-0
    • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
    • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
    • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
    • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
    APIs
    • __wsplitpath.LIBCMT ref: 00436A45
      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
    • __wsplitpath.LIBCMT ref: 00436A6C
    • __wcsicoll.LIBCMT ref: 00436A93
    • __wcsicoll.LIBCMT ref: 00436AB0
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
    • String ID:
    • API String ID: 1187119602-0
    • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
    • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
    • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
    • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _wcslen$_malloc_wcscat_wcscpy
    • String ID:
    • API String ID: 1597257046-0
    • Opcode ID: 9bf70feb9995e632ab5189473c5c1ff6d9059d763006822bbe4c9c6206c17556
    • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
    • Opcode Fuzzy Hash: 9bf70feb9995e632ab5189473c5c1ff6d9059d763006822bbe4c9c6206c17556
    • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
    APIs
    • DeleteObject.GDI32(?), ref: 0045564E
    • DeleteObject.GDI32(?), ref: 0045565C
    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: DeleteDestroyObject$IconWindow
    • String ID:
    • API String ID: 3349847261-0
    • Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
    • Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
    • Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
    • Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
    APIs
    • EnterCriticalSection.KERNEL32(?), ref: 0044B60B
    • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
    • LeaveCriticalSection.KERNEL32(?), ref: 0044B630
    • LeaveCriticalSection.KERNEL32(?), ref: 0044B641
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CriticalSection$Leave$EnterExchangeInterlocked
    • String ID:
    • API String ID: 2223660684-0
    • Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
    • Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
    • Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
    • Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
    APIs
      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
    • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
    • LineTo.GDI32(?,00000000,00000002), ref: 004472A0
    • EndPath.GDI32(?), ref: 004472B0
    • StrokePath.GDI32(?), ref: 004472BE
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
    • String ID:
    • API String ID: 2783949968-0
    • Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
    • Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
    • Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
    • Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
    APIs
    • __getptd.LIBCMT ref: 00417D1A
      • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
      • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
    • __getptd.LIBCMT ref: 00417D31
    • __amsg_exit.LIBCMT ref: 00417D3F
    • __lock.LIBCMT ref: 00417D4F
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: __amsg_exit__getptd$__getptd_noexit__lock
    • String ID:
    • API String ID: 3521780317-0
    • Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
    • Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
    • Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
    • Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
    APIs
    • GetDesktopWindow.USER32 ref: 00471144
    • GetDC.USER32(00000000), ref: 0047114D
    • GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
    • ReleaseDC.USER32(00000000,?), ref: 0047117B
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CapsDesktopDeviceReleaseWindow
    • String ID:
    • API String ID: 2889604237-0
    • Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
    • Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
    • Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
    • Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
    APIs
    • GetDesktopWindow.USER32 ref: 00471102
    • GetDC.USER32(00000000), ref: 0047110B
    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
    • ReleaseDC.USER32(00000000,?), ref: 00471139
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CapsDesktopDeviceReleaseWindow
    • String ID:
    • API String ID: 2889604237-0
    • Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
    • Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
    • Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
    • Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
    APIs
    • SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
    • GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
    • GetCurrentThreadId.KERNEL32 ref: 004389DA
    • AttachThreadInput.USER32(00000000), ref: 004389E1
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
    • String ID:
    • API String ID: 2710830443-0
    • Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
    • Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
    • Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
    • Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
    • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
    • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
    • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
      • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
      • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
    • String ID:
    • API String ID: 146765662-0
    • Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
    • Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
    • Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
    • Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
    APIs
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
      • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
    • __getptd_noexit.LIBCMT ref: 00414080
    • __freeptd.LIBCMT ref: 0041408A
    • ExitThread.KERNEL32 ref: 00414093
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
    • String ID:
    • API String ID: 3182216644-0
    • Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
    • Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
    • Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
    • Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: BuffCharLower
    • String ID: $8'I
    • API String ID: 2358735015-3608026889
    • Opcode ID: 5b489f3052d96109422c917d8a9fbac0302be8ad5a33661fb05fbe82f09871b4
    • Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
    • Opcode Fuzzy Hash: 5b489f3052d96109422c917d8a9fbac0302be8ad5a33661fb05fbe82f09871b4
    • Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
    APIs
    • OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
      • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
      • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
    • String ID: AutoIt3GUI$Container
    • API String ID: 3380330463-3941886329
    • Opcode ID: 40d57a9443b987af8efa91babd9c31157e19955d9a2197ee8c51554929d21189
    • Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
    • Opcode Fuzzy Hash: 40d57a9443b987af8efa91babd9c31157e19955d9a2197ee8c51554929d21189
    • Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
    APIs
    • _wcslen.LIBCMT ref: 00409A61
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
    • CharUpperBuffW.USER32(?,?), ref: 00409AF5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
    • String ID: 0vH
    • API String ID: 1143807570-3662162768
    • Opcode ID: 09d17319a9c3feab7af87e16e284a386ef00b716e9ae614fc8a124a376b6d844
    • Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
    • Opcode Fuzzy Hash: 09d17319a9c3feab7af87e16e284a386ef00b716e9ae614fc8a124a376b6d844
    • Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID: HH$HH
    • API String ID: 0-1787419579
    • Opcode ID: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
    • Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
    • Opcode Fuzzy Hash: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
    • Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: InfoItemMenu_memset
    • String ID: 0
    • API String ID: 2223754486-4108050209
    • Opcode ID: 3f1555422277dddf6b9ada90f411b7a8332aec5e580065e88a858a17d5e64cc6
    • Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
    • Opcode Fuzzy Hash: 3f1555422277dddf6b9ada90f411b7a8332aec5e580065e88a858a17d5e64cc6
    • Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A
    APIs
    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: '
    • API String ID: 3850602802-1997036262
    • Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
    • Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
    • Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
    • Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    • Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
    • Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
    • Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
    • Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA
    APIs
    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: Combobox
    • API String ID: 3850602802-2096851135
    • Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
    • Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
    • Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
    • Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
    APIs
    • GetWindowTextLengthW.USER32(00000000), ref: 004515DA
    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: LengthMessageSendTextWindow
    • String ID: edit
    • API String ID: 2978978980-2167791130
    • Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
    • Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
    • Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
    • Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729
    APIs
    • Sleep.KERNEL32(00000000), ref: 00474833
    • GlobalMemoryStatusEx.KERNEL32 ref: 00474846
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: GlobalMemorySleepStatus
    • String ID: @
    • API String ID: 2783356886-2766056989
    • Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
    • Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
    • Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
    • Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: htonsinet_addr
    • String ID: 255.255.255.255
    • API String ID: 3832099526-2422070025
    • Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
    • Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
    • Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
    • Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend_wcslen
    • String ID: ComboBox$ListBox
    • API String ID: 455545452-1403004172
    • Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
    • Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
    • Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
    • Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
    APIs
    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: InternetOpen
    • String ID: <local>
    • API String ID: 2038078732-4266983199
    • Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
    • Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
    • Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
    • Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend_wcslen
    • String ID: ComboBox$ListBox
    • API String ID: 455545452-1403004172
    • Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
    • Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
    • Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
    • Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
    APIs
      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
    • SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend_wcslen
    • String ID: ComboBox$ListBox
    • API String ID: 455545452-1403004172
    • Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
    • Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
    • Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
    • Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _strncmp
    • String ID: ,$UTF8)
    • API String ID: 909875538-2632631837
    • Opcode ID: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
    • Instruction ID: 35c0b5e4e6bd282640ba12729024cfd3588da47ca1ed1c49f01331a057b7ec9b
    • Opcode Fuzzy Hash: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
    • Instruction Fuzzy Hash: 7601B575A083805BE720DE20CC85BA773A1AB81319F58492ED8D5872A1F73DD449C75B
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: _strncmp
    • String ID: ,$UTF8)
    • API String ID: 909875538-2632631837
    • Opcode ID: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
    • Instruction ID: b3c6803870d1b21283bf32431af321d4190ac902c568a1d8b2e557ddf245ca97
    • Opcode Fuzzy Hash: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
    • Instruction Fuzzy Hash: 1E01D875A043805BE720DE20CC85B6773A19B4131AF68492FD8D6872A1F73DD449C75B
    APIs
    • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
    • wsprintfW.USER32 ref: 004560E9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: MessageSend_mallocwsprintf
    • String ID: %d/%02d/%02d
    • API String ID: 1262938277-328681919
    • Opcode ID: 411b72ec73f8abaf5c9efec05356ecc40123998799e12abe29a9eff98d01c147
    • Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
    • Opcode Fuzzy Hash: 411b72ec73f8abaf5c9efec05356ecc40123998799e12abe29a9eff98d01c147
    • Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
    APIs
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
      • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: FindMessagePostSleepWindow
    • String ID: Shell_TrayWnd
    • API String ID: 529655941-2988720461
    • Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
    • Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
    • Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
    • Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
    APIs
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
    • PostMessageW.USER32(00000000), ref: 00442247
      • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: FindMessagePostSleepWindow
    • String ID: Shell_TrayWnd
    • API String ID: 529655941-2988720461
    • Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
    • Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
    • Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
    • Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
    APIs
    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
      • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2079788880.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2079773772.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079827181.0000000000482000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.0000000000490000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079841919.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2079867912.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rComprobantedepago.jbxd
    Similarity
    • API ID: Message_doexit
    • String ID: AutoIt$Error allocating memory.
    • API String ID: 1993061046-4017498283
    • Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
    • Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
    • Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
    • Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E
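Per-function listings like the one above run to thousands of records, so an analyst usually wants to query them rather than scroll them: which functions touch a given API, and which functions share an API String ID (the same API/string combination seen in more than one function, such as the two `_strncmp` / `,$UTF8)` records or the three `MessageSend_wcslen` records above). The following Python parser is an added example, not part of the Joe Sandbox report or its IDA plugin; the regular expression and the assumption that an "Instruction Fuzzy Hash" line closes each record are taken from the layout shown on this page, and the embedded sample is four records copied from this report, trimmed to the lines the parser reads.

```python
"""Parse Joe Sandbox per-function 'Similarity' records (API-call bullets plus
API ID / String ID / Opcode ID / fuzzy-hash fields, as listed above) and
cluster the functions that share an API String ID."""
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: four records copied from this report, trimmed to the
# lines the parser reads (the repeated "Associated:" dump lines are omitted).
SAMPLE_REPORT = """
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
Similarity
• API ID: InternetOpen
• String ID: <local>
• API String ID: 2038078732-4266983199
• Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
• Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
APIs
Similarity
• API ID: _strncmp
• String ID: ,$UTF8)
• API String ID: 909875538-2632631837
• Opcode ID: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
• Instruction Fuzzy Hash: 7601B575A083805BE720DE20CC85BA773A1AB81319F58492ED8D5872A1F73DD449C75B
APIs
Similarity
• API ID: _strncmp
• String ID: ,$UTF8)
• API String ID: 909875538-2632631837
• Opcode ID: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
• Instruction Fuzzy Hash: 1E01D875A043805BE720DE20CC85B6773A19B4131AF68492FD8D6872A1F73DD449C75B
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
• Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
"""

# One API-call bullet: "• Name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR:" (layout assumed from the report above).
API_CALL_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<name>[\w@:]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")  # subcall_of: callee address or None


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)  # "API ID", "String ID", "Opcode ID", ...


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing into records; an 'Instruction Fuzzy Hash' line closes each one."""
    records, current, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
        elif line.startswith("•") and section == "APIs":
            m = API_CALL_RE.match(line)
            if m:  # nested "Part of subcall" bullets are kept, tagged with the callee address
                current.calls.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
        elif line.startswith("•"):
            key, _, value = line[1:].partition(":")
            current.fields[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                records.append(current)
                current = FunctionRecord()
    return records


def functions_using(records: List[FunctionRecord], needle: str) -> List[FunctionRecord]:
    """Records whose API ID or any listed call name contains `needle` (case-insensitive)."""
    n = needle.lower()
    return [r for r in records if n in r.fields.get("API ID", "").lower()
            or any(n in c.name.lower() for c in r.calls)]


def group_by_api_string_id(records: List[FunctionRecord]) -> Dict[str, List[FunctionRecord]]:
    """Functions sharing an API String ID are clone candidates; compare their Opcode IDs to confirm."""
    groups: Dict[str, List[FunctionRecord]] = defaultdict(list)
    for r in records:
        if r.fields.get("API String ID"):
            groups[r.fields["API String ID"]].append(r)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(len(recs), "records; network:", [r.fields["API ID"] for r in functions_using(recs, "InternetOpen")])
    print({sid: len(m) for sid, m in group_by_api_string_id(recs).items() if len(m) > 1})
```

Run it against the full report text (copied from the page) instead of `SAMPLE_REPORT` to get the complete picture; a shared API String ID with differing Opcode IDs, as for the two `_strncmp` records, points at the same logic compiled or inlined twice rather than a duplicate dump of one function.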