
Windows Analysis Report
Pago devuelto #.Documentos#9787565789678675645767856843.exe

Overview

General Information

Sample name: Pago devuelto #.Documentos#9787565789678675645767856843.exe
Analysis ID: 1587508
MD5: 73ff62c5ec02105ddabfddd0b2a504db
SHA1: 24dc9233dc9d095b51a4cfbcabcd68587ee72ed4
SHA256: 638e107bf5c809f6ee00417883dd6c2dbf1506bfb05720fe3f66437ee96c315c
Tags: exe, user-Racco42
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of sandbox detection
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Pago devuelto #.Documentos#9787565789678675645767856843.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe" MD5: 73FF62C5EC02105DDABFDDD0B2A504DB)
    • RegSvcs.exe (PID: 1868 cmdline: "C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.controlfire.com.mx", "Username": "usufffaz@controlfire.com.mx", "Password": "0a4XlE=4t8mz"}
Source | Rule | Description | Author | Strings
00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Source | Rule | Description | Author | Strings
0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
  • 0x34431:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x344a3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3452d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x345bf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x34629:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3469b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34731:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x347c1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen |
  • 0x315a6:$s2: GetPrivateProfileString
  • 0x30c83:$s3: get_OSFullName
  • 0x322fb:$s5: remove_Key
  • 0x324b5:$s5: remove_Key
  • 0x333de:$s6: FtpWebRequest
  • 0x34413:$s7: logins
  • 0x34985:$s7: logins
  • 0x37674:$s7: logins
  • 0x37748:$s7: logins
  • 0x3909d:$s7: logins
  • 0x382e2:$s9: 1.85 (Hash, version 2, native byte-order)
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Avira: detected
Source: 2.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.controlfire.com.mx", "Username": "usufffaz@controlfire.com.mx", "Password": "0a4XlE=4t8mz"}
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Virustotal: Detection: 32%
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Joe Sandbox ML: detected
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000003.2060924101.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000003.2061538692.0000000004430000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000003.2060924101.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000003.2061538692.0000000004430000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0100C2A2 FindFirstFileExW,0_2_0100C2A2
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0104698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0104698F
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_010468EE FindFirstFileW,FindClose,0_2_010468EE
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0103D076
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0103D3A9
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0104979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0104979D
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01049642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_01049642
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01049B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_01049B2B
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0103DBBE
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01045C97 FindFirstFileW,FindNextFileW,FindClose,0_2_01045C97

Networking

Source: Yara match | File source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0104CF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent,0_2_0104CF1A
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: RegSvcs.exe, 00000002.00000002.3297380807.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.00000000029A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.00000000028E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.00000000029A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3296882924.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.00000000028E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.3297380807.00000000029A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.00000000028E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0104EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0104EAFF
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0104ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0104ED6A
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0104EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0104EAFF
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0103AB9C
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01069576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_01069576

System Summary

Source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_eeebfe05-2
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_1963116b-7
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_a050ec6f-4
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_08e26454-2
Source: initial sample | Static PE information: Filename: Pago devuelto #.Documentos#9787565789678675645767856843.exe
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103D5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_0103D5EB
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01031201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_01031201
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_0103E8F6
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FD8060 0_2_00FD8060
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01042046 0_2_01042046
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01038298 0_2_01038298
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0100E4FF 0_2_0100E4FF
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0100676B 0_2_0100676B
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01064873 0_2_01064873
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FDCAF0 0_2_00FDCAF0
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FFCAA0 0_2_00FFCAA0
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FECC39 0_2_00FECC39
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01006DD9 0_2_01006DD9
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FD91C0 0_2_00FD91C0
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FEB119 0_2_00FEB119
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF1394 0_2_00FF1394
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF1706 0_2_00FF1706
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF781B 0_2_00FF781B
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF19B0 0_2_00FF19B0
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FE997D 0_2_00FE997D
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FD7920 0_2_00FD7920
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF7A4A 0_2_00FF7A4A
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF7CA7 0_2_00FF7CA7
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF1C77 0_2_00FF1C77
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0105BE44 0_2_0105BE44
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF1F32 0_2_00FF1F32
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01009EEE 0_2_01009EEE
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_04173688 0_2_04173688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00B7A628 2_2_00B7A628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00B74A80 2_2_00B74A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00B7DA60 2_2_00B7DA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00B73E68 2_2_00B73E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00B741B0 2_2_00B741B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_04EC2490 2_2_04EC2490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_04EC12E0 2_2_04EC12E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_04EC3C30 2_2_04EC3C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_04EC3548 2_2_04EC3548
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: String function: 00FF0A30 appears 46 times
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: String function: 00FD9CB3 appears 31 times
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: String function: 00FEF9F2 appears 40 times
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000003.2060504164.00000000046FD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Pago devuelto #.Documentos#9787565789678675645767856843.exe
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000003.2060354652.0000000004553000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Pago devuelto #.Documentos#9787565789678675645767856843.exe
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs Pago devuelto #.Documentos#9787565789678675645767856843.exe
Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_010437B5 GetLastError,FormatMessageW,0_2_010437B5
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_010310BF AdjustTokenPrivileges,CloseHandle,0_2_010310BF
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_010316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_010316C3
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_010451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_010451CD
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0105A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0105A67C
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0104648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_0104648E
Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FD42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00FD42A2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeFile created: C:\Users\user\AppData\Local\Temp\acrorrheumaJump to behavior
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: RegSvcs.exe, 00000002.00000002.3297380807.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.00000000029DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeVirustotal: Detection: 32%
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeReversingLabs: Detection: 28%
                  Source: unknownProcess created: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe "C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe"
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe"
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic file information: File size 80740352 > 1048576
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000003.2060924101.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000003.2061538692.0000000004430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000003.2060924101.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000003.2061538692.0000000004430000.00000004.00001000.00020000.00000000.sdmp
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeCode function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FD42DE
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeCode function: 0_2_00FF0A76 push ecx; ret 0_2_00FF0A89
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeCode function: 0_2_00FEF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00FEF98E
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exeCode function: 0_2_01061C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_01061C41
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: Pago devuelto #.Documentos#9787565789678675645767856843.exe PID: 3648, type: MEMORYSTR
                  Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-96614
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | API/Special instruction interceptor: Address: 41732AC
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.0000000002915000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | API coverage: 3.4 %
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0100C2A2 FindFirstFileExW,0_2_0100C2A2
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0104698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0104698F
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_010468EE FindFirstFileW,FindClose,0_2_010468EE
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0103D076
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0103D3A9
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0104979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0104979D
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01049642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_01049642
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01049B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_01049B2B
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0103DBBE
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01045C97 FindFirstFileW,FindNextFileW,FindClose,0_2_01045C97
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FD42DE
                  Source: RegSvcs.exe, 00000002.00000002.3297380807.0000000002915000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
                  Source: RegSvcs.exe, 00000002.00000002.3297380807.0000000002915000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                  Source: RegSvcs.exe, 00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: VMwareVBox
                  Source: RegSvcs.exe, 00000002.00000002.3298278101.0000000005C56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld

                  Anti Debugging

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00B77068 CheckRemoteDebuggerPresent,2_2_00B77068
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0104EAA2 BlockInput,0_2_0104EAA2
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01002622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01002622
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FD42DE
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF4CE8 mov eax, dword ptr fs:[00000030h] 0_2_00FF4CE8
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_04173518 mov eax, dword ptr fs:[00000030h] 0_2_04173518
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_04173578 mov eax, dword ptr fs:[00000030h] 0_2_04173578
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_04171EB8 mov eax, dword ptr fs:[00000030h] 0_2_04171EB8
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01030B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_01030B62
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01002622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01002622
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00FF083F
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF09D5 SetUnhandledExceptionFilter,0_2_00FF09D5
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00FF0C21
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 797008
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01031201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_01031201
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01012BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_01012BA5
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103B226 SendInput,keybd_event,0_2_0103B226
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0103E355 mouse_event,0_2_0103E355
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe"
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01030B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_01030B62
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01031663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_01031663
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FF0698 cpuid 0_2_00FF0698
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01048195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_01048195
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0102D27A GetUserNameW,0_2_0102D27A
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_0100B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0100B952
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FD42DE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Pago devuelto #.Documentos#9787565789678675645767856843.exe PID: 3648, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1868, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Binary or memory string: WIN_81
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Binary or memory string: WIN_XP
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Binary or memory string: WIN_XPe
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Binary or memory string: WIN_VISTA
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Binary or memory string: WIN_7
                  Source: Pago devuelto #.Documentos#9787565789678675645767856843.exe | Binary or memory string: WIN_8
                  Source: Yara match | File source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.3297380807.0000000002915000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Pago devuelto #.Documentos#9787565789678675645767856843.exe PID: 3648, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1868, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Pago devuelto #.Documentos#9787565789678675645767856843.exe.2490000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Pago devuelto #.Documentos#9787565789678675645767856843.exe PID: 3648, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1868, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01051204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_01051204
                  Source: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe | Code function: 0_2_01051806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_01051806
                  MITRE ATT&CK Matrix (techniques listed per tactic; a number preceding a technique name is the report's count badge for that technique, reproduced as shown in the report)

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                  Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                  Execution: 221 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                  Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                  Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                  Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 32 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; HTML Smuggling; Dynamic API Resolution
                  Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                  Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 138 System Information Discovery; 741 Security Software Discovery; 32 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                  Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                  Command and Control: 2 Ingress Tool Transfer; 1 Encrypted Channel; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                  Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                  Source | Detection | Scanner | Label
                  Pago devuelto #.Documentos#9787565789678675645767856843.exe | 33% | Virustotal | -
                  Pago devuelto #.Documentos#9787565789678675645767856843.exe | 29% | ReversingLabs | Win32.Trojan.AutoitInject
                  Pago devuelto #.Documentos#9787565789678675645767856843.exe | 100% | Avira | DR/AutoIt.Gen8
                  Pago devuelto #.Documentos#9787565789678675645767856843.exe | 100% | Joe Sandbox ML | -
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            ip-api.com | 208.95.112.1 | true | false | - | high

                            Name | Malicious | Antivirus Detection | Reputation
                            http://ip-api.com/line/?fields=hosting | false | - | high

                            Name | Source | Malicious | Antivirus Detection | Reputation
                            https://account.dyn.com/ | Pago devuelto #.Documentos#9787565789678675645767856843.exe, 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | - | high
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.3297380807.00000000029A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.00000000028E1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                            http://ip-api.com | RegSvcs.exe, 00000002.00000002.3297380807.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.00000000029A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297380807.00000000028E1000.00000004.00000800.00020000.00000000.sdmp | false | - | high

                            IP | Domain | Country | ASN | ASN Name | Malicious
                            208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1587508
                            Start date and time:2025-01-10 13:47:17 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 13s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of new started processes analysed:5
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:Pago devuelto #.Documentos#9787565789678675645767856843.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 42
                            • Number of non-executed functions: 309
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                            • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            No simulations
                            Context for IP 208.95.112.1 (Associated Sample Name / URL | Detection | Threat Name | Context)
                            driver.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
                            XClient.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                            Comprobante.de.pago.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                            p.exe | malicious | Unknown | ip-api.com/csv/?fields=query
                            rNuevaorden_pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                            I334hDwRjj.exe | malicious | Blank Grabber, Njrat | ip-api.com/json/?fields=225545
                            startup_str_466.bat | malicious | XWorm | ip-api.com/line/?fields=hosting
                            7dtpow.ps1 | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                            x.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                            TR98760H.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting

                            Context for domain ip-api.com (Associated Sample Name / URL | Detection | Threat Name | Context)
                            driver.exe | malicious | Blank Grabber | 208.95.112.1
                            XClient.exe | malicious | XWorm | 208.95.112.1
                            Comprobante.de.pago.pdf.exe | malicious | AgentTesla | 208.95.112.1
                            p.exe | malicious | Unknown | 208.95.112.1
                            rNuevaorden_pdf.exe | malicious | AgentTesla | 208.95.112.1
                            I334hDwRjj.exe | malicious | Blank Grabber, Njrat | 208.95.112.1
                            startup_str_466.bat | malicious | XWorm | 208.95.112.1
                            7dtpow.ps1 | malicious | AgentTesla | 208.95.112.1
                            x.exe | malicious | AgentTesla | 208.95.112.1
                            TR98760H.exe | malicious | AgentTesla | 208.95.112.1

                            Context for ASN TUT-ASUS (Associated Sample Name / URL | Detection | Threat Name | Context)
                            driver.exe | malicious | Blank Grabber | 208.95.112.1
                            XClient.exe | malicious | XWorm | 208.95.112.1
                            Comprobante.de.pago.pdf.exe | malicious | AgentTesla | 208.95.112.1
                            p.exe | malicious | Unknown | 208.95.112.1
                            rNuevaorden_pdf.exe | malicious | AgentTesla | 208.95.112.1
                            I334hDwRjj.exe | malicious | Blank Grabber, Njrat | 208.95.112.1
                            startup_str_466.bat | malicious | XWorm | 208.95.112.1
                            7dtpow.ps1 | malicious | AgentTesla | 208.95.112.1
                            x.exe | malicious | AgentTesla | 208.95.112.1
                            TR98760H.exe | malicious | AgentTesla | 208.95.112.1
                            No context
                            No context
                            Process:C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):244224
                            Entropy (8bit):6.682637646638713
                            Encrypted:false
                            SSDEEP:6144:cB3UmyRI2VW40ADP7HHyZcINbW2WBhLeWSO2IR0w+mYeaNuz5vF6FSwXevh:cRUmh2s40ADP7HHyZcINbW2WBhLeWSO5
                            MD5:F272A8A026F611BEF013CCB5E02AD349
                            SHA1:E202B447BC29C0FC229EDD00DB9DAAB6D98E2F01
                            SHA-256:022F0C6B1892242D163F942DDC30160BF54F53E753F0B514918872C79E96A50F
                            SHA-512:35AAEAB4FEDAEC69777BC843A2EF6F6457265F0BFC06E0837F48314433313636A309CD513F2FF15F54B239A909E8FE8A05B87B29191EF06BEDB4E3CE8AC6D4FE
                            Malicious:false
                            Reputation:low
                            Preview:...7KESWU7RS..QS.9MDNMNR.A0JFC7HESWQ7RSAEQSF9MDNMNRHA0JFC7HE.WQ7\L.KQ.O.l.O..s.)Y9f3E'"!6<.12/+>'f[(d<8 r!/.....%*72.:_YeEQSF9MD..NR.@3J....ESWQ7RSA.QQG2LONM.QHA8JFC7HE..R7RsAEQ.E9MD.MNrHA0HFC3HESWQ7RWAEQSF9MDnINRJA0JFC7JE..Q7BSAUQSF9]DN]NRHA0JVC7HESWQ7RSAM.PFjMDNM.QH.5JFC7HESWQ7RSAEQSF9MDJMBRHA0JFC7HESWQ7RSAEQSF9MDNMNRHA0JFC7HESWQ7RSAEQSF9MDNmNR@A0JFC7HESWQ?rSA.QSF9MDNMNRHoD/>77HE7.R7RsAEQ.E9MFNMNRHA0JFC7HESwQ72}36#0F9M.KMNR.B0J@C7H.PWQ7RSAEQSF9MD.MN.f3U&) 7HISWQ7RWAESSF9.GNMNRHA0JFC7HE.WQuRSAEQSF9MDNMNRHAp.EC7HES.Q7RQA@Q..;M.{LNQHA0KFC1HESWQ7RSAEQSF9MDNMNRHA0JFC7HESWQ7RSAEQSF9MDNMNRH\....{.*o=0T.c.4.:..]..+..?.S.L\...:....t3?..N.Ab...C...0._TNS....~YF5@%.%gNQ.[...nv%w..G+.)...:|. Tl......k....8&....'...+#c/"8-Ud."Q)7:.S.SSAEQ........;0.jgEL)|W+.....uW)...0MNR,A0J4C7H$SWQpRSA*QSFWMDN3NRH?0JF.7HE.WQ7eSAEtSF9 DNMjRHANJFC.5J\...; .QSF9Mq..~.%.......a .,.#}...]....K..NX.1.{...Y..9..R.8@...ILHVMC7NEO.F.....PWE@STB:Ay@....`.l....&..;.-SF9MDN.NR.A0J..7.ESW.7.S..QSF..D.M.R...J
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):0.2344994012762269
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:Pago devuelto #.Documentos#9787565789678675645767856843.exe
                            File size:80'740'352 bytes
                            MD5:73ff62c5ec02105ddabfddd0b2a504db
                            SHA1:24dc9233dc9d095b51a4cfbcabcd68587ee72ed4
                            SHA256:638e107bf5c809f6ee00417883dd6c2dbf1506bfb05720fe3f66437ee96c315c
                            SHA512:46adc5443579959498361e0bdaaf2be2c52e289492ca119c640673d9ca130e1cb75739cb5f867e8e669fcada5f13192a276282ff94ee588ee754b140651178d8
                            SSDEEP:24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8adwdC7T7Ob1wbWWWfepITovo:tTvC/MTQYxsWR7adwdC73W1wbWWaNov
                            TLSH:E408D00273D1C062FFABA2334B5AF6114BBD69660123E61F13981D79BE701B1563E7A3
                            File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                            Icon Hash:aaf3e3e3938382a0
                            Entrypoint:0x420577
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x677EECC3 [Wed Jan 8 21:23:15 2025 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:948cc502fe9226992dce9417f952fce3
                            Instruction
                            call 00007F7CB8D29CF3h
                            jmp 00007F7CB8D295FFh
                            push ebp
                            mov ebp, esp
                            push esi
                            push dword ptr [ebp+08h]
                            mov esi, ecx
                            call 00007F7CB8D297DDh
                            mov dword ptr [esi], 0049FDF0h
                            mov eax, esi
                            pop esi
                            pop ebp
                            retn 0004h
                            and dword ptr [ecx+04h], 00000000h
                            mov eax, ecx
                            and dword ptr [ecx+08h], 00000000h
                            mov dword ptr [ecx+04h], 0049FDF8h
                            mov dword ptr [ecx], 0049FDF0h
                            ret
                            push ebp
                            mov ebp, esp
                            push esi
                            push dword ptr [ebp+08h]
                            mov esi, ecx
                            call 00007F7CB8D297AAh
                            mov dword ptr [esi], 0049FE0Ch
                            mov eax, esi
                            pop esi
                            pop ebp
                            retn 0004h
                            and dword ptr [ecx+04h], 00000000h
                            mov eax, ecx
                            and dword ptr [ecx+08h], 00000000h
                            mov dword ptr [ecx+04h], 0049FE14h
                            mov dword ptr [ecx], 0049FE0Ch
                            ret
                            push ebp
                            mov ebp, esp
                            push esi
                            mov esi, ecx
                            lea eax, dword ptr [esi+04h]
                            mov dword ptr [esi], 0049FDD0h
                            and dword ptr [eax], 00000000h
                            and dword ptr [eax+04h], 00000000h
                            push eax
                            mov eax, dword ptr [ebp+08h]
                            add eax, 04h
                            push eax
                            call 00007F7CB8D2C39Dh
                            pop ecx
                            pop ecx
                            mov eax, esi
                            pop esi
                            pop ebp
                            retn 0004h
                            lea eax, dword ptr [ecx+04h]
                            mov dword ptr [ecx], 0049FDD0h
                            push eax
                            call 00007F7CB8D2C3E8h
                            pop ecx
                            ret
                            push ebp
                            mov ebp, esp
                            push esi
                            mov esi, ecx
                            lea eax, dword ptr [esi+04h]
                            mov dword ptr [esi], 0049FDD0h
                            push eax
                            call 00007F7CB8D2C3D1h
                            test byte ptr [ebp+08h], 00000001h
                            pop ecx
                            Programming Language:
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT0xc8e640x17c.rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xd40000x83c7c.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x1580000x7594.reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG0xb0ff00x1c.rdata
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0xc34000x18.rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xb10100x40.rdata
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0x9c0000x894.rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x83c7c | 0x83e00 | 700bc7916f9043bbcfcccfd32d5e9776 | False | 0.9498648548578199 | data | 7.9404233052764335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x158000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x7af42 | data | | | 1.0003196867467008
RT_GROUP_ICON | 0x1576fc | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x157774 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x157788 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x15779c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1577b0 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x15788c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
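The section and resource tables above carry the static evidence behind the report's "likely a compiled AutoIt script" verdict: .rsrc has an entropy of 7.94 (near the 8.0 ceiling) and a single RT_RCDATA blob of 0x7af42 bytes with a ZLIB complexity above 1.0, meaning it does not compress at all, while the COM descriptor directory is empty, so the outer file is a native stub rather than a .NET binary. The following is an added triage example, not part of the Joe Sandbox report: it computes byte entropy, applies an author-chosen threshold to the section rows copied from the table above, and measures how much of .rsrc one resource occupies. The 7.2 threshold and the constructed sample buffers are assumptions of this example.

```python
"""Static triage of a PE section/resource table: entropy and resource share.

Added example; section and resource rows are copied from the report above,
the thresholds and the sample buffers in entropy_demo() are constructed.
"""
import math
import random
from collections import Counter

# (name, virtual size, raw size, entropy, characteristics) as listed in the report.
SECTIONS = [
    (".text", 0x9ab1d, 0x9ac00, 6.668273581389308,
     "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"),
    (".rdata", 0x2fb82, 0x2fc00, 5.691811547483722,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".data", 0x706c, 0x4800, 0.5846666986982398,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    (".rsrc", 0x83c7c, 0x83e00, 7.9404233052764335,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".reloc", 0x7594, 0x7600, 6.7972128181359786,
     "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ"),
]
# (type, RVA, size) for the three largest resources in the report's resource table.
RESOURCES = [("RT_ICON", 0xd69e8, 0x25a8),
             ("RT_RCDATA", 0xdc7b8, 0x7af42),
             ("RT_MANIFEST", 0x15788c, 0x3ef)]
RSRC_VIRTUAL_SIZE = 0x83c7c

# Author's threshold (assumption): ordinary x86 code sits around 6.0-6.8 bits/byte,
# compressed or encrypted data approaches 8.0.
HIGH_ENTROPY = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_sections(sections, threshold=HIGH_ENTROPY):
    """Flag sections that are both writable and executable, and non-code
    sections whose entropy says they hold a packed or encrypted payload."""
    findings = []
    for name, _vsize, _rsize, entropy, chars in sections:
        executable = "IMAGE_SCN_MEM_EXECUTE" in chars
        writable = "IMAGE_SCN_MEM_WRITE" in chars
        if executable and writable:
            findings.append((name, "writable and executable"))
        if entropy >= threshold and not executable:
            findings.append((name, "high-entropy data: packed or encrypted payload"))
    return findings


def largest_resource_share(resources, rsrc_vsize):
    """Return the biggest resource and the fraction of .rsrc it occupies.
    A single opaque blob filling the section is the shape of an embedded payload."""
    rtype, _rva, size = max(resources, key=lambda r: r[2])
    return rtype, size / rsrc_vsize


def entropy_demo():
    """Constructed buffers: a zero-filled page and a seeded pseudo-random one."""
    rnd = random.Random(1587508)
    noisy = bytes(rnd.getrandbits(8) for _ in range(65536))
    return shannon_entropy(bytes(65536)), shannon_entropy(noisy)


if __name__ == "__main__":
    for finding in triage_sections(SECTIONS):
        print("section", *finding)
    rtype, share = largest_resource_share(RESOURCES, RSRC_VIRTUAL_SIZE)
    print(f"largest resource {rtype} fills {share:.1%} of .rsrc")
    print("entropy zero/random: %.3f / %.3f" % entropy_demo())
```

Run against the report's numbers this flags only .rsrc, and the RT_RCDATA resource accounts for roughly 93% of that section. The high-entropy heuristic is a triage signal, not a verdict: a legitimate installer carrying a compressed archive in its resources looks the same, so the result is read together with the sandbox's behavioural findings.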
DLL | Imports
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 13:48:11.026232004 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 10, 2025 13:48:11.031177998 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Jan 10, 2025 13:48:11.031266928 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 10, 2025 13:48:11.033921957 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 10, 2025 13:48:11.038808107 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Jan 10, 2025 13:48:11.505433083 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Jan 10, 2025 13:48:11.556929111 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 10, 2025 13:49:47.189749956 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Jan 10, 2025 13:49:47.190032959 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 10, 2025 13:49:51.516701937 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 10, 2025 13:49:51.521982908 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 13:48:11.014533043 CET | 62524 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 13:48:11.021842957 CET | 53 | 62524 | 1.1.1.1 | 192.168.2.5
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 13:48:11.014533043 CET | 192.168.2.5 | 1.1.1.1 | 0x4900 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 13:48:11.021842957 CET | 1.1.1.1 | 192.168.2.5 | 0x4900 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                            • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 208.95.112.1 | 80 | 1868 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 13:48:11.033921957 CET | 80 | OUT |
GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 10, 2025 13:48:11.505433083 CET | 175 | IN |
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 12:48:10 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false
                            Target ID:0
                            Start time:07:48:09
                            Start date:10/01/2025
                            Path:C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe"
                            Imagebase:0xfd0000
                            File size:80'740'352 bytes
                            MD5 hash:73FF62C5EC02105DDABFDDD0B2A504DB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                            • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.2066366106.0000000002490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:07:48:09
                            Start date:10/01/2025
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe"
                            Imagebase:0x4a0000
                            File size:45'984 bytes
                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3295964787.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3297380807.0000000002915000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:high
                            Has exited:false
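Two observations in this report pair well as detection logic. First, Target ID 2 is the genuine RegSvcs.exe (MD5 9D352BC46709F0CB5EC974633A0C3C94, reputation high) but its command line is the dropper's path, the footprint of the "Maps a DLL or memory area into another process" and "Writes to foreign memory regions" signatures. Second, the only network activity is a plain-HTTP GET to ip-api.com for the `hosting` field, issued from that RegSvcs.exe process (PID 1868); the answer `false` tells the payload it is not on a datacenter IP, which matches the "Check if machine is in data center or colocation facility" signature. The code below is an added example and not part of the Joe Sandbox report: it runs both checks over constructed Sysmon-style process and HTTP records and joins them on PID. The record field names, the second (benign) process, and the `www.example.com` request are assumptions made for the example.

```python
"""Correlate an image/command-line mismatch with an ip-api.com 'hosting' probe.

Added example; the event records are constructed in the shape of Sysmon
process-creation and proxy/HTTP logs, not copied from sandbox output.
"""
import ntpath
from urllib.parse import parse_qs, urlsplit

# Process-creation records (constructed). The first mirrors the report's Target ID 2.
PROCESS_EVENTS = [
    {"pid": 1868,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe"'},
    {"pid": 4242,  # constructed benign control: RegSvcs started on its own command line
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /u comp.dll'},
]

# HTTP records (constructed). The first mirrors the exchange in the report.
HTTP_EVENTS = [
    {"pid": 1868, "host": "ip-api.com", "method": "GET",
     "uri": "/line/?fields=hosting", "status": 200, "body": "false\n"},
    {"pid": 4242, "host": "www.example.com", "method": "GET",
     "uri": "/index.html", "status": 200, "body": ""},
]


def cmdline_image(cmdline: str) -> str:
    """Executable named by the first token of a Windows command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def image_cmdline_mismatch(evt) -> bool:
    """True when the process image and the executable in its command line differ:
    a hollowed or injected host process keeps the dropper's command line."""
    claimed = ntpath.basename(cmdline_image(evt["cmdline"])).lower()
    actual = ntpath.basename(evt["image"]).lower()
    return claimed != actual


def is_hosting_probe(evt) -> bool:
    """True for an ip-api.com request asking for the 'hosting' field, the query
    this sample uses to learn whether its public IP belongs to a datacenter."""
    if evt["host"].lower() != "ip-api.com":
        return False
    fields = parse_qs(urlsplit(evt["uri"]).query).get("fields", [])
    return any("hosting" in f.split(",") for f in fields)


def correlate(process_events, http_events):
    """Collect (pid, indicator, image) findings from both event streams."""
    image_by_pid = {p["pid"]: p["image"] for p in process_events}
    findings = []
    for p in process_events:
        if image_cmdline_mismatch(p):
            findings.append((p["pid"], "image/cmdline mismatch", p["image"]))
    for h in http_events:
        if is_hosting_probe(h):
            findings.append((h["pid"], "ip-api.com hosting probe",
                             image_by_pid.get(h["pid"], "<unknown>")))
    return findings


def strong_hits(findings):
    """PIDs that carry both indicators; either one alone is only a lead."""
    kinds = {}
    for pid, kind, _image in findings:
        kinds.setdefault(pid, set()).add(kind)
    return sorted(pid for pid, k in kinds.items() if len(k) == 2)


if __name__ == "__main__":
    found = correlate(PROCESS_EVENTS, HTTP_EVENTS)
    for pid, kind, image in found:
        print(f"pid {pid}: {kind} ({image})")
    print("strong hits:", strong_hits(found))
```

The probe is visible only because the sample used plain HTTP on port 80; the same lookup over TLS would leave just the DNS query for ip-api.com and a TLS SNI. Note also what the reply implies for analysis: the sandbox's egress address was not flagged as hosting, so the payload continued; on an IP that answers `true` the sample would be expected to stop before any stealing behaviour is observed.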


                              Execution Graph

                              Execution Coverage:2.6%
                              Dynamic/Decrypted Code Coverage:1.2%
                              Signature Coverage:3.4%
                              Total number of Nodes:1555
                              Total number of Limit Nodes:35
execution_graph: interactive call-graph node/edge listing, not reproduced in text form.
103ccff 4 API calls 97083->97084 97084->97049 97086 1041ea4 97085->97086 97087 1041e9f 97085->97087 97086->97048 97116 1040f67 24 API calls __fread_nolock 97087->97116 97090 103cd19 WriteFile 97089->97090 97091 103cd0e 97089->97091 97090->97060 97117 103cc37 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97091->97117 97094 fd575c CreateFileW 97093->97094 97095 1014035 97093->97095 97096 fd577b 97094->97096 97095->97096 97097 101403b CreateFileW 97095->97097 97096->97075 97096->97076 97097->97096 97098 1014063 97097->97098 97118 fd54c6 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97098->97118 97100 101406e 97100->97096 97101->97081 97102->97083 97103->97049 97104->97068 97106 fd33dd 97105->97106 97107 10130bb 97105->97107 97119 fd33ee 97106->97119 97109 fefddb 22 API calls 97107->97109 97111 10130c5 _wcslen 97109->97111 97110 fd33e8 97114 103cd57 30 API calls 97110->97114 97112 fefe0b 22 API calls 97111->97112 97113 10130fe __fread_nolock 97112->97113 97114->97060 97115->97060 97116->97086 97117->97090 97118->97100 97120 fd33fe _wcslen 97119->97120 97121 101311d 97120->97121 97122 fd3411 97120->97122 97124 fefddb 22 API calls 97121->97124 97123 fda587 22 API calls 97122->97123 97125 fd341e __fread_nolock 97123->97125 97126 1013127 97124->97126 97125->97110 97127 fefe0b 22 API calls 97126->97127 97128 1013157 __fread_nolock 97127->97128 97129->96828 97130->96845 97132 1014a51 97131->97132 97133 fd6362 97131->97133 97156 fd4a88 22 API calls __fread_nolock 97132->97156 97146 fd6373 97133->97146 97136 fd636e 97136->96851 97140 103d4ce lstrlenW GetFileAttributesW FindFirstFileW FindClose 97136->97140 97137 1014a5b 97138 1014a67 97137->97138 97157 fda8c7 22 API calls __fread_nolock 97137->97157 97140->96857 97141->96867 97142->96866 97143->96871 97144->96874 97145->96880 97148 fd6382 97146->97148 97153 fd63b6 __fread_nolock 97146->97153 97147 1014a82 97150 fefddb 22 API calls 97147->97150 97148->97147 97149 fd63a9 97148->97149 97148->97153 97151 fda587 22 API 
calls 97149->97151 97152 1014a91 97150->97152 97151->97153 97154 fefe0b 22 API calls 97152->97154 97153->97136 97155 1014ac5 __fread_nolock 97154->97155 97156->97137 97157->97138 97159 fd7510 53 API calls 97158->97159 97160 1057f90 97159->97160 97177 1057fd5 ISource 97160->97177 97196 1058cd3 97160->97196 97162 105844f 97237 1058ee4 60 API calls 97162->97237 97165 105845e 97166 105828f 97165->97166 97167 105846a 97165->97167 97209 1057e86 97166->97209 97167->97177 97168 fd7510 53 API calls 97174 1058049 97168->97174 97173 10582c8 97224 fefc70 97173->97224 97174->97168 97174->97177 97183 1058281 97174->97183 97228 103417d 22 API calls __fread_nolock 97174->97228 97229 105851d 42 API calls _strftime 97174->97229 97177->96884 97178 1058302 97231 fd63eb 22 API calls 97178->97231 97179 10582e8 97230 104359c 82 API calls __wsopen_s 97179->97230 97182 10582f3 GetCurrentProcess TerminateProcess 97182->97178 97183->97162 97183->97166 97184 1058311 97232 fd6a50 22 API calls 97184->97232 97186 105832a 97195 1058352 97186->97195 97233 fe04f0 22 API calls 97186->97233 97188 10584c5 97188->97177 97190 10584d9 FreeLibrary 97188->97190 97189 1058341 97234 1058b7b 75 API calls 97189->97234 97190->97177 97195->97188 97235 fe04f0 22 API calls 97195->97235 97236 fdaceb 23 API calls ISource 97195->97236 97238 1058b7b 75 API calls 97195->97238 97197 fdaec9 22 API calls 97196->97197 97198 1058cee CharLowerBuffW 97197->97198 97239 1038e54 97198->97239 97202 fda961 22 API calls 97203 1058d2a 97202->97203 97246 fd6d25 22 API calls __fread_nolock 97203->97246 97205 1058d3e 97247 fd93b2 97205->97247 97207 1058e5e _wcslen 97207->97174 97208 1058d48 _wcslen 97208->97207 97251 105851d 42 API calls _strftime 97208->97251 97210 1057ea1 97209->97210 97214 1057eec 97209->97214 97211 fefe0b 22 API calls 97210->97211 97212 1057ec3 97211->97212 97213 fefddb 22 API calls 97212->97213 97212->97214 97213->97212 97215 1059096 97214->97215 97216 10592ab ISource 97215->97216 97222 10590ba _strcat _wcslen 
97215->97222 97216->97173 97217 fdb567 39 API calls 97217->97222 97218 fdb38f 39 API calls 97218->97222 97219 fdb6b5 39 API calls 97219->97222 97220 fd7510 53 API calls 97220->97222 97221 ffea0c 21 API calls ___std_exception_copy 97221->97222 97222->97216 97222->97217 97222->97218 97222->97219 97222->97220 97222->97221 97254 103efae 24 API calls _wcslen 97222->97254 97225 fefc85 97224->97225 97226 fefd1d VirtualProtect 97225->97226 97227 fefceb 97225->97227 97226->97227 97227->97178 97227->97179 97228->97174 97229->97174 97230->97182 97231->97184 97232->97186 97233->97189 97234->97195 97235->97195 97236->97195 97237->97165 97238->97195 97240 1038e74 _wcslen 97239->97240 97241 1038f63 97240->97241 97244 1038ea9 97240->97244 97245 1038f68 97240->97245 97241->97202 97241->97208 97244->97241 97252 fece60 41 API calls 97244->97252 97245->97241 97253 fece60 41 API calls 97245->97253 97246->97205 97248 fd93c9 __fread_nolock 97247->97248 97249 fd93c0 97247->97249 97248->97208 97249->97248 97250 fdaec9 22 API calls 97249->97250 97250->97248 97251->97207 97252->97244 97253->97245 97254->97222 97256 10556a4 97255->97256 97261 10556f2 97255->97261 97257 fefe0b 22 API calls 97256->97257 97258 10556c6 97257->97258 97259 fefddb 22 API calls 97258->97259 97258->97261 97273 1040a59 22 API calls 97258->97273 97259->97258 97261->96891 97263 1040b13 97262->97263 97264 1040ada 97262->97264 97263->96918 97264->97263 97265 fefddb 22 API calls 97264->97265 97265->97263 97266->96896 97267->96902 97268->96908 97269->96896 97270->96919 97271->96923 97272->96896 97273->97258 97274->96717 97275->96717 97276->96721 97277->96721 97278->96721 97279->96721 97280->96718 97281->96721 97282 1008402 97287 10081be 97282->97287 97285 100842a 97292 10081ef try_get_first_available_module 97287->97292 97289 10083ee 97306 10027ec 26 API calls pre_c_initialization 97289->97306 97291 1008343 97291->97285 97299 1010984 97291->97299 97295 1008338 97292->97295 97302 ff8e0b 40 API calls 2 library calls 
97292->97302 97294 100838c 97294->97295 97303 ff8e0b 40 API calls 2 library calls 97294->97303 97295->97291 97305 fff2d9 20 API calls _abort 97295->97305 97297 10083ab 97297->97295 97304 ff8e0b 40 API calls 2 library calls 97297->97304 97307 1010081 97299->97307 97301 101099f 97301->97285 97302->97294 97303->97297 97304->97295 97305->97289 97306->97291 97309 101008d ___BuildCatchObject 97307->97309 97308 101009b 97365 fff2d9 20 API calls _abort 97308->97365 97309->97308 97312 10100d4 97309->97312 97311 10100a0 97366 10027ec 26 API calls pre_c_initialization 97311->97366 97318 101065b 97312->97318 97317 10100aa __fread_nolock 97317->97301 97368 101042f 97318->97368 97321 10106a6 97386 1005221 97321->97386 97322 101068d 97400 fff2c6 20 API calls _abort 97322->97400 97325 1010692 97401 fff2d9 20 API calls _abort 97325->97401 97326 10106ab 97327 10106b4 97326->97327 97328 10106cb 97326->97328 97402 fff2c6 20 API calls _abort 97327->97402 97399 101039a CreateFileW 97328->97399 97332 10106b9 97403 fff2d9 20 API calls _abort 97332->97403 97333 1010781 GetFileType 97336 10107d3 97333->97336 97337 101078c GetLastError 97333->97337 97335 1010756 GetLastError 97405 fff2a3 20 API calls 2 library calls 97335->97405 97408 100516a 21 API calls 3 library calls 97336->97408 97406 fff2a3 20 API calls 2 library calls 97337->97406 97338 1010704 97338->97333 97338->97335 97404 101039a CreateFileW 97338->97404 97342 101079a CloseHandle 97342->97325 97345 10107c3 97342->97345 97344 1010749 97344->97333 97344->97335 97407 fff2d9 20 API calls _abort 97345->97407 97346 10107f4 97349 1010840 97346->97349 97409 10105ab 72 API calls 4 library calls 97346->97409 97348 10107c8 97348->97325 97353 101086d 97349->97353 97410 101014d 72 API calls 4 library calls 97349->97410 97352 1010866 97352->97353 97354 101087e 97352->97354 97411 10086ae 97353->97411 97356 10100f8 97354->97356 97357 10108fc CloseHandle 97354->97357 97367 1010121 LeaveCriticalSection __wsopen_s 97356->97367 97426 101039a 
CreateFileW 97357->97426 97359 1010927 97360 1010931 GetLastError 97359->97360 97361 101095d 97359->97361 97427 fff2a3 20 API calls 2 library calls 97360->97427 97361->97356 97363 101093d 97428 1005333 21 API calls 3 library calls 97363->97428 97365->97311 97366->97317 97367->97317 97369 1010450 97368->97369 97376 101046a 97368->97376 97369->97376 97436 fff2d9 20 API calls _abort 97369->97436 97372 101045f 97437 10027ec 26 API calls pre_c_initialization 97372->97437 97374 10104d1 97383 1010524 97374->97383 97440 ffd70d 26 API calls 2 library calls 97374->97440 97375 10104a2 97375->97374 97438 fff2d9 20 API calls _abort 97375->97438 97429 10103bf 97376->97429 97379 101051f 97381 101059e 97379->97381 97379->97383 97380 10104c6 97439 10027ec 26 API calls pre_c_initialization 97380->97439 97441 10027fc 11 API calls _abort 97381->97441 97383->97321 97383->97322 97385 10105aa 97387 100522d ___BuildCatchObject 97386->97387 97444 1002f5e EnterCriticalSection 97387->97444 97389 100527b 97445 100532a 97389->97445 97390 1005259 97448 1005000 97390->97448 97391 1005234 97391->97389 97391->97390 97396 10052c7 EnterCriticalSection 97391->97396 97394 10052a4 __fread_nolock 97394->97326 97396->97389 97397 10052d4 LeaveCriticalSection 97396->97397 97397->97391 97399->97338 97400->97325 97401->97356 97402->97332 97403->97325 97404->97344 97405->97325 97406->97342 97407->97348 97408->97346 97409->97349 97410->97352 97474 10053c4 97411->97474 97413 10086c4 97487 1005333 21 API calls 3 library calls 97413->97487 97415 10086be 97415->97413 97416 10086f6 97415->97416 97419 10053c4 __wsopen_s 26 API calls 97415->97419 97416->97413 97417 10053c4 __wsopen_s 26 API calls 97416->97417 97420 1008702 CloseHandle 97417->97420 97418 100871c 97421 100873e 97418->97421 97488 fff2a3 20 API calls 2 library calls 97418->97488 97422 10086ed 97419->97422 97420->97413 97424 100870e GetLastError 97420->97424 97421->97356 97423 10053c4 __wsopen_s 26 API calls 97422->97423 97423->97416 97424->97413 
97426->97359 97427->97363 97428->97361 97430 10103d7 97429->97430 97431 10103f2 97430->97431 97442 fff2d9 20 API calls _abort 97430->97442 97431->97375 97433 1010416 97443 10027ec 26 API calls pre_c_initialization 97433->97443 97435 1010421 97435->97375 97436->97372 97437->97376 97438->97380 97439->97374 97440->97379 97441->97385 97442->97433 97443->97435 97444->97391 97456 1002fa6 LeaveCriticalSection 97445->97456 97447 1005331 97447->97394 97457 1004c7d 97448->97457 97450 100501f 97465 10029c8 97450->97465 97452 1005012 97452->97450 97464 1003405 11 API calls 2 library calls 97452->97464 97453 1005071 97453->97389 97455 1005147 EnterCriticalSection 97453->97455 97455->97389 97456->97447 97458 1004c8a __FrameHandler3::FrameUnwindToState 97457->97458 97459 1004cca 97458->97459 97460 1004cb5 RtlAllocateHeap 97458->97460 97471 ff4ead 7 API calls 2 library calls 97458->97471 97472 fff2d9 20 API calls _abort 97459->97472 97460->97458 97462 1004cc8 97460->97462 97462->97452 97464->97452 97466 10029d3 RtlFreeHeap 97465->97466 97470 10029fc _free 97465->97470 97467 10029e8 97466->97467 97466->97470 97473 fff2d9 20 API calls _abort 97467->97473 97469 10029ee GetLastError 97469->97470 97470->97453 97471->97458 97472->97462 97473->97469 97475 10053d1 97474->97475 97477 10053e6 97474->97477 97489 fff2c6 20 API calls _abort 97475->97489 97480 100540b 97477->97480 97491 fff2c6 20 API calls _abort 97477->97491 97479 10053d6 97490 fff2d9 20 API calls _abort 97479->97490 97480->97415 97481 1005416 97492 fff2d9 20 API calls _abort 97481->97492 97484 10053de 97484->97415 97485 100541e 97493 10027ec 26 API calls pre_c_initialization 97485->97493 97487->97418 97488->97421 97489->97479 97490->97484 97491->97481 97492->97485 97493->97484 97494 fdf7bf 97495 fdfcb6 97494->97495 97496 fdf7d3 97494->97496 97531 fdaceb 23 API calls ISource 97495->97531 97498 fdfcc2 97496->97498 97499 fefddb 22 API calls 97496->97499 97532 fdaceb 23 API calls ISource 97498->97532 97501 fdf7e5 97499->97501 
97501->97498 97502 fdf83e 97501->97502 97503 fdfd3d 97501->97503 97505 fe1310 207 API calls 97502->97505 97526 fded9d ISource 97502->97526 97533 1041155 22 API calls 97503->97533 97525 fdec76 ISource 97505->97525 97507 fdfef7 97507->97526 97535 fda8c7 22 API calls __fread_nolock 97507->97535 97509 1024600 97509->97526 97534 fda8c7 22 API calls __fread_nolock 97509->97534 97510 1024b0b 97537 104359c 82 API calls __wsopen_s 97510->97537 97516 fda8c7 22 API calls 97516->97525 97517 fdfbe3 97519 1024bdc 97517->97519 97517->97526 97527 fdf3ae ISource 97517->97527 97518 fda961 22 API calls 97518->97525 97538 104359c 82 API calls __wsopen_s 97519->97538 97521 ff0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97521->97525 97522 1024beb 97539 104359c 82 API calls __wsopen_s 97522->97539 97523 fefddb 22 API calls 97523->97525 97524 ff00a3 29 API calls pre_c_initialization 97524->97525 97525->97507 97525->97509 97525->97510 97525->97516 97525->97517 97525->97518 97525->97521 97525->97522 97525->97523 97525->97524 97525->97526 97525->97527 97528 ff01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97525->97528 97529 fe01e0 207 API calls 2 library calls 97525->97529 97530 fe06a0 41 API calls ISource 97525->97530 97527->97526 97536 104359c 82 API calls __wsopen_s 97527->97536 97528->97525 97529->97525 97530->97525 97531->97498 97532->97503 97533->97526 97534->97526 97535->97526 97536->97526 97537->97526 97538->97522 97539->97526 97540 1023a41 97544 10410c0 97540->97544 97542 1023a4c 97543 10410c0 53 API calls 97542->97543 97543->97542 97545 10410cd 97544->97545 97554 10410fa 97544->97554 97546 10410fc 97545->97546 97548 1041101 97545->97548 97552 10410f4 97545->97552 97545->97554 97556 fefa11 53 API calls 97546->97556 97549 fd7510 53 API calls 97548->97549 97550 1041108 97549->97550 97551 fd6350 22 API calls 97550->97551 97551->97554 97555 fdb270 39 API calls 97552->97555 
97554->97542 97555->97554 97556->97548 97557 1012ba5 97558 fd2b25 97557->97558 97559 1012baf 97557->97559 97585 fd2b83 7 API calls 97558->97585 97600 fd3a5a 97559->97600 97563 1012bb8 97565 fd9cb3 22 API calls 97563->97565 97567 1012bc6 97565->97567 97566 fd2b2f 97574 fd2b44 97566->97574 97589 fd3837 97566->97589 97568 1012bf5 97567->97568 97569 1012bce 97567->97569 97572 fd33c6 22 API calls 97568->97572 97571 fd33c6 22 API calls 97569->97571 97575 1012bd9 97571->97575 97573 1012bf1 GetForegroundWindow ShellExecuteW 97572->97573 97579 1012c26 97573->97579 97577 fd2b5f 97574->97577 97599 fd30f2 Shell_NotifyIconW ___scrt_fastfail 97574->97599 97578 fd6350 22 API calls 97575->97578 97583 fd2b66 SetCurrentDirectoryW 97577->97583 97581 1012be7 97578->97581 97579->97577 97582 fd33c6 22 API calls 97581->97582 97582->97573 97584 fd2b7a 97583->97584 97607 fd2cd4 7 API calls 97585->97607 97587 fd2b2a 97588 fd2c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97587->97588 97588->97566 97590 fd3862 ___scrt_fastfail 97589->97590 97608 fd4212 97590->97608 97594 1013386 Shell_NotifyIconW 97595 fd3906 Shell_NotifyIconW 97612 fd3923 97595->97612 97596 fd38e8 97596->97594 97596->97595 97598 fd391c 97598->97574 97599->97577 97649 1011f50 97600->97649 97603 fd9cb3 22 API calls 97604 fd3a8d 97603->97604 97651 fd3aa2 97604->97651 97606 fd3a97 97606->97563 97607->97587 97609 10135a4 97608->97609 97610 fd38b7 97608->97610 97609->97610 97611 10135ad DestroyIcon 97609->97611 97610->97596 97634 103c874 42 API calls _strftime 97610->97634 97611->97610 97613 fd393f 97612->97613 97632 fd3a13 97612->97632 97614 fd6270 22 API calls 97613->97614 97615 fd394d 97614->97615 97616 1013393 LoadStringW 97615->97616 97617 fd395a 97615->97617 97619 10133ad 97616->97619 97635 fd6b57 97617->97635 97627 fd3994 ___scrt_fastfail 97619->97627 97647 fda8c7 22 API calls __fread_nolock 97619->97647 97620 fd396f 97621 fd397c 97620->97621 97622 10133c9 97620->97622 97621->97619 97624 fd3986 97621->97624 
97625 fd6350 22 API calls 97622->97625 97626 fd6350 22 API calls 97624->97626 97628 10133d7 97625->97628 97626->97627 97630 fd39f9 Shell_NotifyIconW 97627->97630 97628->97627 97629 fd33c6 22 API calls 97628->97629 97631 10133f9 97629->97631 97630->97632 97633 fd33c6 22 API calls 97631->97633 97632->97598 97633->97627 97634->97596 97636 1014ba1 97635->97636 97637 fd6b67 _wcslen 97635->97637 97638 fd93b2 22 API calls 97636->97638 97640 fd6b7d 97637->97640 97641 fd6ba2 97637->97641 97639 1014baa 97638->97639 97639->97639 97648 fd6f34 22 API calls 97640->97648 97642 fefddb 22 API calls 97641->97642 97644 fd6bae 97642->97644 97645 fefe0b 22 API calls 97644->97645 97646 fd6b85 __fread_nolock 97645->97646 97646->97620 97647->97627 97648->97646 97650 fd3a67 GetModuleFileNameW 97649->97650 97650->97603 97652 1011f50 __wsopen_s 97651->97652 97653 fd3aaf GetFullPathNameW 97652->97653 97654 fd3ace 97653->97654 97655 fd3ae9 97653->97655 97656 fd6b57 22 API calls 97654->97656 97665 fda6c3 97655->97665 97658 fd3ada 97656->97658 97661 fd37a0 97658->97661 97662 fd37ae 97661->97662 97663 fd93b2 22 API calls 97662->97663 97664 fd37c2 97663->97664 97664->97606 97666 fda6dd 97665->97666 97667 fda6d0 97665->97667 97668 fefddb 22 API calls 97666->97668 97667->97658 97669 fda6e7 97668->97669 97670 fefe0b 22 API calls 97669->97670 97670->97667 97671 ff03fb 97672 ff0407 ___BuildCatchObject 97671->97672 97700 fefeb1 97672->97700 97674 ff040e 97675 ff0561 97674->97675 97678 ff0438 97674->97678 97727 ff083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97675->97727 97677 ff0568 97728 ff4e52 28 API calls _abort 97677->97728 97686 ff0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97678->97686 97711 100247d 97678->97711 97680 ff056e 97729 ff4e04 28 API calls _abort 97680->97729 97684 ff0576 97685 ff0457 97688 ff04d8 97686->97688 97723 ff4e1a 38 API calls 3 library calls 97686->97723 97719 ff0959 
97688->97719 97691 ff04de 97692 ff04f3 97691->97692 97724 ff0992 GetModuleHandleW 97692->97724 97694 ff04fa 97694->97677 97695 ff04fe 97694->97695 97696 ff0507 97695->97696 97725 ff4df5 28 API calls _abort 97695->97725 97726 ff0040 13 API calls 2 library calls 97696->97726 97699 ff050f 97699->97685 97701 fefeba 97700->97701 97730 ff0698 IsProcessorFeaturePresent 97701->97730 97703 fefec6 97731 ff2c94 10 API calls 3 library calls 97703->97731 97705 fefecb 97710 fefecf 97705->97710 97732 1002317 97705->97732 97708 fefee6 97708->97674 97710->97674 97712 1002494 97711->97712 97713 ff0a8c _ValidateLocalCookies 5 API calls 97712->97713 97714 ff0451 97713->97714 97714->97685 97715 1002421 97714->97715 97716 1002450 97715->97716 97717 ff0a8c _ValidateLocalCookies 5 API calls 97716->97717 97718 1002479 97717->97718 97718->97686 97783 ff2340 97719->97783 97721 ff096c GetStartupInfoW 97722 ff097f 97721->97722 97722->97691 97723->97688 97724->97694 97725->97696 97726->97699 97727->97677 97728->97680 97729->97684 97730->97703 97731->97705 97736 100d1f6 97732->97736 97735 ff2cbd 8 API calls 3 library calls 97735->97710 97739 100d213 97736->97739 97740 100d20f 97736->97740 97738 fefed8 97738->97708 97738->97735 97739->97740 97742 1004bfb 97739->97742 97754 ff0a8c 97740->97754 97743 1004c07 ___BuildCatchObject 97742->97743 97761 1002f5e EnterCriticalSection 97743->97761 97745 1004c0e 97762 10050af 97745->97762 97747 1004c1d 97748 1004c2c 97747->97748 97775 1004a8f 29 API calls 97747->97775 97777 1004c48 LeaveCriticalSection _abort 97748->97777 97751 1004c27 97776 1004b45 GetStdHandle GetFileType 97751->97776 97753 1004c3d __fread_nolock 97753->97739 97755 ff0a97 IsProcessorFeaturePresent 97754->97755 97756 ff0a95 97754->97756 97758 ff0c5d 97755->97758 97756->97738 97782 ff0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97758->97782 97760 ff0d40 97760->97738 97761->97745 97763 10050bb ___BuildCatchObject 97762->97763 97764 10050c8 
97763->97764 97765 10050df 97763->97765 97779 fff2d9 20 API calls _abort 97764->97779 97778 1002f5e EnterCriticalSection 97765->97778 97768 10050cd 97780 10027ec 26 API calls pre_c_initialization 97768->97780 97770 10050d7 __fread_nolock 97770->97747 97771 1005117 97781 100513e LeaveCriticalSection _abort 97771->97781 97773 1005000 __wsopen_s 21 API calls 97774 10050eb 97773->97774 97774->97771 97774->97773 97775->97751 97776->97748 97777->97753 97778->97774 97779->97768 97780->97770 97781->97770 97782->97760 97784 ff2357 97783->97784 97784->97721 97784->97784 97785 fd1098 97790 fd42de 97785->97790 97789 fd10a7 97791 fda961 22 API calls 97790->97791 97792 fd42f5 GetVersionExW 97791->97792 97793 fd6b57 22 API calls 97792->97793 97794 fd4342 97793->97794 97795 fd93b2 22 API calls 97794->97795 97807 fd4378 97794->97807 97796 fd436c 97795->97796 97797 fd37a0 22 API calls 97796->97797 97797->97807 97798 fd441b GetCurrentProcess IsWow64Process 97799 fd4437 97798->97799 97800 fd444f LoadLibraryA 97799->97800 97801 1013824 GetSystemInfo 97799->97801 97802 fd449c GetSystemInfo 97800->97802 97803 fd4460 GetProcAddress 97800->97803 97804 fd4476 97802->97804 97803->97802 97806 fd4470 GetNativeSystemInfo 97803->97806 97808 fd447a FreeLibrary 97804->97808 97809 fd109d 97804->97809 97805 10137df 97806->97804 97807->97798 97807->97805 97808->97809 97810 ff00a3 29 API calls __onexit 97809->97810 97810->97789 97811 fd105b 97816 fd344d 97811->97816 97813 fd106a 97847 ff00a3 29 API calls __onexit 97813->97847 97815 fd1074 97817 fd345d __wsopen_s 97816->97817 97818 fda961 22 API calls 97817->97818 97819 fd3513 97818->97819 97820 fd3a5a 24 API calls 97819->97820 97821 fd351c 97820->97821 97848 fd3357 97821->97848 97824 fd33c6 22 API calls 97825 fd3535 97824->97825 97854 fd515f 97825->97854 97828 fda961 22 API calls 97829 fd354d 97828->97829 97830 fda6c3 22 API calls 97829->97830 97831 fd3556 RegOpenKeyExW 97830->97831 97832 1013176 RegQueryValueExW 97831->97832 97838 fd3578 97831->97838 
97833 1013193 97832->97833 97834 101320c RegCloseKey 97832->97834 97836 fefe0b 22 API calls 97833->97836 97835 101321e _wcslen 97834->97835 97834->97838 97835->97838 97844 fd9cb3 22 API calls 97835->97844 97845 fd515f 22 API calls 97835->97845 97846 fd4c6d 22 API calls 97835->97846 97837 10131ac 97836->97837 97860 fd5722 97837->97860 97838->97813 97841 10131d4 97842 fd6b57 22 API calls 97841->97842 97843 10131ee ISource 97842->97843 97843->97834 97844->97835 97845->97835 97846->97835 97847->97815 97849 1011f50 __wsopen_s 97848->97849 97850 fd3364 GetFullPathNameW 97849->97850 97851 fd3386 97850->97851 97852 fd6b57 22 API calls 97851->97852 97853 fd33a4 97852->97853 97853->97824 97855 fd516e 97854->97855 97859 fd518f __fread_nolock 97854->97859 97857 fefe0b 22 API calls 97855->97857 97856 fefddb 22 API calls 97858 fd3544 97856->97858 97857->97859 97858->97828 97859->97856 97861 fefddb 22 API calls 97860->97861 97862 fd5734 RegQueryValueExW 97861->97862 97862->97841 97862->97843 97863 fd2e37 97864 fda961 22 API calls 97863->97864 97865 fd2e4d 97864->97865 97942 fd4ae3 97865->97942 97867 fd2e6b 97868 fd3a5a 24 API calls 97867->97868 97869 fd2e7f 97868->97869 97870 fd9cb3 22 API calls 97869->97870 97871 fd2e8c 97870->97871 97956 fd4ecb 97871->97956 97874 fd2ead 97978 fda8c7 22 API calls __fread_nolock 97874->97978 97875 1012cb0 97996 1042cf9 97875->97996 97877 1012cc3 97879 1012ccf 97877->97879 98022 fd4f39 97877->98022 97883 fd4f39 68 API calls 97879->97883 97881 fd2ec3 97979 fd6f88 22 API calls 97881->97979 97885 1012ce5 97883->97885 97884 fd2ecf 97886 fd9cb3 22 API calls 97884->97886 98028 fd3084 22 API calls 97885->98028 97887 fd2edc 97886->97887 97980 fda81b 41 API calls 97887->97980 97890 fd2eec 97892 fd9cb3 22 API calls 97890->97892 97891 1012d02 98029 fd3084 22 API calls 97891->98029 97893 fd2f12 97892->97893 97981 fda81b 41 API calls 97893->97981 97896 1012d1e 97897 fd3a5a 24 API calls 97896->97897 97898 1012d44 97897->97898 98030 fd3084 22 API calls 
97898->98030 97899 fd2f21 97902 fda961 22 API calls 97899->97902 97901 1012d50 98031 fda8c7 22 API calls __fread_nolock 97901->98031 97904 fd2f3f 97902->97904 97982 fd3084 22 API calls 97904->97982 97905 1012d5e 98032 fd3084 22 API calls 97905->98032 97908 fd2f4b 97983 ff4a28 40 API calls 3 library calls 97908->97983 97909 1012d6d 98033 fda8c7 22 API calls __fread_nolock 97909->98033 97911 fd2f59 97911->97885 97912 fd2f63 97911->97912 97984 ff4a28 40 API calls 3 library calls 97912->97984 97915 fd2f6e 97915->97891 97917 fd2f78 97915->97917 97916 1012d83 98034 fd3084 22 API calls 97916->98034 97985 ff4a28 40 API calls 3 library calls 97917->97985 97920 1012d90 97921 fd2f83 97921->97896 97922 fd2f8d 97921->97922 97986 ff4a28 40 API calls 3 library calls 97922->97986 97924 fd2f98 97925 fd2fdc 97924->97925 97987 fd3084 22 API calls 97924->97987 97925->97909 97926 fd2fe8 97925->97926 97926->97920 97990 fd63eb 22 API calls 97926->97990 97929 fd2fbf 97988 fda8c7 22 API calls __fread_nolock 97929->97988 97930 fd2ff8 97991 fd6a50 22 API calls 97930->97991 97933 fd2fcd 97989 fd3084 22 API calls 97933->97989 97935 fd3006 97992 fd70b0 23 API calls 97935->97992 97937 fd3021 97940 fd3065 97937->97940 97993 fd6f88 22 API calls 97937->97993 97994 fd70b0 23 API calls 97937->97994 97995 fd3084 22 API calls 97937->97995 97943 fd4af0 __wsopen_s 97942->97943 97944 fd6b57 22 API calls 97943->97944 97945 fd4b22 97943->97945 97944->97945 97953 fd4b58 97945->97953 98035 fd4c6d 97945->98035 97947 fd9cb3 22 API calls 97949 fd4c52 97947->97949 97948 fd9cb3 22 API calls 97948->97953 97950 fd515f 22 API calls 97949->97950 97952 fd4c5e 97950->97952 97951 fd515f 22 API calls 97951->97953 97952->97867 97953->97948 97953->97951 97954 fd4c29 97953->97954 97955 fd4c6d 22 API calls 97953->97955 97954->97947 97954->97952 97955->97953 98038 fd4e90 LoadLibraryA 97956->98038 97961 fd4ef6 LoadLibraryExW 98046 fd4e59 LoadLibraryA 97961->98046 97962 1013ccf 97963 fd4f39 68 API calls 97962->97963 97965 
                              Call graph (rendered by the report's interactive graph viewer; the node and edge list is not reproduced here). API calls visible in this portion of the graph: FreeLibrary, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, CreateFileW, VirtualAlloc, ReadFile, ExitProcess, GetPEB, Sleep, SystemParametersInfoW, SetEvent, ResetEvent, GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetCurrentProcess, DuplicateHandle, CreateThread, CloseHandle, GetOpenFileNameW, GetLongPathNameW.

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph for the function at 00FD42DE (basic-block edges rendered by the interactive viewer, not reproduced here; the function calls GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary and GetSystemInfo, as listed under APIs below).
                              APIs
                              • GetVersionExW.KERNEL32(?), ref: 00FD430D
                                • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                              • GetCurrentProcess.KERNEL32(?,0106CB64,00000000,?,?), ref: 00FD4422
                              • IsWow64Process.KERNEL32(00000000,?,?), ref: 00FD4429
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00FD4454
                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FD4466
                              • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00FD4474
                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 00FD447B
                              • GetSystemInfo.KERNEL32(?,?,?), ref: 00FD44A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                              • String ID: GetNativeSystemInfo$kernel32.dll$|O
                              • API String ID: 3290436268-3101561225
                              • Opcode ID: 3f68ab76f19d29fa15df96b9aa85d74026a89ae2d2080f6abbd35726425b6621
                              • Instruction ID: ca300ab538dcda7dbadbaa2887573ff95459bdb70cb7c037a97528c6edc60007
                              • Opcode Fuzzy Hash: 3f68ab76f19d29fa15df96b9aa85d74026a89ae2d2080f6abbd35726425b6621
                              • Instruction Fuzzy Hash: 54A17E3790EAC0DFC732CF6974402997EE57B26250F88D89AD4C1ABB0ED63E4548DB61

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph for the function at 00FD42A2 (basic-block edges rendered by the interactive viewer, not reproduced here; the function calls CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource, as listed under APIs below).
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FD50AA,?,?,00000000,00000000), ref: 00FD42B2
                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FD50AA,?,?,00000000,00000000), ref: 00FD42C9
                              • LoadResource.KERNEL32(?,00000000,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20), ref: 010135BE
                              • SizeofResource.KERNEL32(?,00000000,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20), ref: 010135D3
                              • LockResource.KERNEL32(00FD50AA,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20,?), ref: 010135E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                              • String ID: SCRIPT
                              • API String ID: 3051347437-3967369404
                              • Opcode ID: 779150f581d366f3b762bac67e75dbe809d34fe908aba790a38d95ecd3026e02
                              • Instruction ID: 9a20dce47b81f62748ad2d0d4817700ed697be4a802990822c8061a239cd0dd6
                              • Opcode Fuzzy Hash: 779150f581d366f3b762bac67e75dbe809d34fe908aba790a38d95ecd3026e02
                              • Instruction Fuzzy Hash: 29117C71200701BFE7218B65DD48F277BBAEBC5B62F14416AF886D7254DB76E8009670

                              Control-flow Graph

                              APIs
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD2B6B
                                • Part of subcall function 00FD3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010A1418,?,00FD2E7F,?,?,?,00000000), ref: 00FD3A78
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                              • GetForegroundWindow.USER32(runas,?,?,?,?,?,01092224), ref: 01012C10
                              • ShellExecuteW.SHELL32(00000000,?,?,01092224), ref: 01012C17
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                              • String ID: runas
                              • API String ID: 448630720-4000483414
                              • Opcode ID: b708a938706d578b68b873b3d0f3d33a0548f615897fa0fed58028e9b43f2578
                              • Instruction ID: 2195e01886312c64bc9bf9f35f8201d0d7d9f5d7834452a629c22947a2c6263f
                              • Opcode Fuzzy Hash: b708a938706d578b68b873b3d0f3d33a0548f615897fa0fed58028e9b43f2578
                              • Instruction Fuzzy Hash: 6911D2316082016AC715FF64DD5196EBBA6ABA1750F4C041FF2C2462A2CF7D8A09B752
                              APIs
                              • GetInputState.USER32 ref: 00FDD807
                              • timeGetTime.WINMM ref: 00FDDA07
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FDDB28
                              • TranslateMessage.USER32(?), ref: 00FDDB7B
                              • DispatchMessageW.USER32(?), ref: 00FDDB89
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FDDB9F
                              • Sleep.KERNEL32(0000000A), ref: 00FDDBB1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                              • String ID:
                              • API String ID: 2189390790-0
                              • Opcode ID: b5a714eb7b6f0f46a1698b2c6ac81da310a384fac9c1ce3bb9e34371606c9655
                              • Instruction ID: 1de6216cec3ae3ca10fdb80e23ff6325f78efa3a025fc81343fa39cfd9737e23
                              • Opcode Fuzzy Hash: b5a714eb7b6f0f46a1698b2c6ac81da310a384fac9c1ce3bb9e34371606c9655
                              • Instruction Fuzzy Hash: AA421330608342DFD739DF24C894BAABBE2BF85314F18855AE4D587391D775E844EB82

                              Control-flow Graph

                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 00FD2D07
                              • RegisterClassExW.USER32(00000030), ref: 00FD2D31
                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD2D42
                              • InitCommonControlsEx.COMCTL32(?), ref: 00FD2D5F
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD2D6F
                              • LoadIconW.USER32(000000A9), ref: 00FD2D85
                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD2D94
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                              • API String ID: 2914291525-1005189915
                              • Opcode ID: aca0c8aabbff89e1949a99ae1d8d67146aae8cec6e182723749481d1882e86f7
                              • Instruction ID: c3f78532a1c807ba05fda7af368226b56545a90e939e9de83918291335868e68
                              • Opcode Fuzzy Hash: aca0c8aabbff89e1949a99ae1d8d67146aae8cec6e182723749481d1882e86f7
                              • Instruction Fuzzy Hash: 632117B5D01358AFEB20DFA4E949BDDBBB8FB08700F00811AF591A6294D7BA0544CF91

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph for the function at 0101065B (basic-block edges rendered by the interactive viewer, not reproduced here; the function calls GetFileType, GetLastError and CloseHandle and reaches CreateFileW through a subcall, as listed under APIs below).
                              APIs
                                • Part of subcall function 0101039A: CreateFileW.KERNELBASE(00000000,00000000,?,01010704,?,?,00000000,?,01010704,00000000,0000000C), ref: 010103B7
                              • GetLastError.KERNEL32 ref: 0101076F
                              • __dosmaperr.LIBCMT ref: 01010776
                              • GetFileType.KERNELBASE(00000000), ref: 01010782
                              • GetLastError.KERNEL32 ref: 0101078C
                              • __dosmaperr.LIBCMT ref: 01010795
                              • CloseHandle.KERNEL32(00000000), ref: 010107B5
                              • CloseHandle.KERNEL32(?), ref: 010108FF
                              • GetLastError.KERNEL32 ref: 01010931
                              • __dosmaperr.LIBCMT ref: 01010938
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: H
                              • API String ID: 4237864984-2852464175
                              • Opcode ID: 864f4027594d7c233ab582dc9384d7fb6ab44ab8f9fee991661cc61ae74a9492
                              • Instruction ID: c046e7d17304479e691a7d271609d77846a4ff5abb0683aa099704938a0cfe78
                              • Opcode Fuzzy Hash: 864f4027594d7c233ab582dc9384d7fb6ab44ab8f9fee991661cc61ae74a9492
                              • Instruction Fuzzy Hash: 99A13832A041098FDF19EF68D851BAE3BE0AF06324F14419DF8D5EB2D9D7398952CB91

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00FD3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010A1418,?,00FD2E7F,?,?,?,00000000), ref: 00FD3A78
                                • Part of subcall function 00FD3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FD3379
                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FD356A
                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0101318D
                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 010131CE
                              • RegCloseKey.ADVAPI32(?), ref: 01013210
                              • _wcslen.LIBCMT ref: 01013277
                              • _wcslen.LIBCMT ref: 01013286
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                              • API String ID: 98802146-2727554177
                              • Opcode ID: 964dfca740a047ebe90bb2f624106ef648d8ae710888828b31ecfa46de1a3446
                              • Instruction ID: 18256a687bb4a9c0a6c31cf53867051ef4c9a8c7b127a713bc0eed05d661d3c7
                              • Opcode Fuzzy Hash: 964dfca740a047ebe90bb2f624106ef648d8ae710888828b31ecfa46de1a3446
                              • Instruction Fuzzy Hash: 9971E4724043019ED324EF69DC818ABBBE8FF86750F84843EF5C497264EB7A9548DB52

                              Control-flow Graph

                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 00FD2B8E
                              • LoadCursorW.USER32(00000000,00007F00), ref: 00FD2B9D
                              • LoadIconW.USER32(00000063), ref: 00FD2BB3
                              • LoadIconW.USER32(000000A4), ref: 00FD2BC5
                              • LoadIconW.USER32(000000A2), ref: 00FD2BD7
                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FD2BEF
                              • RegisterClassExW.USER32(?), ref: 00FD2C40
                                • Part of subcall function 00FD2CD4: GetSysColorBrush.USER32(0000000F), ref: 00FD2D07
                                • Part of subcall function 00FD2CD4: RegisterClassExW.USER32(00000030), ref: 00FD2D31
                                • Part of subcall function 00FD2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD2D42
                                • Part of subcall function 00FD2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00FD2D5F
                                • Part of subcall function 00FD2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD2D6F
                                • Part of subcall function 00FD2CD4: LoadIconW.USER32(000000A9), ref: 00FD2D85
                                • Part of subcall function 00FD2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD2D94
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                              • String ID: #$0$AutoIt v3
                              • API String ID: 423443420-4155596026
                              • Opcode ID: 5748b6c0cb35e84f66f941b2b17884b6edcc36b79a2f7e64fb8855132e563b45
                              • Instruction ID: db43bd0a8cc39adac1eed36ab4823e4ee7809fb39f5c15c2a3acca650c6475ba
                              • Opcode Fuzzy Hash: 5748b6c0cb35e84f66f941b2b17884b6edcc36b79a2f7e64fb8855132e563b45
                              • Instruction Fuzzy Hash: AA218E76E00314AFDB209FA5E944B9D7FF5FB08B50F40801AF584A2394D3BA0540DF90

                              Control-flow Graph

                              APIs
                              • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00FD316A,?,?), ref: 00FD31D8
                              • KillTimer.USER32(?,00000001,?,?,?,?,?,00FD316A,?,?), ref: 00FD3204
                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FD3227
                              • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00FD316A,?,?), ref: 00FD3232
                              • CreatePopupMenu.USER32 ref: 00FD3246
                              • PostQuitMessage.USER32(00000000), ref: 00FD3267
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                              • String ID: TaskbarCreated
                              • API String ID: 129472671-2362178303
                              • Opcode ID: a7781a905c0220edc4fae11d086ea3ef84c7bfc5d201ae992257bc2c964b9701
                              • Instruction ID: b44e235fa34e885523597182ec83334bbf163cb4746656d8545beef21e235f4c
                              • Opcode Fuzzy Hash: a7781a905c0220edc4fae11d086ea3ef84c7bfc5d201ae992257bc2c964b9701
                              • Instruction Fuzzy Hash: 6941E437A00201AAEB246FB8DD09B793A5AF705351F5C411BF7D2C6395CA7E9A40B362

                              Control-flow Graph

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 04172739
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0417295F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2066526599.0000000004170000.00000040.00000020.00020000.00000000.sdmp, Offset: 04170000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4170000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                              • Instruction ID: 02a846d032e5373adef918b1fac3dd7c03350541529f87eda7472dd0e4ff3985
                              • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                              • Instruction Fuzzy Hash: 03A12A70E40209EBDB14CFA4C994BEEB7B5FF48304F208599E515BB280D779AA81DF50

                              Control-flow Graph

                              APIs
                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FD2C91
                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FD2CB2
                              • ShowWindow.USER32(00000000,?,?,?,?,?,?,00FD1CAD,?), ref: 00FD2CC6
                              • ShowWindow.USER32(00000000,?,?,?,?,?,?,00FD1CAD,?), ref: 00FD2CCF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$CreateShow
                              • String ID: AutoIt v3$edit
                              • API String ID: 1584632944-3779509399
                              • Opcode ID: 6af094bf6a0cbca682249db23407bd25431b1b282bafe0ca61098e5037ad3c88
                              • Instruction ID: a93a18b714e900f76310d983049d1f86ebff188efbb9c3ffd160354d1955f61a
                              • Opcode Fuzzy Hash: 6af094bf6a0cbca682249db23407bd25431b1b282bafe0ca61098e5037ad3c88
                              • Instruction Fuzzy Hash: 83F0DA765406A07AEB311B17AC0CE772EBDE7C6F60F40805EF980A6554C6BA1850DBB0

                              Control-flow Graph

                              APIs
                                • Part of subcall function 041722E8: Sleep.KERNELBASE(000001F4), ref: 041722F9
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 04172557
                              Memory Dump Source
                              • Source File: 00000000.00000002.2066526599.0000000004170000.00000040.00000020.00020000.00000000.sdmp, Offset: 04170000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4170000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CreateFileSleep
                              • String ID: JFC7HESWQ7RSAEQSF9MDNMNRHA0
                              • API String ID: 2694422964-3822831128
                              • Opcode ID: e66793ffc4a6189b964e01788b01a5c9fcf04795afb8661014e1065d63030031
                              • Instruction ID: a0f1e8b69b40280f0365029172b9dff54de800e75c9ec484ed5ee7fd8a6886d2
                              • Opcode Fuzzy Hash: e66793ffc4a6189b964e01788b01a5c9fcf04795afb8661014e1065d63030031
                              • Instruction Fuzzy Hash: 9461A570D04288DAEF11DBF4C848BEEBB75AF19304F044199E648BB2C1D7B91B49CB66

                              Control-flow Graph

                              APIs
                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B40
                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B61
                              • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B83
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: Control Panel\Mouse
                              • API String ID: 3677997916-824357125
                              • Opcode ID: 3eb3e8727deb137a3fa924c0ada26fcd4bdc96114e2067c6e751f1fc54e08ecf
                              • Instruction ID: 39c419590c175170c2e9e2ae6e5a0efa0853f9fd37f2d10228e1dc9b1e5fdf20
                              • Opcode Fuzzy Hash: 3eb3e8727deb137a3fa924c0ada26fcd4bdc96114e2067c6e751f1fc54e08ecf
                              • Instruction Fuzzy Hash: B8115AB5510208FFEB208FA4DC44AAEB7B9EF41750B14446BF941D7214D2319F40A760

                              Control-flow Graph

                              APIs
                              • CreateProcessW.KERNELBASE(?,00000000), ref: 04171B15
                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04171B39
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04171B5B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2066526599.0000000004170000.00000040.00000020.00020000.00000000.sdmp, Offset: 04170000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4170000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                              • String ID:
                              • API String ID: 2438371351-0
                              • Opcode ID: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
                              • Instruction ID: ab6ea56348406fc87dc9fa5f903ec2ee0202c8e5f395b6dd666e98121c485e82
                              • Opcode Fuzzy Hash: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
                              • Instruction Fuzzy Hash: D262EC30A14658DBEB24CFA4C890BDEB376EF58700F1091A9D10DEB390EB759E85CB59

                              Control-flow Graph

                              APIs
                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 010133A2
                                • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FD3A04
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: IconLoadNotifyShell_String_wcslen
                              • String ID: Line:
                              • API String ID: 2289894680-1585850449
                              • Opcode ID: c40cf3647c785b3d4f73978239ad2967b4d3af6fcd398ac73093cb48dee996a7
                              • Instruction ID: a30fad9011d538f131692e8177828903b99432fb2e9a0dafff3da6383c6931ad
                              • Opcode Fuzzy Hash: c40cf3647c785b3d4f73978239ad2967b4d3af6fcd398ac73093cb48dee996a7
                              • Instruction Fuzzy Hash: 9131E272508304AAD325EB20DC45BEFB7DAAF40720F08452FF6D982285DB789A48D7D3
                              APIs
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0668
                                • Part of subcall function 00FF32A4: RaiseException.KERNEL32(?,?,?,00FF068A,?,010A1444,?,?,?,?,?,?,00FF068A,00FD1129,01098738,00FD1129), ref: 00FF3304
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0685
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Exception@8Throw$ExceptionRaise
                              • String ID: Unknown exception
                              • API String ID: 3476068407-410509341
                              • Opcode ID: 77ff278bf788128f6e27b766c51b2a75ae87a7fd4674eb2c2eeaa24b2c25ed10
                              • Instruction ID: 6549ce84ff6b2fa1da23615da2e789f0c6d8cd7ba87a70eb96777c81d314ab7b
                              • Opcode Fuzzy Hash: 77ff278bf788128f6e27b766c51b2a75ae87a7fd4674eb2c2eeaa24b2c25ed10
                              • Instruction Fuzzy Hash: 10F02835D0020D738F10BA65DC46D7E7B6C5E00320B504071BA14C55B2EF74EA29F5C0
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 010582F5
                              • TerminateProcess.KERNEL32(00000000), ref: 010582FC
                              • FreeLibrary.KERNEL32(?,?,?,?), ref: 010584DD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: Process$CurrentFreeLibraryTerminate
                              • String ID:
                              • API String ID: 146820519-0
                              APIs
                                • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD1BF4
                                • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD1BFC
                                • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD1C07
                                • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD1C12
                                • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD1C1A
                                • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD1C22
                                • Part of subcall function 00FD1B4A: RegisterWindowMessageW.USER32(00000004,?,00FD12C4), ref: 00FD1BA2
                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FD136A
                              • OleInitialize.OLE32 ref: 00FD1388
                              • CloseHandle.KERNEL32(00000000,00000000), ref: 010124AB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                              • String ID:
                              • API String ID: 1986988660-0
                              APIs
                              • CloseHandle.KERNELBASE(00000000,00000000,?,?,010085CC,?,01098CC8,0000000C), ref: 01008704
                              • GetLastError.KERNEL32(?,010085CC,?,01098CC8,0000000C), ref: 0100870E
                              • __dosmaperr.LIBCMT ref: 01008739
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 00FE17F6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: Init_thread_footer
                              • String ID: CALL
                              • API String ID: 1385522511-4196123274
                              APIs
                              • GetOpenFileNameW.COMDLG32(?), ref: 01012C8C
                                • Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2
                                • Part of subcall function 00FD2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD2DC4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: Name$Path$FileFullLongOpen
                              • String ID: X
                              • API String ID: 779396738-3081909835
                              APIs
                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD3908
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: IconNotifyShell_
                              • String ID:
                              • API String ID: 1144537725-0
                              APIs
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00FD949C,?,00008000), ref: 00FD5773
                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00FD949C,?,00008000), ref: 01014052
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 00FDBB4E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: Init_thread_footer
                              • String ID:
                              • API String ID: 1385522511-0
                              APIs
                              • CreateProcessW.KERNELBASE(?,00000000), ref: 04171B15
                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04171B39
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04171B5B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2066526599.0000000004170000.00000040.00000020.00020000.00000000.sdmp, Offset: 04170000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4170000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                              • String ID:
                              • API String ID: 2438371351-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: LoadString
                              • String ID:
                              • API String ID: 2948472770-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              APIs
                                • Part of subcall function 00FD4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E9C
                                • Part of subcall function 00FD4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4EAE
                                • Part of subcall function 00FD4E90: FreeLibrary.KERNEL32(00000000,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EC0
                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EFD
                                • Part of subcall function 00FD4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E62
                                • Part of subcall function 00FD4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FD4E74
                                • Part of subcall function 00FD4E59: FreeLibrary.KERNEL32(00000000,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E87
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: Library$Load$AddressFreeProc
                              • String ID:
                              • API String ID: 2632591731-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              APIs
                                • Part of subcall function 01004C7D: RtlAllocateHeap.NTDLL(00000008,00FD1129,00000000,?,01002E29,00000001,00000364,?,?,?,00FFF2DE,01003863,010A1444,?,00FEFDF5,?), ref: 01004CBE
                              • _free.LIBCMT ref: 0100506C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: AllocateHeap_free
                              • String ID:
                              • API String ID: 614378929-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                              • RtlAllocateHeap.NTDLL(00000008,00FD1129,00000000,?,01002E29,00000001,00000364,?,?,?,00FFF2DE,01003863,010A1444,?,00FEFDF5,?), ref: 01004CBE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              APIs
                              • FreeLibrary.KERNEL32(?,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4F6D
                              Similarity
                              • API ID: FreeLibrary
                              • String ID:
                              • API String ID: 3664257935-0
                              APIs
                              • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0101EE51,01093630,00000002), ref: 0103CD26
                                • Part of subcall function 0103CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0103CD19,?,?,?), ref: 0103CC59
                                • Part of subcall function 0103CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0103CD19,?,?,?,?,0101EE51,01093630,00000002), ref: 0103CC6E
                                • Part of subcall function 0103CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0103CD19,?,?,?,?,0101EE51,01093630,00000002), ref: 0103CC7A
                              Similarity
                              • API ID: File$Pointer$Write
                              • String ID:
                              • API String ID: 3847668363-0
                              APIs
                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD2DC4
                                • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                              Similarity
                              • API ID: LongNamePath_wcslen
                              • String ID:
                              • API String ID: 541455249-0
                              APIs
                                • Part of subcall function 00FD3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD3908
                                • Part of subcall function 00FDD730: GetInputState.USER32 ref: 00FDD807
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD2B6B
                                • Part of subcall function 00FD30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FD314E
                              Similarity
                              • API ID: IconNotifyShell_$CurrentDirectoryInputState
                              • String ID:
                              • API String ID: 3667716007-0
                              APIs
                              • CreateFileW.KERNELBASE(00000000,00000000,?,01010704,?,?,00000000,?,01010704,00000000,0000000C), ref: 010103B7
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              APIs
                              • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00FD1CBC
                              Similarity
                              • API ID: InfoParametersSystem
                              • String ID:
                              • API String ID: 3098949447-0
                              APIs
                                • Part of subcall function 00FD5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00FD949C,?,00008000), ref: 00FD5773
                              • GetLastError.KERNEL32(00000002,00000000), ref: 010476DE
                              Similarity
                              • API ID: CreateErrorFileLast
                              • String ID:
                              • API String ID: 1214770103-0
                              APIs
                              • CloseHandle.KERNELBASE(?,?,00000000,010124E0), ref: 00FD6266
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              APIs
                              • Sleep.KERNELBASE(000001F4), ref: 041722F9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2066526599.0000000004170000.00000040.00000020.00020000.00000000.sdmp, Offset: 04170000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4170000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              APIs
                                • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0106961A
                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0106965B
                              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0106969F
                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010696C9
                              • SendMessageW.USER32 ref: 010696F2
                              • GetKeyState.USER32(00000011), ref: 0106978B
                              • GetKeyState.USER32(00000009), ref: 01069798
                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010697AE
                              • GetKeyState.USER32(00000010), ref: 010697B8
                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010697E9
                              • SendMessageW.USER32 ref: 01069810
                              • SendMessageW.USER32(?,00001030,?,01067E95), ref: 01069918
                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0106992E
                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01069941
                              • SetCapture.USER32(?), ref: 0106994A
                              • ClientToScreen.USER32(?,?), ref: 010699AF
                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010699BC
                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010699D6
                              • ReleaseCapture.USER32 ref: 010699E1
                              • GetCursorPos.USER32(?), ref: 01069A19
                              • ScreenToClient.USER32(?,?), ref: 01069A26
                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 01069A80
                              • SendMessageW.USER32 ref: 01069AAE
                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 01069AEB
                              • SendMessageW.USER32 ref: 01069B1A
                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01069B3B
                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 01069B4A
                              • GetCursorPos.USER32(?), ref: 01069B68
                              • ScreenToClient.USER32(?,?), ref: 01069B75
                              • GetParent.USER32(?), ref: 01069B93
                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 01069BFA
                              • SendMessageW.USER32 ref: 01069C2B
                              • ClientToScreen.USER32(?,?), ref: 01069C84
                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01069CB4
                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 01069CDE
                              • SendMessageW.USER32 ref: 01069D01
                              • ClientToScreen.USER32(?,?), ref: 01069D4E
                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01069D82
                                • Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952
                              • GetWindowLongW.USER32(?,000000F0), ref: 01069E05
                              Strings
                              Similarity
                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                              • String ID: @GUI_DRAGID$F
                              • API String ID: 3429851547-4164748364
                              APIs
                              • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010648F3
                              • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01064908
                              • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01064927
                              • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0106494B
                              • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0106495C
                              • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0106497B
                              • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010649AE
                              • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010649D4
                              • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01064A0F
                              • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01064A56
                              • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01064A7E
                              • IsMenu.USER32(?), ref: 01064A97
                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01064AF2
                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01064B20
                              • GetWindowLongW.USER32(?,000000F0), ref: 01064B94
                              • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01064BE3
                              • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01064C82
                              • wsprintfW.USER32 ref: 01064CAE
                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01064CC9
                              • GetWindowTextW.USER32(?,00000000,00000001), ref: 01064CF1
                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01064D13
                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01064D33
                              • GetWindowTextW.USER32(?,00000000,00000001), ref: 01064D5A
                              Strings
                              Similarity
                              • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                              • String ID: %d/%02d/%02d
                              • API String ID: 4054740463-328681919
                              APIs
                              • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00FEF998
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0102F474
                              • IsIconic.USER32(00000000), ref: 0102F47D
                              • ShowWindow.USER32(00000000,00000009), ref: 0102F48A
                              • SetForegroundWindow.USER32(00000000), ref: 0102F494
                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0102F4AA
                              • GetCurrentThreadId.KERNEL32 ref: 0102F4B1
                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0102F4BD
                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0102F4CE
                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0102F4D6
                              • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0102F4DE
                              • SetForegroundWindow.USER32(00000000), ref: 0102F4E1
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F4F6
                              • keybd_event.USER32(00000012,00000000), ref: 0102F501
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F50B
                              • keybd_event.USER32(00000012,00000000), ref: 0102F510
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F519
                              • keybd_event.USER32(00000012,00000000), ref: 0102F51E
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F528
                              • keybd_event.USER32(00000012,00000000), ref: 0102F52D
                              • SetForegroundWindow.USER32(00000000), ref: 0102F530
                              • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0102F557
                              Strings
                              Similarity
                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                              • String ID: Shell_TrayWnd
                              • API String ID: 4125248594-2988720461
                              • Opcode ID: 9dfd5b79de74c415b44c299c254640a8633fa5de87b095c9fe1564f5b2e1e952
                              • Instruction ID: 096a6e357637c802f38b52a7af85cca28bd3472e33fbe5221648045364ae3665
                              • Opcode Fuzzy Hash: 9dfd5b79de74c415b44c299c254640a8633fa5de87b095c9fe1564f5b2e1e952
                              • Instruction Fuzzy Hash: 26316371A40228BBFB316BB55D4AFBF7EBCEB48B50F100056F681E61D1C6B65940AB60
                              APIs
                                • Part of subcall function 010316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
                                • Part of subcall function 010316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
                                • Part of subcall function 010316C3: GetLastError.KERNEL32 ref: 0103174A
                              • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01031286
                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 010312A8
                              • CloseHandle.KERNEL32(?), ref: 010312B9
                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010312D1
                              • GetProcessWindowStation.USER32 ref: 010312EA
                              • SetProcessWindowStation.USER32(00000000), ref: 010312F4
                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01031310
                                • Part of subcall function 010310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010311FC), ref: 010310D4
                                • Part of subcall function 010310BF: CloseHandle.KERNEL32(?,?,010311FC), ref: 010310E9
                              Strings
                              Similarity
                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                              • String ID: $default$winsta0
                              • API String ID: 22674027-1027155976
                              • Opcode ID: f0538457262657f0d42d32abbeee6c3fc53f8c6389e5d7bcabd1b243dc9553a0
                              • Instruction ID: 2609fc78dde7f0251200bb50a70782f0b8686f62661bd66ae53c4ac1f914204d
                              • Opcode Fuzzy Hash: f0538457262657f0d42d32abbeee6c3fc53f8c6389e5d7bcabd1b243dc9553a0
                              • Instruction Fuzzy Hash: 24819F71900309AFEF219FA9DD49BEE7FBDEF48700F044159FA90A61A0CB799944CB20
                              APIs
                                • Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
                                • Part of subcall function 010310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
                                • Part of subcall function 010310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
                                • Part of subcall function 010310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
                                • Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D
                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01030BCC
                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01030C00
                              • GetLengthSid.ADVAPI32(?), ref: 01030C17
                              • GetAce.ADVAPI32(?,00000000,?), ref: 01030C51
                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01030C6D
                              • GetLengthSid.ADVAPI32(?), ref: 01030C84
                              • GetProcessHeap.KERNEL32(00000008,00000008), ref: 01030C8C
                              • HeapAlloc.KERNEL32(00000000), ref: 01030C93
                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 01030CB4
                              • CopySid.ADVAPI32(00000000), ref: 01030CBB
                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01030CEA
                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01030D0C
                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 01030D1E
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D45
                              • HeapFree.KERNEL32(00000000), ref: 01030D4C
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D55
                              • HeapFree.KERNEL32(00000000), ref: 01030D5C
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D65
                              • HeapFree.KERNEL32(00000000), ref: 01030D6C
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 01030D78
                              • HeapFree.KERNEL32(00000000), ref: 01030D7F
                                • Part of subcall function 01031193: GetProcessHeap.KERNEL32(00000008,01030BB1,?,00000000,?,01030BB1,?), ref: 010311A1
                                • Part of subcall function 01031193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01030BB1,?), ref: 010311A8
                                • Part of subcall function 01031193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01030BB1,?), ref: 010311B7
                              Similarity
                              • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                              • String ID:
                              • API String ID: 4175595110-0
                              • Opcode ID: f191ae0be6679eaf95594140cd64876761de90e14391edd78a59a53da82e9900
                              • Instruction ID: 7632634019419939cc80d93b6df0b354d9cc76cb34c90178d721eb90b6b9ebb8
                              • Opcode Fuzzy Hash: f191ae0be6679eaf95594140cd64876761de90e14391edd78a59a53da82e9900
                              • Instruction Fuzzy Hash: CF719D7590120AABEF20EFA8DD48BEEBBFCBF45300F044195FA94A6194D775A905CB60
                              APIs
                              • OpenClipboard.USER32(0106CC08), ref: 0104EB29
                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 0104EB37
                              • GetClipboardData.USER32(0000000D), ref: 0104EB43
                              • CloseClipboard.USER32 ref: 0104EB4F
                              • GlobalLock.KERNEL32(00000000), ref: 0104EB87
                              • CloseClipboard.USER32 ref: 0104EB91
                              • GlobalUnlock.KERNEL32(00000000), ref: 0104EBBC
                              • IsClipboardFormatAvailable.USER32(00000001), ref: 0104EBC9
                              • GetClipboardData.USER32(00000001), ref: 0104EBD1
                              • GlobalLock.KERNEL32(00000000), ref: 0104EBE2
                              • GlobalUnlock.KERNEL32(00000000), ref: 0104EC22
                              • IsClipboardFormatAvailable.USER32(0000000F), ref: 0104EC38
                              • GetClipboardData.USER32(0000000F), ref: 0104EC44
                              • GlobalLock.KERNEL32(00000000), ref: 0104EC55
                              • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0104EC77
                              • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0104EC94
                              • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0104ECD2
                              • GlobalUnlock.KERNEL32(00000000), ref: 0104ECF3
                              • CountClipboardFormats.USER32 ref: 0104ED14
                              • CloseClipboard.USER32 ref: 0104ED59
                              Similarity
                              • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                              • String ID:
                              • API String ID: 420908878-0
                              • Opcode ID: af356c85b48413c976a48fa90e705547dd5df30db7f98e805ecb1a454da7077f
                              • Instruction ID: dc144dbfdbe9f37e9a226ad207f2f95fd2f0d7d0f292ce05aa7a27932d7e13a5
                              • Opcode Fuzzy Hash: af356c85b48413c976a48fa90e705547dd5df30db7f98e805ecb1a454da7077f
                              • Instruction Fuzzy Hash: BF61E7742043019FE310EF68D984F6A7BE5BF88704F08456EF5D6872A5CB79E905CBA2
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 010469BE
                              • FindClose.KERNEL32(00000000), ref: 01046A12
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01046A4E
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01046A75
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 01046AB2
                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 01046ADF
                              Strings
                              Similarity
                              • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                              • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                              • API String ID: 3830820486-3289030164
                              • Opcode ID: d2897cdda3c0a8ed2d6f077d6997730080498010f80e12a23759c15c75b9832f
                              • Instruction ID: c2462a4eba1ff1fe58e52217705736c6a41ae610ff6f0fb6f58c86b3779731f6
                              • Opcode Fuzzy Hash: d2897cdda3c0a8ed2d6f077d6997730080498010f80e12a23759c15c75b9832f
                              • Instruction Fuzzy Hash: 56D182B1508301AFD310EBA4CC91EABB7EDAF88704F44491EF585C7291EB79DA44DB62
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 01049663
                              • GetFileAttributesW.KERNEL32(?), ref: 010496A1
                              • SetFileAttributesW.KERNEL32(?,?), ref: 010496BB
                              • FindNextFileW.KERNEL32(00000000,?), ref: 010496D3
                              • FindClose.KERNEL32(00000000), ref: 010496DE
                              • FindFirstFileW.KERNEL32(*.*,?), ref: 010496FA
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0104974A
                              • SetCurrentDirectoryW.KERNEL32(01096B7C), ref: 01049768
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 01049772
                              • FindClose.KERNEL32(00000000), ref: 0104977F
                              • FindClose.KERNEL32(00000000), ref: 0104978F
                              Strings
                              Similarity
                              • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                              • String ID: *.*
                              • API String ID: 1409584000-438819550
                              • Opcode ID: e7db8a943ca896582cc0f0f290626e527696af3a06519484add0e040ee69e412
                              • Instruction ID: 112e0817df21845b71b3b9eac424a0878e539b204562aa302986fcf9e0a82482
                              • Opcode Fuzzy Hash: e7db8a943ca896582cc0f0f290626e527696af3a06519484add0e040ee69e412
                              • Instruction Fuzzy Hash: 2231B6715006196BEF24EEB9DD48ADF77ECAF4D224F0041B5EAD5E20A0D735D9408B14
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 010497BE
                              • FindNextFileW.KERNEL32(00000000,?), ref: 01049819
                              • FindClose.KERNEL32(00000000), ref: 01049824
                              • FindFirstFileW.KERNEL32(*.*,?), ref: 01049840
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 01049890
                              • SetCurrentDirectoryW.KERNEL32(01096B7C), ref: 010498AE
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 010498B8
                              • FindClose.KERNEL32(00000000), ref: 010498C5
                              • FindClose.KERNEL32(00000000), ref: 010498D5
                                • Part of subcall function 0103DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0103DB00
                              Strings
                              Similarity
                              • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                              • String ID: *.*
                              • API String ID: 2640511053-438819550
                              • Opcode ID: 300fffc29bf62bb474ec6c112401c5cb9edea566bc8f60dde96dd2bf2f37406f
                              • Instruction ID: 8ea3abe6c2c480cb9199e4cb4a518c3476eecbab5eb55209a7902f1bb266969a
                              • Opcode Fuzzy Hash: 300fffc29bf62bb474ec6c112401c5cb9edea566bc8f60dde96dd2bf2f37406f
                              • Instruction Fuzzy Hash: B831C971500619ABFF20EEBDDC849DF77AC9F49224F1041B9E9D4A2090D735D9458B20
                              APIs
                              • GetLocalTime.KERNEL32(?), ref: 01048257
                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 01048267
                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01048273
                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01048310
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 01048324
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 01048356
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0104838C
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 01048395
                              Strings
                              Similarity
                              • API ID: CurrentDirectoryTime$File$Local$System
                              • String ID: *.*
                              • API String ID: 1464919966-438819550
                              • Opcode ID: 50c228fe0ce6fb6d992c7b7460577c18d8f9591c53aa6803462a05983567cf86
                              • Instruction ID: 89c388f2d129912c32cfb226af37599b023e3ba6269f36bcfb1e4eb5fddcac56
                              • Opcode Fuzzy Hash: 50c228fe0ce6fb6d992c7b7460577c18d8f9591c53aa6803462a05983567cf86
                              • Instruction Fuzzy Hash: D9616BB25043059FD710EF64C8849AEB3E9FF89310F08896EF9C997261DB35E945CB92
                              APIs
                                • Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2
                                • Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A
                              • FindFirstFileW.KERNEL32(?,?), ref: 0103D122
                              • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0103D1DD
                              • MoveFileW.KERNEL32(?,?), ref: 0103D1F0
                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 0103D20D
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0103D237
                                • Part of subcall function 0103D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0103D21C,?,?), ref: 0103D2B2
                              • FindClose.KERNEL32(00000000,?,?,?), ref: 0103D253
                              • FindClose.KERNEL32(00000000), ref: 0103D264
                              Strings
                              Similarity
                              • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                              • String ID: \*.*
                              • API String ID: 1946585618-1173974218
                              • Opcode ID: 46a9e390b8f3e3859e5f8e4506151aced2fd9afdb4a856996d112390b17633c7
                              • Instruction ID: cb7a299331571eeeea31f0c4053f359cb4add79073c826cd9ce061643095210b
                              • Opcode Fuzzy Hash: 46a9e390b8f3e3859e5f8e4506151aced2fd9afdb4a856996d112390b17633c7
                              • Instruction Fuzzy Hash: 5261BF31D0510DABCF05EBE0DE929EDB7BAAF51300F6841A6E48173291EB359F09DB61
                              APIs
                              Similarity
                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                              • String ID:
                              • API String ID: 1737998785-0
                              • Opcode ID: acc108c61bb502c0bc0e3cfc348f11cc846743caf7719085ecf126eaceb278a1
                              • Instruction ID: babc42bac95da38c92b3c6a7831d4689abbd8c5e7e65a190700bbaa6f69c7313
                              • Opcode Fuzzy Hash: acc108c61bb502c0bc0e3cfc348f11cc846743caf7719085ecf126eaceb278a1
                              • Instruction Fuzzy Hash: F4418D75204611AFE721DF19D488B19BBE5FF48318F04C0A9E89A8B662C77AFC41CB90
                              APIs
                                • Part of subcall function 010316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
                                • Part of subcall function 010316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
                                • Part of subcall function 010316C3: GetLastError.KERNEL32 ref: 0103174A
                              • ExitWindowsEx.USER32(?,00000000), ref: 0103E932
                              Strings
                              Similarity
                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                              • String ID: $ $@$SeShutdownPrivilege
                              • API String ID: 2234035333-3163812486
                              • Opcode ID: c697a9bc40abe1edfb24679dc2e8d04462e1e722006086ddf00d1c9cf9cfc56e
                              • Instruction ID: 80ebed5fcc2eead0c79f8891104191edd3015d95d09cba3b71592ab51d7080a8
                              • Opcode Fuzzy Hash: c697a9bc40abe1edfb24679dc2e8d04462e1e722006086ddf00d1c9cf9cfc56e
                              • Instruction Fuzzy Hash: BE01D672610211ABFB6426B8DD85BFF729C9798750F054A23FDC2E21D1D5A55C4083A0
                              APIs
                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01051276
                              • WSAGetLastError.WSOCK32 ref: 01051283
                              • bind.WSOCK32(00000000,?,00000010), ref: 010512BA
                              • WSAGetLastError.WSOCK32 ref: 010512C5
                              • closesocket.WSOCK32(00000000), ref: 010512F4
                              • listen.WSOCK32(00000000,00000005), ref: 01051303
                              • WSAGetLastError.WSOCK32 ref: 0105130D
                              • closesocket.WSOCK32(00000000), ref: 0105133C
                              Similarity
                              • API ID: ErrorLast$closesocket$bindlistensocket
                              • String ID:
                              • API String ID: 540024437-0
                              • Opcode ID: cae4d2e9538f350e8f9fdc23fdcb886fddb3963f877289bc5ed0b1689bee2ed5
                              • Instruction ID: 6bd6cf47d1d41ae6da3d8f58b29fcfd5446e1f2e5a536ac13f0bd75c587de4d4
                              • Opcode Fuzzy Hash: cae4d2e9538f350e8f9fdc23fdcb886fddb3963f877289bc5ed0b1689bee2ed5
                              • Instruction Fuzzy Hash: 9B41A5716001019FE760DF28C584B2ABBE6BF46314F188189D9968F397C775ED81CBE1
                              APIs
                              • _free.LIBCMT ref: 0100B9D4
                              • _free.LIBCMT ref: 0100B9F8
                              • _free.LIBCMT ref: 0100BB7F
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01073700), ref: 0100BB91
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,010A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0100BC09
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,010A1270,000000FF,?,0000003F,00000000,?), ref: 0100BC36
                              • _free.LIBCMT ref: 0100BD4B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                              • String ID:
                              • API String ID: 314583886-0
                              • Opcode ID: 53f9a02e77945ac70094e2f062c8fbc61480a8da2a3ff6cc275b64eee7c8600e
                              • Instruction ID: bc632d49a6864561bf1d4136d3285093211b28cd03e73c0ed7e9ea0bf3e9c95a
                              • Opcode Fuzzy Hash: 53f9a02e77945ac70094e2f062c8fbc61480a8da2a3ff6cc275b64eee7c8600e
                              • Instruction Fuzzy Hash: DEC12579904209AFFB239F6C8850BEEBBF8EF46210F1441AAD9D4D72C5EB319A41C750
                              APIs
                                • Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2
                                • Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A
                              • FindFirstFileW.KERNEL32(?,?), ref: 0103D420
                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 0103D470
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0103D481
                              • FindClose.KERNEL32(00000000), ref: 0103D498
                              • FindClose.KERNEL32(00000000), ref: 0103D4A1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                              • String ID: \*.*
                              • API String ID: 2649000838-1173974218
                              • Opcode ID: a3eb3ef447e7d2686c36685e1da76d175f3b458ed40e34f0154432163ffaf4a3
                              • Instruction ID: f8a2c329f6c347e5d1c3292750eedae073c95b678d16646283525312ea0b205c
                              • Opcode Fuzzy Hash: a3eb3ef447e7d2686c36685e1da76d175f3b458ed40e34f0154432163ffaf4a3
                              • Instruction Fuzzy Hash: 553180710083419BC311EFA4D9918EFB7EDAE91304F884A1EF4D593291EB29AA09D763
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: __floor_pentium4
                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                              • API String ID: 4168288129-2761157908
                              • Opcode ID: 8645c4c026ade8bb86fcab9077ade6cbf3269ae5d4e726b4c2ac3319c353c8fa
                              • Instruction ID: 01aa5b001b67852e293d4770672c739603a912062382d8945df2a8df8f19695e
                              • Opcode Fuzzy Hash: 8645c4c026ade8bb86fcab9077ade6cbf3269ae5d4e726b4c2ac3319c353c8fa
                              • Instruction Fuzzy Hash: 54C25B71E046298FEB76CE28DD407EAB7B5EB44304F1445EAD58DE7281E778AE818F40
                              APIs
                              • _wcslen.LIBCMT ref: 010464DC
                              • CoInitialize.OLE32(00000000), ref: 01046639
                              • CoCreateInstance.OLE32(0106FCF8,00000000,00000001,0106FB68,?), ref: 01046650
                              • CoUninitialize.OLE32 ref: 010468D4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                              • String ID: .lnk
                              • API String ID: 886957087-24824748
                              • Opcode ID: 770ff7b04fa12457afd9275f8d781dc196aa5a72acb6287cc458275b8fb9dd2c
                              • Instruction ID: a3e33251b70a73d90e4e002b2839a3dc012b42eb9f9258247a73c9c30c2a09be
                              • Opcode Fuzzy Hash: 770ff7b04fa12457afd9275f8d781dc196aa5a72acb6287cc458275b8fb9dd2c
                              • Instruction Fuzzy Hash: 7ED16AB1508301AFD310EF24C88196BB7E9FF89704F44496DF5958B2A1EB71E905CBA2
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                              • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01049B78
                              • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01049C8B
                                • Part of subcall function 01043874: GetInputState.USER32 ref: 010438CB
                                • Part of subcall function 01043874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01043966
                              • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01049BA8
                              • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01049C75
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                              • String ID: *.*
                              • API String ID: 1972594611-438819550
                              • Opcode ID: b534d96892717337a7fb92a004027f068efdd58263be26c9114206c85ec17b51
                              • Instruction ID: 3ed46a6230afd2151efb2499bec2f99cb6a902b37ae10ceacc6ebae57e08e29b
                              • Opcode Fuzzy Hash: b534d96892717337a7fb92a004027f068efdd58263be26c9114206c85ec17b51
                              • Instruction Fuzzy Hash: 6741B1B190020E9FDF54DFA4C985AEE7BF8EF09304F1440B6E985A2290EB319E44CF64
                              APIs
                                • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 00FE9A4E
                              • GetSysColor.USER32(0000000F), ref: 00FE9B23
                              • SetBkColor.GDI32(?,00000000), ref: 00FE9B36
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Color$LongProcWindow
                              • String ID:
                              • API String ID: 3131106179-0
                              • Opcode ID: c9e7560634d675298f5bb6e60cc5bc140cfc63612620c679b50f42c7da806d23
                              • Instruction ID: 50fe7357a8a512e8e93114149e42e3a1089d47edc89b2529df5cf4f490a4f851
                              • Opcode Fuzzy Hash: c9e7560634d675298f5bb6e60cc5bc140cfc63612620c679b50f42c7da806d23
                              • Instruction Fuzzy Hash: 35A14D7110C5A0BEF7389A3E8C48EBF3A9DEF56714F144119F182C6685CAB98D01E371
                              APIs
                                • Part of subcall function 0105304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
                                • Part of subcall function 0105304E: _wcslen.LIBCMT ref: 0105309B
                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0105185D
                              • WSAGetLastError.WSOCK32 ref: 01051884
                              • bind.WSOCK32(00000000,?,00000010), ref: 010518DB
                              • WSAGetLastError.WSOCK32 ref: 010518E6
                              • closesocket.WSOCK32(00000000), ref: 01051915
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                              • String ID:
                              • API String ID: 1601658205-0
                              • Opcode ID: 7fb4898a1d0427d8872c53030e9722397f912825c708b3b8d81768075b5f00c2
                              • Instruction ID: 61f91d1e300eb151520e5d8140a8bcb67db5c724ceb241338f05f4720b2ac74d
                              • Opcode Fuzzy Hash: 7fb4898a1d0427d8872c53030e9722397f912825c708b3b8d81768075b5f00c2
                              • Instruction Fuzzy Hash: 9751B471A00200AFEB20EF24C886F6A77E5AB44718F088099F9459F3C7D779AD41CBE1
                              APIs
                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0104C21E,00000000), ref: 0104CF38
                              • InternetReadFile.WININET(?,00000000,?,?), ref: 0104CF6F
                              • GetLastError.KERNEL32(?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFB4
                              • SetEvent.KERNEL32(?,?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFC8
                              • SetEvent.KERNEL32(?,?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFF2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                              • String ID:
                              • API String ID: 3191363074-0
                              • Opcode ID: 6e2d4027819408efb6acb883ff0b13013f0782ed4e205dda73705e2257f79b7f
                              • Instruction ID: b086ef5dfcb26dfb66ec7399bad82915cdb9e3a546caa9321f874dd2907b71ea
                              • Opcode Fuzzy Hash: 6e2d4027819408efb6acb883ff0b13013f0782ed4e205dda73705e2257f79b7f
                              • Instruction Fuzzy Hash: 53317FB1601205AFFB20DFA9CAC4AAFBBF8EF14210B10447EF586D2101D739AA419B60
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                              • String ID:
                              • API String ID: 292994002-0
                              • Opcode ID: 3e56b25972ef08b2e1a490719495e14bb93a715c99d24ea4261d62b07183b578
                              • Instruction ID: ebf2981708eebd97008696d552f99e13faef89fdffe65a7c345b7ad25a8b491e
                              • Opcode Fuzzy Hash: 3e56b25972ef08b2e1a490719495e14bb93a715c99d24ea4261d62b07183b578
                              • Instruction Fuzzy Hash: E321A3317002055FE7609F1AC844B6E7BE9EFD9325F1980A9E8C6CB355CB76E842CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                              • API String ID: 0-1546025612
                              • Opcode ID: 192ba38198a8c9cb1e85ce42f9d698afb3c011f5dee5118c574f066f44e5d7c2
                              • Instruction ID: fd783ea7e3aa4f714c8c15afa0282784ae64bfd26ab31c23cb88333f00fc1a15
                              • Opcode Fuzzy Hash: 192ba38198a8c9cb1e85ce42f9d698afb3c011f5dee5118c574f066f44e5d7c2
                              • Instruction Fuzzy Hash: F2A26071E0021ACBDF25CF58C8407AEB7B2BF44354F28819AE855AB389DB759D82DF50
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32 ref: 0105A6AC
                              • Process32FirstW.KERNEL32(00000000,?), ref: 0105A6BA
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                              • Process32NextW.KERNEL32(00000000,?), ref: 0105A79C
                              • CloseHandle.KERNEL32(00000000), ref: 0105A7AB
                                • Part of subcall function 00FECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,01013303,?), ref: 00FECE8A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                              • String ID:
                              • API String ID: 1991900642-0
                              • Opcode ID: 5c1a8af65ec1ba5a560afe29283d7d267e700527ac99285f8b0dfbffae6eabd2
                              • Instruction ID: fc991e07acde005aba084862bffa114540eb76c8dd8c06c6d3b8c0b66457e0b8
                              • Opcode Fuzzy Hash: 5c1a8af65ec1ba5a560afe29283d7d267e700527ac99285f8b0dfbffae6eabd2
                              • Instruction Fuzzy Hash: 52518C71608300AFD710EF24CC85A6BBBE9FF89714F04891EF98597291EB34D904DB92
                              APIs
                              • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0103ABF1
                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 0103AC0D
                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 0103AC74
                              • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0103ACC6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: KeyboardState$InputMessagePostSend
                              • String ID:
                              • API String ID: 432972143-0
                              • Opcode ID: 193165305aa3b43e39188de519a2615257efd2876c212a6602e79eb8c4d7d178
                              • Instruction ID: 9dd1878bdabc5d9ed73ff7b1dc56508a41f4d07f91573ae32e669b6efcb5c30c
                              • Opcode Fuzzy Hash: 193165305aa3b43e39188de519a2615257efd2876c212a6602e79eb8c4d7d178
                              • Instruction Fuzzy Hash: F331E330B2461CEFFB358A6988087FE7AADABC9320F08425AE4C5D71D1C37989858B51
                              APIs
                              • lstrlenW.KERNEL32(?,01015222), ref: 0103DBCE
                              • GetFileAttributesW.KERNEL32(?), ref: 0103DBDD
                              • FindFirstFileW.KERNEL32(?,?), ref: 0103DBEE
                              • FindClose.KERNEL32(00000000), ref: 0103DBFA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: FileFind$AttributesCloseFirstlstrlen
                              • String ID:
                              • API String ID: 2695905019-0
                              • Opcode ID: 5636fbe5babc33fd04b1c5df193f8701aa0757787e722d7b48f6947f3cc79c62
                              • Instruction ID: a80e2ed19f3b0f52dad72d31fde7b219afd0fb06a1e6629289c2e7c363d68361
                              • Opcode Fuzzy Hash: 5636fbe5babc33fd04b1c5df193f8701aa0757787e722d7b48f6947f3cc79c62
                              • Instruction Fuzzy Hash: F7F0EC7043051597A2306BBC9D0D46A77AC9E41334B404742F8F5C10F0EBB5995447D5
                              APIs
                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 010382AA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: lstrlen
                              • String ID: ($|
                              • API String ID: 1659193697-1631851259
                              • Opcode ID: 5ba63936c71707dbf1c57fabf31e68e7fbf2996bc34c53ffb91e5a281a84ddd7
                              • Instruction ID: 3738ef1e401efcb0a3ce044447e9a183072cdbd71548fd124967628aac65165d
                              • Opcode Fuzzy Hash: 5ba63936c71707dbf1c57fabf31e68e7fbf2996bc34c53ffb91e5a281a84ddd7
                              • Instruction Fuzzy Hash: 21322575A006059FDB28CF69C480A6AB7F5FF88310B15C5AEE59ADB3A1E770E941CB40
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 01045CC1
                              • FindNextFileW.KERNEL32(00000000,?), ref: 01045D17
                              • FindClose.KERNEL32(?), ref: 01045D5F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Find$File$CloseFirstNext
                              • String ID:
                              • API String ID: 3541575487-0
                              APIs
                              • IsDebuggerPresent.KERNEL32 ref: 0100271A
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01002724
                              • UnhandledExceptionFilter.KERNEL32(?), ref: 01002731
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 010451DA
                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01045238
                              • SetErrorMode.KERNEL32(00000000), ref: 010452A1
                              Similarity
                              • API ID: ErrorMode$DiskFreeSpace
                              • String ID:
                              • API String ID: 1682464887-0
                              APIs
                                • Part of subcall function 00FEFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0668
                                • Part of subcall function 00FEFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0685
                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
                              • GetLastError.KERNEL32 ref: 0103174A
                              Similarity
                              • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                              • String ID:
                              • API String ID: 577356006-0
                              APIs
                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0103D608
                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0103D645
                              • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0103D650
                              Similarity
                              • API ID: CloseControlCreateDeviceFileHandle
                              • String ID:
                              • API String ID: 33631002-0
                              APIs
                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0103168C
                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 010316A1
                              • FreeSid.ADVAPI32(?), ref: 010316B1
                              Similarity
                              • API ID: AllocateCheckFreeInitializeMembershipToken
                              • String ID:
                              • API String ID: 3429775523-0
                              APIs
                              • GetCurrentProcess.KERNEL32(010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000,?,010028E9), ref: 00FF4D09
                              • TerminateProcess.KERNEL32(00000000,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000,?,010028E9), ref: 00FF4D10
                              • ExitProcess.KERNEL32 ref: 00FF4D22
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              Strings
                              Similarity
                              • API ID:
                              • String ID: /
                              • API String ID: 0-2043925204
                              APIs
                              • GetUserNameW.ADVAPI32(?,?), ref: 0102D28C
                              Strings
                              Similarity
                              • API ID: NameUser
                              • String ID: X64
                              • API String ID: 2645101109-893830106
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 01046918
                              • FindClose.KERNEL32(00000000), ref: 01046961
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID:
                              • API String ID: 2295610775-0
                              APIs
                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01054891,?,?,00000035,?), ref: 010437E4
                              • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01054891,?,?,00000035,?), ref: 010437F4
                              Similarity
                              • API ID: ErrorFormatLastMessage
                              • String ID:
                              • API String ID: 3479602957-0
                              APIs
                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0103B25D
                              • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0103B270
                              Similarity
                              • API ID: InputSendkeybd_event
                              • String ID:
                              • API String ID: 3536248340-0
                              APIs
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010311FC), ref: 010310D4
                              • CloseHandle.KERNEL32(?,?,010311FC), ref: 010310E9
                              Similarity
                              • API ID: AdjustCloseHandlePrivilegesToken
                              • String ID:
                              • API String ID: 81990902-0
                              Strings
                              • Variable is not of type 'Object'., xrefs: 01020C40
                              Similarity
                              • API ID:
                              • String ID: Variable is not of type 'Object'.
                              • API String ID: 0-1840281001
                              APIs
                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,01006766,?,?,00000008,?,?,0100FEFE,00000000), ref: 01006998
                              Similarity
                              • API ID: ExceptionRaise
                              • String ID:
                              • API String ID: 3997070919-0
                              Strings
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: 71776bdce07a31d2ea9ba8e4498756646a99d2076ecad04391e8e292dd1b230f
                              • Instruction ID: 7db1adb3b5331bb495decdfa863fe0bc1e92d8dd02ec9553e9aa346f8f2e8c75
                              • Opcode Fuzzy Hash: 71776bdce07a31d2ea9ba8e4498756646a99d2076ecad04391e8e292dd1b230f
                              • Instruction Fuzzy Hash: C1126D75E002299FDB64CF59C8807EEB7F5FF48310F1481AAE849EB255E7349A81DB90
                              APIs
                              • BlockInput.USER32(00000001), ref: 0104EABD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: BlockInput
                              • String ID:
                              • API String ID: 3456056419-0
                              • Opcode ID: 54025ea59407de34651efe8f09bfcdfb05e8182cc7e32413509749a45a110a39
                              • Instruction ID: 4d1aac7f34563379c58b5edebf32929b05adc75eea9791c17a8f02b0563446dc
                              • Opcode Fuzzy Hash: 54025ea59407de34651efe8f09bfcdfb05e8182cc7e32413509749a45a110a39
                              • Instruction Fuzzy Hash: 5CE01A752002059FD710EF59D844E9AB7E9BF98760F048426FD89C7361DA78B8408BA0
                              APIs
                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0103E37E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: mouse_event
                              • String ID:
                              • API String ID: 2434400541-0
                              • Opcode ID: bea9f07d9111ced970e9fef2ae11e3f770ce8fed831e919e95e78262694d6245
                              • Instruction ID: f5bb6715def672c96469aac6b50a97fd8419349b1a6def3e97f7b910dbfd277d
                              • Opcode Fuzzy Hash: bea9f07d9111ced970e9fef2ae11e3f770ce8fed831e919e95e78262694d6245
                              • Instruction Fuzzy Hash: 71D05EF21902017DFABD0A3CCE2FF7A298CE381580F40D789B2C189599DA91A4444021
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FF03EE), ref: 00FF09DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: ba17940a342e1df17bcee826ae40dc776b804be279516fb59e6b21fe1a91d5d6
                              • Instruction ID: 1f02813f8fd5385b5077cc27e466e65b2bec5508b0c3db8b4cf9d54d2827a163
                              • Opcode Fuzzy Hash: ba17940a342e1df17bcee826ae40dc776b804be279516fb59e6b21fe1a91d5d6
                              • Instruction Fuzzy Hash:
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                              • Instruction ID: 5544599811cfa79770dc1e8201303a8d8bad75a87c85acc80163a15476ae8a42
                              • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                              • Instruction Fuzzy Hash: DB514862E0C70D56DB38796888997BFE3959F123E0F280509DB82C72B2C659DE06F355
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1a2e3f57e5c1641b8acfce6e048a3178e8d20b868e7bfa4eb4b9f88fc87ae372
                              • Instruction ID: 24b8b2a91277d4fcbdafa379be8684007cdff0da658c5e8c0854939043b5d9c9
                              • Opcode Fuzzy Hash: 1a2e3f57e5c1641b8acfce6e048a3178e8d20b868e7bfa4eb4b9f88fc87ae372
                              • Instruction Fuzzy Hash: 5C323431D29F414DE7639538C822335B689AFB73C5F15C737E89AB599AEB2ED4834200
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72a607b19cbd2964af8c784064f45735b2c5a98ba77ab0c8923dcec083d23ef3
                              • Instruction ID: 70b038e4bef0bc05348cef1d8273fb8f30093a7e613815df0eacb75598c94ab8
                              • Opcode Fuzzy Hash: 72a607b19cbd2964af8c784064f45735b2c5a98ba77ab0c8923dcec083d23ef3
                              • Instruction Fuzzy Hash: 2C321A31A001E58BFF34CE2DC694A7D7BE1FB45314F2881A6E6D9DB291D234D982DB41
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b0ed4809ed954ef1dbc366d299ddebd18b9bdc04f7cafeca9a92f3454b99d257
                              • Instruction ID: 317fde71dcc11131a820f6772c7c8e0207fac548c400601210bd9a2ae7617dbd
                              • Opcode Fuzzy Hash: b0ed4809ed954ef1dbc366d299ddebd18b9bdc04f7cafeca9a92f3454b99d257
                              • Instruction Fuzzy Hash: A622C270A042099FDF14DF64DC41AAEB7F6FF85300F14462AE852AB395EB3AA914DB50
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 80e4a53c8cc017dc17d4b919c007ca3b65287c886140294e5871a996cfd22ab5
                              • Instruction ID: 0faa497818f2ef4ab7d635ebafa68bba130f5ed522d46faccb1d57dcc2515940
                              • Opcode Fuzzy Hash: 80e4a53c8cc017dc17d4b919c007ca3b65287c886140294e5871a996cfd22ab5
                              • Instruction Fuzzy Hash: A70208B1E00209EBDB05DF64DC81AAEBBB1FF44300F548165E846DB395EB79E910DB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                              • Instruction ID: f2098679692de4a8190f33a787f3f96a71c518a4a0d481fe43ea04d2bc8a21d6
                              • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                              • Instruction Fuzzy Hash: D4918733A080A78ADB29463A857417EFFF16E923B131A079DD5F2CA1E5FE10D954F620
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                              • Instruction ID: f6a8aaabbb977991276218e8b1d81ed9c15d4a5e06c0fdbae832a9987a5e9524
                              • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                              • Instruction Fuzzy Hash: A89143726090A789DB29467A857403EFFE16E923B131A079DD5F2CA1E1FD14C564B620
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c9709589cb8283b9647f1568d198ae612a879dc13ef1dee5fe304c155cce2aa3
                              • Instruction ID: dc02e6e86b2565d12a880328d41a5d04ab8587fe5a3cbf09d84c374eedb58cfd
                              • Opcode Fuzzy Hash: c9709589cb8283b9647f1568d198ae612a879dc13ef1dee5fe304c155cce2aa3
                              • Instruction Fuzzy Hash: 1C618B32A0C70D96EA34792C8C95BBEF394DF82364F100959EB42CB2B5D9599E43F315
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 11553f0c69f3b7b1bc255ed1dddd193d7fbcf316b7b9f37a820e80550faccee2
                              • Instruction ID: dc47338a7b956606dc2dd45e7da18ba914708ae38f93af1ad1c4332aa14c5062
                              • Opcode Fuzzy Hash: 11553f0c69f3b7b1bc255ed1dddd193d7fbcf316b7b9f37a820e80550faccee2
                              • Instruction Fuzzy Hash: 87619A32E0870D52DE3879285C91BBFF388DF42764F90085AEB42DB2B1DA56AD42F315
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                              • Instruction ID: 90993b1cc7899954c10c90672605173a2062aa95cfd0c6962a9596a3e2b8d29c
                              • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                              • Instruction Fuzzy Hash: 98818533A080A789EB2D423A857403EFFE17E923B131A079DD5F6CB1E1EE649554F660
                              Memory Dump Source
                              • Source File: 00000000.00000002.2066526599.0000000004170000.00000040.00000020.00020000.00000000.sdmp, Offset: 04170000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4170000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                              • Instruction ID: d6f61e5b62d249594afb319eea1d08c337a5f1bd43bf3ee6bb7caa93513b83fc
                              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                              • Instruction Fuzzy Hash: 1C41D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7c95f7cf2df7b625a7b0573be3ced746f1f61936de28eeccd6f9f451b6549263
                              • Instruction ID: 4f67654b7a043678e26b65c3e2c5e2f829bae330111f77e0e1c4c20638664efc
                              • Opcode Fuzzy Hash: 7c95f7cf2df7b625a7b0573be3ced746f1f61936de28eeccd6f9f451b6549263
                              • Instruction Fuzzy Hash: 7221D5723216158BD728CE79C82267A73E5A754210F54863EF4E7C77C1DE3AA904CB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.2066526599.0000000004170000.00000040.00000020.00020000.00000000.sdmp, Offset: 04170000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4170000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                              • Instruction ID: 13962bc4960cacd914244caedd925c07e9b6ca01f3655ab9ec21f3169ec00d5b
                              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                              • Instruction Fuzzy Hash: 86014078A01109EFCB58DF98C5909AEF7B5FB48210F208599DC19A7745D731AE41EB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2066526599.0000000004170000.00000040.00000020.00020000.00000000.sdmp, Offset: 04170000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4170000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                              • Instruction ID: e1e66655f3e786ddca9b46e8fc7855c95007d47e69c7530341c382e00426dd38
                              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                              • Instruction Fuzzy Hash: A8019278A0020DEFCB48DF98C5909AEF7B5FB48310F208599DC19A7301D730AE42EB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.2066526599.0000000004170000.00000040.00000020.00020000.00000000.sdmp, Offset: 04170000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4170000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                              APIs
                              • DeleteObject.GDI32(00000000), ref: 01052B30
                              • DeleteObject.GDI32(00000000), ref: 01052B43
                              • DestroyWindow.USER32 ref: 01052B52
                              • GetDesktopWindow.USER32 ref: 01052B6D
                              • GetWindowRect.USER32(00000000), ref: 01052B74
                              • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01052CA3
                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01052CB1
                              • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052CF8
                              • GetClientRect.USER32(00000000,?), ref: 01052D04
                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01052D40
                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D62
                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D75
                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D80
                              • GlobalLock.KERNEL32(00000000), ref: 01052D89
                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D98
                              • GlobalUnlock.KERNEL32(00000000), ref: 01052DA1
                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DA8
                              • GlobalFree.KERNEL32(00000000), ref: 01052DB3
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DC5
                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,0106FC38,00000000), ref: 01052DDB
                              • GlobalFree.KERNEL32(00000000), ref: 01052DEB
                              • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01052E11
                              • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01052E30
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052E52
                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0105303F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                              • String ID: $AutoIt v3$DISPLAY$static
                              • API String ID: 2211948467-2373415609
                              • Opcode ID: b298e345b099385fc7e3b7562d9cdc17a4e6a52c2a00a8c74cca2ae9e3550d9f
                              • Instruction ID: 9b77dd510a6a82686d86d67bb73d1fa96cca34699dccd04ebc3eaefa7b5c80cf
                              • Opcode Fuzzy Hash: b298e345b099385fc7e3b7562d9cdc17a4e6a52c2a00a8c74cca2ae9e3550d9f
                              • Instruction Fuzzy Hash: 75028E71500205EFEB24DF64DD89EAE7BB9FF48310F048159F995AB2A5C779AD00CB60
                              APIs
                              • SetTextColor.GDI32(?,00000000), ref: 0106712F
                              • GetSysColorBrush.USER32(0000000F), ref: 01067160
                              • GetSysColor.USER32(0000000F), ref: 0106716C
                              • SetBkColor.GDI32(?,000000FF), ref: 01067186
                              • SelectObject.GDI32(?,?), ref: 01067195
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 010671C0
                              • GetSysColor.USER32(00000010), ref: 010671C8
                              • CreateSolidBrush.GDI32(00000000), ref: 010671CF
                              • FrameRect.USER32(?,?,00000000), ref: 010671DE
                              • DeleteObject.GDI32(00000000), ref: 010671E5
                              • InflateRect.USER32(?,000000FE,000000FE), ref: 01067230
                              • FillRect.USER32(?,?,?), ref: 01067262
                              • GetWindowLongW.USER32(?,000000F0), ref: 01067284
                                • Part of subcall function 010673E8: GetSysColor.USER32(00000012), ref: 01067421
                                • Part of subcall function 010673E8: SetTextColor.GDI32(?,?), ref: 01067425
                                • Part of subcall function 010673E8: GetSysColorBrush.USER32(0000000F), ref: 0106743B
                                • Part of subcall function 010673E8: GetSysColor.USER32(0000000F), ref: 01067446
                                • Part of subcall function 010673E8: GetSysColor.USER32(00000011), ref: 01067463
                                • Part of subcall function 010673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01067471
                                • Part of subcall function 010673E8: SelectObject.GDI32(?,00000000), ref: 01067482
                                • Part of subcall function 010673E8: SetBkColor.GDI32(?,00000000), ref: 0106748B
                                • Part of subcall function 010673E8: SelectObject.GDI32(?,?), ref: 01067498
                                • Part of subcall function 010673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010674B7
                                • Part of subcall function 010673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010674CE
                                • Part of subcall function 010673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010674DB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                              • String ID:
                              • API String ID: 4124339563-0
                              • Opcode ID: a7e774b8a409bbf8565b753b3a74a2934e470d064139d1605aed6c1d617b43b5
                              • Instruction ID: 8da13c21c10b3f6e4d728019516f6136fe5dcbbb2e1b427b7f13b812474e4751
                              • Opcode Fuzzy Hash: a7e774b8a409bbf8565b753b3a74a2934e470d064139d1605aed6c1d617b43b5
                              • Instruction Fuzzy Hash: 3EA18072008301EFE7219F64DD48A5B7BE9FB49324F100A19FAE2961E4D77AD944CB51
                              APIs
                              • DestroyWindow.USER32(?,?), ref: 00FE8E14
                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 01026AC5
                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01026AFE
                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01026F43
                                • Part of subcall function 00FE8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FE8BE8,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8FC5
                              • SendMessageW.USER32(?,00001053), ref: 01026F7F
                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01026F96
                              • ImageList_Destroy.COMCTL32(00000000,?), ref: 01026FAC
                              • ImageList_Destroy.COMCTL32(00000000,?), ref: 01026FB7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                              • String ID: 0
                              • API String ID: 2760611726-4108050209
                              • Opcode ID: ab4f3fedc18391296773d8f8d45b0fc9016b28a71bf6f8926ae9ba1ed94eb7ed
                              • Instruction ID: 21859283a6d864f675cad6f2e71377f5ca167c457d49190ab5b78ce7b56a31cb
                              • Opcode Fuzzy Hash: ab4f3fedc18391296773d8f8d45b0fc9016b28a71bf6f8926ae9ba1ed94eb7ed
                              • Instruction Fuzzy Hash: 2012E130500261EFEB65EF18C944BAABBE5FF44300F5440A9F9D98B251CB37E892DB91
                              APIs
                              • DestroyWindow.USER32(00000000), ref: 0105273E
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0105286A
                              • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010528A9
                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010528B9
                              • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01052900
                              • GetClientRect.USER32(00000000,?), ref: 0105290C
                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01052955
                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01052964
                              • GetStockObject.GDI32(00000011), ref: 01052974
                              • SelectObject.GDI32(00000000,00000000), ref: 01052978
                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01052988
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01052991
                              • DeleteDC.GDI32(00000000), ref: 0105299A
                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010529C6
                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 010529DD
                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01052A1D
                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01052A31
                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 01052A42
                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01052A77
                              • GetStockObject.GDI32(00000011), ref: 01052A82
                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01052A8D
                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01052A97
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                              • API String ID: 2910397461-517079104
                              • Opcode ID: 012b8629689e56df49f105a73240deaabfec823fb1038365e50160bad4d3f2ac
                              • Instruction ID: b0cabe63f3f54d8e32ccda6f9547ad5010c9e16992c3cb2e97d3c8536ea89e44
                              • Opcode Fuzzy Hash: 012b8629689e56df49f105a73240deaabfec823fb1038365e50160bad4d3f2ac
                              • Instruction Fuzzy Hash: F2B16EB2A00215AFEB24DFA8DD45FAF7BA9EF08710F048155F994EB290D779AD40CB50
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 01044AED
                              • GetDriveTypeW.KERNEL32(?,0106CB68,?,\\.\,0106CC08), ref: 01044BCA
                              • SetErrorMode.KERNEL32(00000000,0106CB68,?,\\.\,0106CC08), ref: 01044D36
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ErrorMode$DriveType
                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                              • API String ID: 2907320926-4222207086
                              • Opcode ID: bafaf5ae0f301ec0c5d913debbda7c19ca23a941fd2e8f2e3e0642e5a1454132
                              • Instruction ID: cfaef0f1c7f03ea917a6479f34bb3816c143fe7d9ceacac0f51f1a388583ad93
                              • Opcode Fuzzy Hash: bafaf5ae0f301ec0c5d913debbda7c19ca23a941fd2e8f2e3e0642e5a1454132
                              • Instruction Fuzzy Hash: FF61D5B0A0410ADBCF44EF68CAD1A7C77E2AB04241B18406AF8D6EF251DB76DD85EB45
                              APIs
                              • GetSysColor.USER32(00000012), ref: 01067421
                              • SetTextColor.GDI32(?,?), ref: 01067425
                              • GetSysColorBrush.USER32(0000000F), ref: 0106743B
                              • GetSysColor.USER32(0000000F), ref: 01067446
                              • CreateSolidBrush.GDI32(?), ref: 0106744B
                              • GetSysColor.USER32(00000011), ref: 01067463
                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 01067471
                              • SelectObject.GDI32(?,00000000), ref: 01067482
                              • SetBkColor.GDI32(?,00000000), ref: 0106748B
                              • SelectObject.GDI32(?,?), ref: 01067498
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 010674B7
                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010674CE
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 010674DB
                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0106752A
                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01067554
                              • InflateRect.USER32(?,000000FD,000000FD), ref: 01067572
                              • DrawFocusRect.USER32(?,?), ref: 0106757D
                              • GetSysColor.USER32(00000011), ref: 0106758E
                              • SetTextColor.GDI32(?,00000000), ref: 01067596
                              • DrawTextW.USER32(?,010670F5,000000FF,?,00000000), ref: 010675A8
                              • SelectObject.GDI32(?,?), ref: 010675BF
                              • DeleteObject.GDI32(?), ref: 010675CA
                              • SelectObject.GDI32(?,?), ref: 010675D0
                              • DeleteObject.GDI32(?), ref: 010675D5
                              • SetTextColor.GDI32(?,?), ref: 010675DB
                              • SetBkColor.GDI32(?,?), ref: 010675E5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                              • String ID:
                              • API String ID: 1996641542-0
                              • Opcode ID: c957f1a7d87401cee8eeed7dde5f4ceb4a766829ae94742d7bf5415a0df83d5a
                              • Instruction ID: 8e78d7ad5342581a897270f0432aa8f6843bdaaab09612780098533d301358aa
                              • Opcode Fuzzy Hash: c957f1a7d87401cee8eeed7dde5f4ceb4a766829ae94742d7bf5415a0df83d5a
                              • Instruction Fuzzy Hash: A7618172900218AFEF119FA4DD48EEE7FB9EF09320F104151FA91AB2A1D7799940CF90
                              APIs
                              • GetCursorPos.USER32(?), ref: 01061128
                              • GetDesktopWindow.USER32 ref: 0106113D
                              • GetWindowRect.USER32(00000000), ref: 01061144
                              • GetWindowLongW.USER32(?,000000F0), ref: 01061199
                              • DestroyWindow.USER32(?), ref: 010611B9
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010611ED
                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0106120B
                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0106121D
                              • SendMessageW.USER32(00000000,00000421,?,?), ref: 01061232
                              • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01061245
                              • IsWindowVisible.USER32(00000000), ref: 010612A1
                              • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010612BC
                              • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010612D0
                              • GetWindowRect.USER32(00000000,?), ref: 010612E8
                              • MonitorFromPoint.USER32(?,?,00000002), ref: 0106130E
                              • GetMonitorInfoW.USER32(00000000,?), ref: 01061328
                              • CopyRect.USER32(?,?), ref: 0106133F
                              • SendMessageW.USER32(00000000,00000412,00000000), ref: 010613AA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                              • String ID: ($0$tooltips_class32
                              • API String ID: 698492251-4156429822
                              • Opcode ID: 69baf75ee4878a0067be2de018a4ee51aeb96b612f08853d38c5a71045a34dc8
                              • Instruction ID: d6cac30011fa5b3781491f003455b88b33fa9e297ab5b86eb59f99e050780ed8
                              • Opcode Fuzzy Hash: 69baf75ee4878a0067be2de018a4ee51aeb96b612f08853d38c5a71045a34dc8
                              • Instruction Fuzzy Hash: F7B1AE71604341AFE750DF64C984B6ABBE9FF88310F048919F9D99B261C775E804CB91
                              APIs
                              • CharUpperBuffW.USER32(?,?), ref: 010602E5
                              • _wcslen.LIBCMT ref: 0106031F
                              • _wcslen.LIBCMT ref: 01060389
                              • _wcslen.LIBCMT ref: 010603F1
                              • _wcslen.LIBCMT ref: 01060475
                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010604C5
                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01060504
                                • Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD
                                • Part of subcall function 0103223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01032258
                                • Part of subcall function 0103223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0103228A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _wcslen$MessageSend$BuffCharUpper
                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                              • API String ID: 1103490817-719923060
                              • Opcode ID: 03149422caeb50688d55b9c89416bce381f9dc2a9f75a7a0cebacd6b1c248991
                              • Instruction ID: 847077ee51822df20cdf0df127a12e3f7135d37732e26d49e1a9049acdcab4f2
                              • Opcode Fuzzy Hash: 03149422caeb50688d55b9c89416bce381f9dc2a9f75a7a0cebacd6b1c248991
                              • Instruction Fuzzy Hash: 23E1C1322542418FCB14DF28C85093EB7EABF88314B14899DF8D69B3AADB34ED45CB41
                              APIs
                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FE8968
                              • GetSystemMetrics.USER32(00000007), ref: 00FE8970
                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FE899B
                              • GetSystemMetrics.USER32(00000008), ref: 00FE89A3
                              • GetSystemMetrics.USER32(00000004), ref: 00FE89C8
                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FE89E5
                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FE89F5
                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FE8A28
                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FE8A3C
                              • GetClientRect.USER32(00000000,000000FF), ref: 00FE8A5A
                              • GetStockObject.GDI32(00000011), ref: 00FE8A76
                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FE8A81
                                • Part of subcall function 00FE912D: GetCursorPos.USER32(?), ref: 00FE9141
                                • Part of subcall function 00FE912D: ScreenToClient.USER32(00000000,?), ref: 00FE915E
                                • Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000001), ref: 00FE9183
                                • Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000002), ref: 00FE919D
                              • SetTimer.USER32(00000000,00000000,00000028,00FE90FC), ref: 00FE8AA8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                              • String ID: AutoIt v3 GUI
                              • API String ID: 1458621304-248962490
                              • Opcode ID: 41591dc252b8f99cbf291be572749b02313d5a5241040665d5b18419ee7e8c19
                              • Instruction ID: 41490ee076fb3da37e1ba7acbfe40458069257e9faec2b6a7bd32e07b6e2ca8d
                              • Opcode Fuzzy Hash: 41591dc252b8f99cbf291be572749b02313d5a5241040665d5b18419ee7e8c19
                              • Instruction Fuzzy Hash: E6B1A075A0024AAFDF14DFA8DD45BAE3BB4FB48310F004229FA95A7294DB79D941CF50
                              APIs
                                • Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
                                • Part of subcall function 010310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
                                • Part of subcall function 010310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
                                • Part of subcall function 010310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
                                • Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D
                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01030DF5
                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01030E29
                              • GetLengthSid.ADVAPI32(?), ref: 01030E40
                              • GetAce.ADVAPI32(?,00000000,?), ref: 01030E7A
                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01030E96
                              • GetLengthSid.ADVAPI32(?), ref: 01030EAD
                              • GetProcessHeap.KERNEL32(00000008,00000008), ref: 01030EB5
                              • HeapAlloc.KERNEL32(00000000), ref: 01030EBC
                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 01030EDD
                              • CopySid.ADVAPI32(00000000), ref: 01030EE4
                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01030F13
                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01030F35
                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 01030F47
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F6E
                              • HeapFree.KERNEL32(00000000), ref: 01030F75
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F7E
                              • HeapFree.KERNEL32(00000000), ref: 01030F85
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F8E
                              • HeapFree.KERNEL32(00000000), ref: 01030F95
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 01030FA1
                              • HeapFree.KERNEL32(00000000), ref: 01030FA8
                                • Part of subcall function 01031193: GetProcessHeap.KERNEL32(00000008,01030BB1,?,00000000,?,01030BB1,?), ref: 010311A1
                                • Part of subcall function 01031193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01030BB1,?), ref: 010311A8
                                • Part of subcall function 01031193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01030BB1,?), ref: 010311B7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                              • String ID:
                              • API String ID: 4175595110-0
                              • Opcode ID: 702ca66c9a2a8f01bc8cae3c0c93fcf803ec147bf6671a5ca34ff184eb63c867
                              • Instruction ID: ac70894b7f71885295e8db43a5edd818989a79e8ed9ba1056220e8e878cfd0f2
                              • Opcode Fuzzy Hash: 702ca66c9a2a8f01bc8cae3c0c93fcf803ec147bf6671a5ca34ff184eb63c867
                              • Instruction Fuzzy Hash: 94717D7290120AAFEF209FA8DD44FEEBBBCBF46300F044155FA99E6194D7359905CB60
                              APIs
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105C4BD
                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0106CC08,00000000,?,00000000,?,?), ref: 0105C544
                              • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0105C5A4
                              • _wcslen.LIBCMT ref: 0105C5F4
                              • _wcslen.LIBCMT ref: 0105C66F
                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0105C6B2
                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0105C7C1
                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0105C84D
                              • RegCloseKey.ADVAPI32(?), ref: 0105C881
                              • RegCloseKey.ADVAPI32(00000000), ref: 0105C88E
                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0105C960
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                              • API String ID: 9721498-966354055
                              • Opcode ID: e582e8812b00c352a0690a9c9a5c6b66d26d07b561654728a24791ad0591698a
                              • Instruction ID: 59057bb9cb61483ffeb1a057f444c47820baa0703fec2e80c740737b15a4a1c5
                              • Opcode Fuzzy Hash: e582e8812b00c352a0690a9c9a5c6b66d26d07b561654728a24791ad0591698a
                              • Instruction Fuzzy Hash: 58125C356043019FE754DF18C981B2AB7E5EF88714F08889DF98A9B3A2DB35ED41DB81
                              APIs
                              • CharUpperBuffW.USER32(?,?), ref: 010609C6
                              • _wcslen.LIBCMT ref: 01060A01
                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01060A54
                              • _wcslen.LIBCMT ref: 01060A8A
                              • _wcslen.LIBCMT ref: 01060B06
                              • _wcslen.LIBCMT ref: 01060B81
                                • Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD
                                • Part of subcall function 01032BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01032BFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _wcslen$MessageSend$BuffCharUpper
                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                              • API String ID: 1103490817-4258414348
                              • Opcode ID: 20da5db7dd9c3565ff92320b3d7dc691928e7c7ba8647c1575e3d53f94252eb4
                              • Instruction ID: a0a25b00d1f9e5556df84346574735ccf133f36db106403c23cebda246eae950
                              • Opcode Fuzzy Hash: 20da5db7dd9c3565ff92320b3d7dc691928e7c7ba8647c1575e3d53f94252eb4
                              • Instruction Fuzzy Hash: 54E1AF322483018FCB14EF29C85096EB7E6BF98354B048A9DF8D69B366D735ED45CB81
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _wcslen$BuffCharUpper
                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                              • API String ID: 1256254125-909552448
                              • Opcode ID: 1c6bb14ccbd5e4042b39d3dde9fab7c3a8aae7d6cb4af9f7c7dc04268749db2d
                              • Instruction ID: 1fb0249d2e73d02096c703647264d4d3a506943e1761f9eadcc8db54e42e8096
                              • Opcode Fuzzy Hash: 1c6bb14ccbd5e4042b39d3dde9fab7c3a8aae7d6cb4af9f7c7dc04268749db2d
                              • Instruction Fuzzy Hash: 4871053360022A8BEFA1DE6CCE505BF3BD9AF50654F140168FCD297286E635CD44E7A0
                              APIs
                              • _wcslen.LIBCMT ref: 0106835A
                              • _wcslen.LIBCMT ref: 0106836E
                              • _wcslen.LIBCMT ref: 01068391
                              • _wcslen.LIBCMT ref: 010683B4
                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010683F2
                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01065BF2), ref: 0106844E
                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01068487
                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010684CA
                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01068501
                              • FreeLibrary.KERNEL32(?), ref: 0106850D
                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0106851D
                              • DestroyIcon.USER32(?,?,?,?,?,01065BF2), ref: 0106852C
                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01068549
                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01068555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                              • String ID: .dll$.exe$.icl
                              • API String ID: 799131459-1154884017
                              • Opcode ID: 94b7ae3f8f264c1053f4565b0ffb5bc597a0200c227bba9868062ac86299d2fd
                              • Instruction ID: 44eb02f3ced6b39efe73b25b60a81a4ef62f1dd783f3b0ea91d8aad2b5696b58
                              • Opcode Fuzzy Hash: 94b7ae3f8f264c1053f4565b0ffb5bc597a0200c227bba9868062ac86299d2fd
                              • Instruction Fuzzy Hash: CB61E271540319BAEB24DF64CC41BBF77ACBF08710F10864AF995DA1D1DBB9AA80D7A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                              • API String ID: 0-1645009161
                              • Opcode ID: 310269f522be1bafef09db0db34866baeeddec1c585e9fdff9cee2eef16fee55
                              • Instruction ID: dd11e5ed71e435b8aae832455fc88c422948806204761bce0584e702a4dd8a6f
                              • Opcode Fuzzy Hash: 310269f522be1bafef09db0db34866baeeddec1c585e9fdff9cee2eef16fee55
                              • Instruction Fuzzy Hash: B9811771A04305BBDB21BF64DC42FBE3BA9AF45300F084426F945AE256FB78D901E791
                              APIs
                              • LoadIconW.USER32(00000063), ref: 01035A2E
                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01035A40
                              • SetWindowTextW.USER32(?,?), ref: 01035A57
                              • GetDlgItem.USER32(?,000003EA), ref: 01035A6C
                              • SetWindowTextW.USER32(00000000,?), ref: 01035A72
                              • GetDlgItem.USER32(?,000003E9), ref: 01035A82
                              • SetWindowTextW.USER32(00000000,?), ref: 01035A88
                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 01035AA9
                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 01035AC3
                              • GetWindowRect.USER32(?,?), ref: 01035ACC
                              • _wcslen.LIBCMT ref: 01035B33
                              • SetWindowTextW.USER32(?,?), ref: 01035B6F
                              • GetDesktopWindow.USER32 ref: 01035B75
                              • GetWindowRect.USER32(00000000), ref: 01035B7C
                              • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01035BD3
                              • GetClientRect.USER32(?,?), ref: 01035BE0
                              • PostMessageW.USER32(?,00000005,00000000,?), ref: 01035C05
                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01035C2F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                              • String ID:
                              • API String ID: 895679908-0
                              • Opcode ID: 113402875e02e104cd8f5a1eed3da1268f02e1da423e8116e87155fe975016fc
                              • Instruction ID: b2f1008970219e2be72f684e72127cab97b2ff0df8c440435f1442c60cd2b07b
                              • Opcode Fuzzy Hash: 113402875e02e104cd8f5a1eed3da1268f02e1da423e8116e87155fe975016fc
                              • Instruction Fuzzy Hash: 03717F31900709AFDB24DFA8CE85AAEBBF9FF88704F104558E5C2A25A4D779E940CF50
                              APIs
                              • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FF00C6
                                • Part of subcall function 00FF00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(010A070C,00000FA0,51ADDD29,?,?,?,?,010123B3,000000FF), ref: 00FF011C
                                • Part of subcall function 00FF00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,010123B3,000000FF), ref: 00FF0127
                                • Part of subcall function 00FF00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,010123B3,000000FF), ref: 00FF0138
                                • Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FF014E
                                • Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FF015C
                                • Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FF016A
                                • Part of subcall function 00FF00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FF0195
                                • Part of subcall function 00FF00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FF01A0
                              • ___scrt_fastfail.LIBCMT ref: 00FF00E7
                                • Part of subcall function 00FF00A3: __onexit.LIBCMT ref: 00FF00A9
                              Strings
                              • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FF0122
                              • SleepConditionVariableCS, xrefs: 00FF0154
                              • InitializeConditionVariable, xrefs: 00FF0148
                              • WakeAllConditionVariable, xrefs: 00FF0162
                              • kernel32.dll, xrefs: 00FF0133
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                              • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                              • API String ID: 66158676-1714406822
                              • Opcode ID: eae3c32527f0dbe6551159c1c393ca96b6560d3ea3fdaba258cfade685f6a03a
                              • Instruction ID: 4c5f070fd86c93ff83d2e660dae58817f1397c531e44ce5170d22ef8fd53fe0f
                              • Opcode Fuzzy Hash: eae3c32527f0dbe6551159c1c393ca96b6560d3ea3fdaba258cfade685f6a03a
                              • Instruction Fuzzy Hash: 26213E32E45719ABE7306BA5AD05B7E3799EF05B60F00012AF9C1AB265DF799C009B50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _wcslen
                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                              • API String ID: 176396367-1603158881
                              • Opcode ID: cb1c7a7c7eb0ac5628ad9e20d27ee0ed61f66e6120bd5e4a89971c95b3defbdc
                              • Instruction ID: 66f52825b4d4eb2556f94318b223c249ab64bcb22e0424c09669a07da256d8a3
                              • Opcode Fuzzy Hash: cb1c7a7c7eb0ac5628ad9e20d27ee0ed61f66e6120bd5e4a89971c95b3defbdc
                              • Instruction Fuzzy Hash: 9BE10632A001169BCF199F68C8917FEFBB8BF84710F14815AE5D6EB241DF30A945DB90
                              APIs
                              • CharLowerBuffW.USER32(00000000,00000000,0106CC08), ref: 01044527
                              • _wcslen.LIBCMT ref: 0104453B
                              • _wcslen.LIBCMT ref: 01044599
                              • _wcslen.LIBCMT ref: 010445F4
                              • _wcslen.LIBCMT ref: 0104463F
                              • _wcslen.LIBCMT ref: 010446A7
                                • Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD
                              • GetDriveTypeW.KERNEL32(?,01096BF0,00000061), ref: 01044743
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _wcslen$BuffCharDriveLowerType
                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                              • API String ID: 2055661098-1000479233
                              • Opcode ID: 373dc7b2df3e4d5f7a4dedbfd6fcc2656b9688c630b6e54a63389acd5afc9642
                              • Instruction ID: 3897bfe768af297ce158af8cb069bb4f11746d9a6f5dfe128e48b595aade8441
                              • Opcode Fuzzy Hash: 373dc7b2df3e4d5f7a4dedbfd6fcc2656b9688c630b6e54a63389acd5afc9642
                              • Instruction Fuzzy Hash: 35B1FEB16083029BC710DF28C8D0A6EB7E5BF99760F44496DF5D6C7292E734D845CBA2
                              APIs
                              • _wcslen.LIBCMT ref: 0105B198
                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0105B1B0
                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0105B1D4
                              • _wcslen.LIBCMT ref: 0105B200
                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105B214
                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105B236
                              • _wcslen.LIBCMT ref: 0105B332
                                • Part of subcall function 010405A7: GetStdHandle.KERNEL32(000000F6), ref: 010405C6
                              • _wcslen.LIBCMT ref: 0105B34B
                              • _wcslen.LIBCMT ref: 0105B366
                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0105B3B6
                              • GetLastError.KERNEL32(00000000), ref: 0105B407
                              • CloseHandle.KERNEL32(?), ref: 0105B439
                              • CloseHandle.KERNEL32(00000000), ref: 0105B44A
                              • CloseHandle.KERNEL32(00000000), ref: 0105B45C
                              • CloseHandle.KERNEL32(00000000), ref: 0105B46E
                              • CloseHandle.KERNEL32(?), ref: 0105B4E3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                              • String ID:
                              • API String ID: 2178637699-0
                              • Opcode ID: 11a9ba8c28c3cadbce9f43591c9ca9398a5945d32f5eca39165d50a136805213
                              • Instruction ID: e278f3b778e2b693059f0bca699bd4089db9f516256ab12c1244da96791a6096
                              • Opcode Fuzzy Hash: 11a9ba8c28c3cadbce9f43591c9ca9398a5945d32f5eca39165d50a136805213
                              • Instruction Fuzzy Hash: B2F19D716043409FD764EF28C881B6FBBE6AF85310F18855EF9D59B2A2DB35E804CB52
                              APIs
                              • GetMenuItemCount.USER32(010A1990), ref: 01012F8D
                              • GetMenuItemCount.USER32(010A1990), ref: 0101303D
                              • GetCursorPos.USER32(?), ref: 01013081
                              • SetForegroundWindow.USER32(00000000), ref: 0101308A
                              • TrackPopupMenuEx.USER32(010A1990,00000000,?,00000000,00000000,00000000), ref: 0101309D
                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 010130A9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                              • String ID: 0
                              • API String ID: 36266755-4108050209
                              • Opcode ID: 5f2aeaac9e9ca696e6b89aa38991d48d9d5ab56f14979e9a2abc6c85f55628f9
                              • Instruction ID: 6cfa76654f6a1f831faecb9aaea601050190b2bc413876d748d78d9f3ce0db24
                              • Opcode Fuzzy Hash: 5f2aeaac9e9ca696e6b89aa38991d48d9d5ab56f14979e9a2abc6c85f55628f9
                              • Instruction Fuzzy Hash: 25714B31640209BEFB319F28CC49FAABFA9FF05324F244217F6946A2D4C7B5A850DB51
                              APIs
                              • DestroyWindow.USER32(?,?), ref: 01066DEB
                                • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01066E5F
                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01066E81
                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01066E94
                              • DestroyWindow.USER32(?), ref: 01066EB5
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FD0000,00000000), ref: 01066EE4
                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01066EFD
                              • GetDesktopWindow.USER32 ref: 01066F16
                              • GetWindowRect.USER32(00000000), ref: 01066F1D
                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01066F35
                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01066F4D
                                • Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952
                              Similarity
                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                              • String ID: 0$tooltips_class32
                              • API String ID: 2429346358-3619404913
                              • Opcode ID: 425636902746d9bb75210c8a1f41bcc4c1ed97d79adbc6c06adcb4f216309c0d
                              • Instruction ID: 7dc5190c4b6550edc25dd9f1593d53c40e546bfd0c9db9639aeb50c85c65af19
                              • Opcode Fuzzy Hash: 425636902746d9bb75210c8a1f41bcc4c1ed97d79adbc6c06adcb4f216309c0d
                              • Instruction Fuzzy Hash: B8717670104244AFEB21CF1CC844EAABBE9FB89304F84045EFADA87261C776E906DB15
                              APIs
                                • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                              • DragQueryPoint.SHELL32(?,?), ref: 01069147
                                • Part of subcall function 01067674: ClientToScreen.USER32(?,?), ref: 0106769A
                                • Part of subcall function 01067674: GetWindowRect.USER32(?,?), ref: 01067710
                                • Part of subcall function 01067674: PtInRect.USER32(?,?,01068B89), ref: 01067720
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 010691B0
                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010691BB
                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010691DE
                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 01069225
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0106923E
                              • SendMessageW.USER32(?,000000B1,?,?), ref: 01069255
                              • SendMessageW.USER32(?,000000B1,?,?), ref: 01069277
                              • DragFinish.SHELL32(?), ref: 0106927E
                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01069371
                              Similarity
                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                              • API String ID: 221274066-3440237614
                              • Opcode ID: 7d2a8afae115f81893474596dbdb97d5cfb7de4911806192281b1de2e1c03bc2
                              • Instruction ID: 08a3cc4d85e15daa0544c5205a7a6b72b7feb42fc46311021e80bffcce3216e4
                              • Opcode Fuzzy Hash: 7d2a8afae115f81893474596dbdb97d5cfb7de4911806192281b1de2e1c03bc2
                              • Instruction Fuzzy Hash: A5618871108302AFD701DFA0DC85DAFBBE9EF88750F40091EF5D5922A0DB759A48CB62
                              APIs
                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0104C4B0
                              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0104C4C3
                              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0104C4D7
                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0104C4F0
                              • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0104C533
                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0104C549
                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0104C554
                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0104C584
                              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0104C5DC
                              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0104C5F0
                              • InternetCloseHandle.WININET(00000000), ref: 0104C5FB
                              Similarity
                              • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                              • String ID:
                              • API String ID: 3800310941-3916222277
                              • Opcode ID: 133f62c79c8051774763b1ff7d9784254f43eef04b1090390cdbee67f52394bf
                              • Instruction ID: 2c5e97e0db1465ef6c33940033df444e73322b13ffa59dcbfa0f3245b9d19c04
                              • Opcode Fuzzy Hash: 133f62c79c8051774763b1ff7d9784254f43eef04b1090390cdbee67f52394bf
                              • Instruction Fuzzy Hash: DF513FB1501605BFFB219F65CA88AAF7BFCFF08754F008429F9C696150DB39E9449BA0
                              APIs
                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 01068592
                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685A2
                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685AD
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685BA
                              • GlobalLock.KERNEL32(00000000), ref: 010685C8
                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685D7
                              • GlobalUnlock.KERNEL32(00000000), ref: 010685E0
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685E7
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010685F8
                              • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0106FC38,?), ref: 01068611
                              • GlobalFree.KERNEL32(00000000), ref: 01068621
                              • GetObjectW.GDI32(?,00000018,?), ref: 01068641
                              • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01068671
                              • DeleteObject.GDI32(?), ref: 01068699
                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010686AF
                              Similarity
                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                              • String ID:
                              • API String ID: 3840717409-0
                              • Opcode ID: 2afcfd496e45bcedcbbc5e9e2a9571e3039aa916ea6a9778ef31fd26513e416c
                              • Instruction ID: 381731c07dbf9b1b6bd5ef29cf878481826be3b9ae0c107988d71b44e5bafb2e
                              • Opcode Fuzzy Hash: 2afcfd496e45bcedcbbc5e9e2a9571e3039aa916ea6a9778ef31fd26513e416c
                              • Instruction Fuzzy Hash: DF412B75600205AFEB219FA9CD48EAE7BBCEF89711F008059F989EB264D7359901CB20
                              APIs
                              • VariantInit.OLEAUT32(00000000), ref: 01041502
                              • VariantCopy.OLEAUT32(?,?), ref: 0104150B
                              • VariantClear.OLEAUT32(?), ref: 01041517
                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 010415FB
                              • VarR8FromDec.OLEAUT32(?,?), ref: 01041657
                              • VariantInit.OLEAUT32(?), ref: 01041708
                              • SysFreeString.OLEAUT32(?), ref: 0104178C
                              • VariantClear.OLEAUT32(?), ref: 010417D8
                              • VariantClear.OLEAUT32(?), ref: 010417E7
                              • VariantInit.OLEAUT32(00000000), ref: 01041823
                              Similarity
                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                              • API String ID: 1234038744-3931177956
                              • Opcode ID: dcb982b99ce2aa815a3645203875357a21f66203a46db8dc9a41ce7c34f377a8
                              • Instruction ID: d3173a3c65ca477d726e559941d04a0c35780443d6593e9cba3ae12d9e6ef2fd
                              • Opcode Fuzzy Hash: dcb982b99ce2aa815a3645203875357a21f66203a46db8dc9a41ce7c34f377a8
                              • Instruction Fuzzy Hash: 8CD1D5B1600219DBDB10DF65D8C5BBDBBF5BF05700F0880A6E9969B280DB35F885DBA1
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                                • Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
                                • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
                                • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
                                • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105B6F4
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105B772
                              • RegDeleteValueW.ADVAPI32(?,?), ref: 0105B80A
                              • RegCloseKey.ADVAPI32(?), ref: 0105B87E
                              • RegCloseKey.ADVAPI32(?), ref: 0105B89C
                              • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0105B8F2
                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0105B904
                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 0105B922
                              • FreeLibrary.KERNEL32(00000000), ref: 0105B983
                              • RegCloseKey.ADVAPI32(00000000), ref: 0105B994
                              Similarity
                              • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                              • String ID: RegDeleteKeyExW$advapi32.dll
                              • API String ID: 146587525-4033151799
                              • Opcode ID: de34fa4445113de9bbda7053546e1b94d6bc0cceaa6be09157573c7a800124ad
                              • Instruction ID: c7bf221b8c651a94c59af0b9a54b8657daabf23e8fdc9eead26fd8ec05e55f83
                              • Opcode Fuzzy Hash: de34fa4445113de9bbda7053546e1b94d6bc0cceaa6be09157573c7a800124ad
                              • Instruction Fuzzy Hash: 17C17E34204201AFE750DF18C495F2ABBE2FF85308F18859DF9968B3A2CB75E945CB91
                              APIs
                              • GetDC.USER32(00000000), ref: 010525D8
                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010525E8
                              • CreateCompatibleDC.GDI32(?), ref: 010525F4
                              • SelectObject.GDI32(00000000,?), ref: 01052601
                              • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0105266D
                              • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010526AC
                              • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010526D0
                              • SelectObject.GDI32(?,?), ref: 010526D8
                              • DeleteObject.GDI32(?), ref: 010526E1
                              • DeleteDC.GDI32(?), ref: 010526E8
                              • ReleaseDC.USER32(00000000,?), ref: 010526F3
                              Similarity
                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                              • String ID: (
                              • API String ID: 2598888154-3887548279
                              • Opcode ID: ea7064275f8c000d593e13789ff22e08961485a905a18c0577122af77bf30862
                              • Instruction ID: 340f1eca7a52e99a22fad7b9326b7bdb71da08aa298bf5e0b8b468b35ab1a18a
                              • Opcode Fuzzy Hash: ea7064275f8c000d593e13789ff22e08961485a905a18c0577122af77bf30862
                              • Instruction Fuzzy Hash: DA611375D00209EFDF15CFA8C984AAEBBF5FF48310F20852AE995A7250D775A940CFA0
                              APIs
                              • ___free_lconv_mon.LIBCMT ref: 0100DAA1
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D659
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D66B
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D67D
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D68F
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6A1
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6B3
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6C5
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6D7
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6E9
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6FB
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D70D
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D71F
                                • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D731
                              • _free.LIBCMT ref: 0100DA96
                                • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                                • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                              • _free.LIBCMT ref: 0100DAB8
                              • _free.LIBCMT ref: 0100DACD
                              • _free.LIBCMT ref: 0100DAD8
                              • _free.LIBCMT ref: 0100DAFA
                              • _free.LIBCMT ref: 0100DB0D
                              • _free.LIBCMT ref: 0100DB1B
                              • _free.LIBCMT ref: 0100DB26
                              • _free.LIBCMT ref: 0100DB5E
                              • _free.LIBCMT ref: 0100DB65
                              • _free.LIBCMT ref: 0100DB82
                              • _free.LIBCMT ref: 0100DB9A
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                              • String ID:
                              • API String ID: 161543041-0
                              • Opcode ID: 9f2ac2bbc661ef493700b1d973b439b5028659a318c79e99af8c616188ee2662
                              • Instruction ID: cac6e923f02d539fe2cac0ffb1567042a6e23e09fd8a78abda6c82cc4b0169af
                              • Opcode Fuzzy Hash: 9f2ac2bbc661ef493700b1d973b439b5028659a318c79e99af8c616188ee2662
                              • Instruction Fuzzy Hash: 463139316046069FFB63AAB9E848B9A7BE9FF11250F244459E4C9D71D1DE35E880CB30
                              APIs
                              • GetClassNameW.USER32(?,?,00000100), ref: 0103369C
                              • _wcslen.LIBCMT ref: 010336A7
                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01033797
                              • GetClassNameW.USER32(?,?,00000400), ref: 0103380C
                              • GetDlgCtrlID.USER32(?), ref: 0103385D
                              • GetWindowRect.USER32(?,?), ref: 01033882
                              • GetParent.USER32(?), ref: 010338A0
                              • ScreenToClient.USER32(00000000), ref: 010338A7
                              • GetClassNameW.USER32(?,?,00000100), ref: 01033921
                              • GetWindowTextW.USER32(?,?,00000400), ref: 0103395D
                              Similarity
                              • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                              • String ID: %s%u
                              • API String ID: 4010501982-679674701
                              • Opcode ID: 9ce791be66b255f20b664ed96d02188ea400c0aa6850e23976d63df9a956c123
                              • Instruction ID: 4b09bec1805f56015a79183c4c2ff7c88d6124fe231a6e9e81ba8dd5ad769c7b
                              • Opcode Fuzzy Hash: 9ce791be66b255f20b664ed96d02188ea400c0aa6850e23976d63df9a956c123
                              • Instruction Fuzzy Hash: BA91A271204606EFE715DF28C884BAAF7ECFF84310F00851AFAD9DA150DB34A945CB91
                              APIs
                              • GetClassNameW.USER32(?,?,00000400), ref: 01034994
                              • GetWindowTextW.USER32(?,?,00000400), ref: 010349DA
                              • _wcslen.LIBCMT ref: 010349EB
                              • CharUpperBuffW.USER32(?,00000000), ref: 010349F7
                              • _wcsstr.LIBVCRUNTIME ref: 01034A2C
                              • GetClassNameW.USER32(00000018,?,00000400), ref: 01034A64
                              • GetWindowTextW.USER32(?,?,00000400), ref: 01034A9D
                              • GetClassNameW.USER32(00000018,?,00000400), ref: 01034AE6
                              • GetClassNameW.USER32(?,?,00000400), ref: 01034B20
                              • GetWindowRect.USER32(?,?), ref: 01034B8B
                              Similarity
                              • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                              • String ID: ThumbnailClass
                              • API String ID: 1311036022-1241985126
                              • Opcode ID: 907ff7ef1d06aaa36869c5c7fbe512c484ab155caa90cc8e81bc720c9b713c01
                              • Instruction ID: fff677af2c5f0cf1fdda20fef021db7c635eb97b86451075a83163b9b47b721f
                              • Opcode Fuzzy Hash: 907ff7ef1d06aaa36869c5c7fbe512c484ab155caa90cc8e81bc720c9b713c01
                              • Instruction Fuzzy Hash: 1791B2311042099FEB59DE18C980BAA7BECFF84314F0484AAFEC5DA196DB34E945CB61
                              APIs
                                • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 01068D5A
                              • GetFocus.USER32 ref: 01068D6A
                              • GetDlgCtrlID.USER32(00000000), ref: 01068D75
                              • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01068E1D
                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 01068ECF
                              • GetMenuItemCount.USER32(?), ref: 01068EEC
                              • GetMenuItemID.USER32(?,00000000), ref: 01068EFC
                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 01068F2E
                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 01068F70
                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01068FA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                              • String ID: 0
                              • API String ID: 1026556194-4108050209
                              APIs
                              • GetMenuItemInfoW.USER32(010A1990,000000FF,00000000,00000030), ref: 0103BFAC
                              • SetMenuItemInfoW.USER32(010A1990,00000004,00000000,00000030), ref: 0103BFE1
                              • Sleep.KERNEL32(000001F4), ref: 0103BFF3
                              • GetMenuItemCount.USER32(?), ref: 0103C039
                              • GetMenuItemID.USER32(?,00000000), ref: 0103C056
                              • GetMenuItemID.USER32(?,-00000001), ref: 0103C082
                              • GetMenuItemID.USER32(?,?), ref: 0103C0C9
                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0103C10F
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0103C124
                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0103C145
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ItemMenu$Info$CheckCountRadioSleep
                              • String ID: 0
                              • API String ID: 1460738036-4108050209
                              APIs
                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0103DC20
                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0103DC46
                              • _wcslen.LIBCMT ref: 0103DC50
                              • _wcsstr.LIBVCRUNTIME ref: 0103DCA0
                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0103DCBC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                              • API String ID: 1939486746-1459072770
                              APIs
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0105CC64
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0105CC8D
                              • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0105CD48
                                • Part of subcall function 0105CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0105CCAA
                                • Part of subcall function 0105CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0105CCBD
                                • Part of subcall function 0105CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0105CCCF
                                • Part of subcall function 0105CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0105CD05
                                • Part of subcall function 0105CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0105CD28
                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 0105CCF3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                              • String ID: RegDeleteKeyExW$advapi32.dll
                              • API String ID: 2734957052-4033151799
                              APIs
                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01043D40
                              • _wcslen.LIBCMT ref: 01043D6D
                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 01043D9D
                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01043DBE
                              • RemoveDirectoryW.KERNEL32(?), ref: 01043DCE
                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01043E55
                              • CloseHandle.KERNEL32(00000000), ref: 01043E60
                              • CloseHandle.KERNEL32(00000000), ref: 01043E6B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                              • String ID: :$\$\??\%s
                              • API String ID: 1149970189-3457252023
                              APIs
                              • timeGetTime.WINMM ref: 0103E6B4
                                • Part of subcall function 00FEE551: timeGetTime.WINMM(?,?,0103E6D4), ref: 00FEE555
                              • Sleep.KERNEL32(0000000A), ref: 0103E6E1
                              • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0103E705
                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0103E727
                              • SetActiveWindow.USER32 ref: 0103E746
                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0103E754
                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 0103E773
                              • Sleep.KERNEL32(000000FA), ref: 0103E77E
                              • IsWindow.USER32 ref: 0103E78A
                              • EndDialog.USER32(00000000), ref: 0103E79B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                              • String ID: BUTTON
                              • API String ID: 1194449130-3405671355
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0103EA5D
                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0103EA73
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103EA84
                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0103EA96
                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0103EAA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: SendString$_wcslen
                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                              • API String ID: 2420728520-1007645807
                              APIs
                              • GetKeyboardState.USER32(?), ref: 0103A012
                              • SetKeyboardState.USER32(?), ref: 0103A07D
                              • GetAsyncKeyState.USER32(000000A0), ref: 0103A09D
                              • GetKeyState.USER32(000000A0), ref: 0103A0B4
                              • GetAsyncKeyState.USER32(000000A1), ref: 0103A0E3
                              • GetKeyState.USER32(000000A1), ref: 0103A0F4
                              • GetAsyncKeyState.USER32(00000011), ref: 0103A120
                              • GetKeyState.USER32(00000011), ref: 0103A12E
                              • GetAsyncKeyState.USER32(00000012), ref: 0103A157
                              • GetKeyState.USER32(00000012), ref: 0103A165
                              • GetAsyncKeyState.USER32(0000005B), ref: 0103A18E
                              • GetKeyState.USER32(0000005B), ref: 0103A19C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: State$Async$Keyboard
                              • String ID:
                              • API String ID: 541375521-0
                              APIs
                              • GetDlgItem.USER32(?,00000001), ref: 01035CE2
                              • GetWindowRect.USER32(00000000,?), ref: 01035CFB
                              • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 01035D59
                              • GetDlgItem.USER32(?,00000002), ref: 01035D69
                              • GetWindowRect.USER32(00000000,?), ref: 01035D7B
                              • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 01035DCF
                              • GetDlgItem.USER32(?,000003E9), ref: 01035DDD
                              • GetWindowRect.USER32(00000000,?), ref: 01035DEF
                              • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 01035E31
                              • GetDlgItem.USER32(?,000003EA), ref: 01035E44
                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 01035E5A
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 01035E67
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$ItemMoveRect$Invalidate
                              • String ID:
                              • API String ID: 3096461208-0
                              APIs
                                • Part of subcall function 00FE8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FE8BE8,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8FC5
                              • DestroyWindow.USER32(?), ref: 00FE8C81
                              • KillTimer.USER32(00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8D1B
                              • DestroyAcceleratorTable.USER32(00000000), ref: 01026973
                              • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 010269A1
                              • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 010269B8
                              • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000), ref: 010269D4
                              • DeleteObject.GDI32(00000000), ref: 010269E6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                              • String ID:
                              • API String ID: 641708696-0
                              APIs
                                • Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952
                              • GetSysColor.USER32(0000000F), ref: 00FE9862
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ColorLongWindow
                              • String ID:
                              • API String ID: 259745315-0
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0101F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01039717
                              • LoadStringW.USER32(00000000,?,0101F7F8,00000001), ref: 01039720
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                              • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0101F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01039742
                              • LoadStringW.USER32(00000000,?,0101F7F8,00000001), ref: 01039745
                              • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 01039866
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: HandleLoadModuleString$Message_wcslen
                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                              • API String ID: 747408836-2268648507
                              APIs
                                • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010307A2
                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010307BE
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010307DA
                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01030804
                              • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0103082C
                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01030837
                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0103083C
                              Strings
                              Similarity
                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                              • API String ID: 323675364-22481851
                              • Opcode ID: 9fd11368a3debfca0f990a768ae6be19b9497bfdfe535b380c51213caa5ed1ad
                              • Instruction ID: 4e74a3b76e9702790861cccf68629b6cac8d1c814e8848dbc908c02c701a256a
                              • Opcode Fuzzy Hash: 9fd11368a3debfca0f990a768ae6be19b9497bfdfe535b380c51213caa5ed1ad
                              • Instruction Fuzzy Hash: D7413C75C10229ABDF21EB94DC95CEDB7B9FF44750F08416AF981A3261EB349E04DB90
                              APIs
                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0106403B
                              • CreateCompatibleDC.GDI32(00000000), ref: 01064042
                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01064055
                              • SelectObject.GDI32(00000000,00000000), ref: 0106405D
                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 01064068
                              • DeleteDC.GDI32(00000000), ref: 01064072
                              • GetWindowLongW.USER32(?,000000EC), ref: 0106407C
                              • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 01064092
                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0106409E
                              Strings
                              Similarity
                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                              • String ID: static
                              • API String ID: 2559357485-2160076837
                              • Opcode ID: 79351a73c5a164b614863059ff40cf112341af083a254197b65968e80cbfc825
                              • Instruction ID: 1c1237a1c1a6ad64f3c02c319cbd7a2a4c3cca7d3e76845505970d2ae489a67d
                              • Opcode Fuzzy Hash: 79351a73c5a164b614863059ff40cf112341af083a254197b65968e80cbfc825
                              • Instruction Fuzzy Hash: 12313E31101215ABEF229FA8DD08FDA3BADFF0D724F114215FA99E61A0C77AD850DB94
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 01053C5C
                              • CoInitialize.OLE32(00000000), ref: 01053C8A
                              • CoUninitialize.OLE32 ref: 01053C94
                              • _wcslen.LIBCMT ref: 01053D2D
                              • GetRunningObjectTable.OLE32(00000000,?), ref: 01053DB1
                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 01053ED5
                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01053F0E
                              • CoGetObject.OLE32(?,00000000,0106FB98,?), ref: 01053F2D
                              • SetErrorMode.KERNEL32(00000000), ref: 01053F40
                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01053FC4
                              • VariantClear.OLEAUT32(?), ref: 01053FD8
                              Similarity
                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                              • String ID:
                              • API String ID: 429561992-0
                              • Opcode ID: 4573aed08976f2051c3ab09bf84247ae44d647abccb7fcf68f8e6ada5dd9daa7
                              • Instruction ID: 38d8868d918ad06d7424d2265e4dd713579cf7a68c5c88ceb22459602b3508db
                              • Opcode Fuzzy Hash: 4573aed08976f2051c3ab09bf84247ae44d647abccb7fcf68f8e6ada5dd9daa7
                              • Instruction Fuzzy Hash: 2FC133716083059FD790DF68C88492BBBE9FF89788F04495DF98A9B250DB31ED05CB62
                              APIs
                              • CoInitialize.OLE32(00000000), ref: 01047AF3
                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01047B8F
                              • SHGetDesktopFolder.SHELL32(?), ref: 01047BA3
                              • CoCreateInstance.OLE32(0106FD08,00000000,00000001,01096E6C,?), ref: 01047BEF
                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01047C74
                              • CoTaskMemFree.OLE32(?,?), ref: 01047CCC
                              • SHBrowseForFolderW.SHELL32(?), ref: 01047D57
                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01047D7A
                              • CoTaskMemFree.OLE32(00000000), ref: 01047D81
                              • CoTaskMemFree.OLE32(00000000), ref: 01047DD6
                              • CoUninitialize.OLE32 ref: 01047DDC
                              Similarity
                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                              • String ID:
                              • API String ID: 2762341140-0
                              • Opcode ID: c3deef7af477d65acc3bd55ade52d7eeb4640d2b32e919f0363e130d28a642cd
                              • Instruction ID: b02c312fb952edcc46bb8a4467b5a8d98ecebf644c30d9c1ad74f83ec67a0673
                              • Opcode Fuzzy Hash: c3deef7af477d65acc3bd55ade52d7eeb4640d2b32e919f0363e130d28a642cd
                              • Instruction Fuzzy Hash: 84C15A75A00209AFDB14DFA4C8C4DAEBBF9FF48304B1484A9E9599B361DB35ED41CB90
                              APIs
                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01065504
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01065515
                              • CharNextW.USER32(00000158), ref: 01065544
                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01065585
                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0106559B
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010655AC
                              Similarity
                              • API ID: MessageSend$CharNext
                              • String ID:
                              • API String ID: 1350042424-0
                              • Opcode ID: bdab0f53e297447e517ae88e007bf26ae61de5e2cb9bd9d856adf9c4f8ea8e25
                              • Instruction ID: 0879dc71b458274840148f66b6edbc495daf107eadc9db55c7eee95fa1ca746c
                              • Opcode Fuzzy Hash: bdab0f53e297447e517ae88e007bf26ae61de5e2cb9bd9d856adf9c4f8ea8e25
                              • Instruction Fuzzy Hash: 54617434900209AFEF209F54CC849FE7BBDEF0A7A4F004185F6E5A7290D7759A41CB61
                              APIs
                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0102FAAF
                              • SafeArrayAllocData.OLEAUT32(?), ref: 0102FB08
                              • VariantInit.OLEAUT32(?), ref: 0102FB1A
                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 0102FB3A
                              • VariantCopy.OLEAUT32(?,?), ref: 0102FB8D
                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 0102FBA1
                              • VariantClear.OLEAUT32(?), ref: 0102FBB6
                              • SafeArrayDestroyData.OLEAUT32(?), ref: 0102FBC3
                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0102FBCC
                              • VariantClear.OLEAUT32(?), ref: 0102FBDE
                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0102FBE9
                              Similarity
                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                              • String ID:
                              • API String ID: 2706829360-0
                              • Opcode ID: b4856c262fb3f87e80bfbd3b28bcc72a593619cb9bc11f05d360a65af377211f
                              • Instruction ID: acb5d94c334da6ae43d22e2211c79b573e55b20e53aff5ea7a075165a7cb86d7
                              • Opcode Fuzzy Hash: b4856c262fb3f87e80bfbd3b28bcc72a593619cb9bc11f05d360a65af377211f
                              • Instruction Fuzzy Hash: A8416375A0021ADFDF11DF68C8549EDBBB9FF48384F008065E985A7261CB35E945CFA0
                              APIs
                              • GetKeyboardState.USER32(?), ref: 01039CA1
                              • GetAsyncKeyState.USER32(000000A0), ref: 01039D22
                              • GetKeyState.USER32(000000A0), ref: 01039D3D
                              • GetAsyncKeyState.USER32(000000A1), ref: 01039D57
                              • GetKeyState.USER32(000000A1), ref: 01039D6C
                              • GetAsyncKeyState.USER32(00000011), ref: 01039D84
                              • GetKeyState.USER32(00000011), ref: 01039D96
                              • GetAsyncKeyState.USER32(00000012), ref: 01039DAE
                              • GetKeyState.USER32(00000012), ref: 01039DC0
                              • GetAsyncKeyState.USER32(0000005B), ref: 01039DD8
                              • GetKeyState.USER32(0000005B), ref: 01039DEA
                              Similarity
                              • API ID: State$Async$Keyboard
                              • String ID:
                              • API String ID: 541375521-0
                              • Opcode ID: f1986d121c2b0499c81e568c8a95325c4fd21af2abfd17b741e8d5930ab44014
                              • Instruction ID: 8ddbc0a7a3485ff44324ce7747d7175fbc25d3aca39f0146376ede1111906efa
                              • Opcode Fuzzy Hash: f1986d121c2b0499c81e568c8a95325c4fd21af2abfd17b741e8d5930ab44014
                              • Instruction Fuzzy Hash: 3A41F9345047C969FFB2666885093B6BEE86F81308F0480DED6C6562C3DBE595C4CBA2
                              APIs
                              • WSAStartup.WSOCK32(00000101,?), ref: 010505BC
                              • inet_addr.WSOCK32(?), ref: 0105061C
                              • gethostbyname.WSOCK32(?), ref: 01050628
                              • IcmpCreateFile.IPHLPAPI ref: 01050636
                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010506C6
                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010506E5
                              • IcmpCloseHandle.IPHLPAPI(?), ref: 010507B9
                              • WSACleanup.WSOCK32 ref: 010507BF
                              Strings
                              Similarity
                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                              • String ID: Ping
                              • API String ID: 1028309954-2246546115
                              • Opcode ID: 7c1efd45e8691b7b0db59faaa1a00cbe5aff57a5da217196706798ed321c39c8
                              • Instruction ID: 530c88217615c81d873a2bbb035197678a15986a1affd996b3cd17d89c99e3f5
                              • Opcode Fuzzy Hash: 7c1efd45e8691b7b0db59faaa1a00cbe5aff57a5da217196706798ed321c39c8
                              • Instruction Fuzzy Hash: 35918E759042019FD360CF19C988B1BBBE0BF44318F0885A9F9A98B7A6C735ED45CF91
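The function records above all share one shape: an `APIs` list of `Name.MODULE(args), ref: ADDR` lines (with `Part of subcall function` entries for calls that sit in a callee), an optional `Strings` section, the memory dump source, and a `Similarity` block of `Key: value` lines (API ID, String ID, opcode and instruction fuzzy hashes). The following Python is an added example for this page, not Joe Sandbox code: a parser for that record format that turns each record into a dict, decodes the constant virtual-key codes polled by the keyboard-state function and the timeout argument of `IcmpSendEcho` in the Ping function, and derives coarse capability tags from the API names. The tag table, the VK name map, every function name, and `SAMPLE` (two records copied and trimmed from this listing) are this example's own; the only format assumption beyond what is visible above is that Joe joins the strings in `String ID` with `$`, which makes a string that itself ends in `$` (the `\IPC$` share in the record above) ambiguous.

```python
"""Parser for the Joe Sandbox IDA-plugin function records shown on this page.

Added example, not Joe Sandbox code.  A record starts at an "APIs" header and
holds "• Name.MODULE(args), ref: ADDR" lines, optional "Strings" and "Memory
Dump Source" sections, and a "Similarity" block of "• Key: value" lines.  The
tag table, VK map, function names and SAMPLE are this example's own assumptions.
"""
import re

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function PARENT: ]Name.MODULE[(args)][, ref: ADDR]"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")  # "• Key: value"

# Coarse behaviour tags keyed on Win32 API names (constructed for this example).
CAPABILITY_TAGS = {
    "keyboard-state-polling": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"},
    "icmp-echo": {"IcmpCreateFile", "IcmpSendEcho"},
    "name-resolution": {"gethostbyname", "inet_addr"},
    "remote-registry": {"RegConnectRegistryW", "WNetAddConnection2W"},
}
# Win32 VK_* constants for the key codes polled in the keyboard-state record.
VK_NAMES = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}


def parse_records(text):
    """Return one dict per record: {'apis': [...], 'strings': [...], 'fields': {...}}."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":                 # every record begins with its API list
                rec = {"apis": [], "strings": [], "fields": {}}
                records.append(rec)
            section = line
            continue
        if rec is None:                        # text before the first record
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                rec["apis"].append({"name": m["name"], "module": m["module"], "args": args,
                                    "ref": int(m["ref"], 16) if m["ref"] else None,
                                    "parent": m["parent"]})  # set when the call is in a subcall
        elif (m := KV_RE.match(line)):
            rec["fields"][m["key"]] = m["value"]
            if m["key"] == "String ID":
                # Joe joins strings with "$"; a string that itself ends in "$" (the
                # IPC$ share in one record on this page) cannot be split back unambiguously.
                rec["strings"] = [s for s in m["value"].split("$") if s]
    return records


def capability_tags(rec):
    """Tags whose API set intersects the function's own (non-subcall) calls."""
    names = {a["name"] for a in rec["apis"] if a["parent"] is None}
    return sorted(tag for tag, apis in CAPABILITY_TAGS.items() if names & apis)


def polled_virtual_keys(rec):
    """Constant VK codes passed to GetAsyncKeyState/GetKeyState ('?' = not constant)."""
    keys = set()
    for a in rec["apis"]:
        if a["name"] in ("GetAsyncKeyState", "GetKeyState") and a["args"] and a["args"][0] != "?":
            vk = int(a["args"][0], 16)
            keys.add(VK_NAMES.get(vk, f"VK_{vk:02X}"))
    return sorted(keys)


def icmp_timeouts_ms(rec):
    """IcmpSendEcho's 8th argument is the timeout in milliseconds; '?' is skipped."""
    return [int(a["args"][7], 16) for a in rec["apis"]
            if a["name"] == "IcmpSendEcho" and len(a["args"]) >= 8 and a["args"][7] != "?"]


# Two records copied (and trimmed) from the listing on this page.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 01039CA1
• GetAsyncKeyState.USER32(000000A0), ref: 01039D22
• GetKeyState.USER32(000000A0), ref: 01039D3D
• GetAsyncKeyState.USER32(000000A1), ref: 01039D57
• GetAsyncKeyState.USER32(00000011), ref: 01039D84
• GetAsyncKeyState.USER32(00000012), ref: 01039DAE
• GetAsyncKeyState.USER32(0000005B), ref: 01039DD8
Similarity
• API ID: State$Async$Keyboard
• String ID:
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 010505BC
• gethostbyname.WSOCK32(?), ref: 01050628
• IcmpCreateFile.IPHLPAPI ref: 01050636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010506C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010506E5
• WSACleanup.WSOCK32 ref: 010507BF
Strings
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(capability_tags(r), polled_virtual_keys(r), icmp_timeouts_ms(r), r["strings"])
```

On the two sample records the keyboard-state function resolves to the five modifier keys (left/right Shift, Ctrl, Alt, left Win) and nothing else, which fits a hotkey or modifier check rather than general keystroke capture; the Ping function's `IcmpSendEcho` timeout argument `00000FA0` decodes to 4000 ms. Feed the whole report text to `parse_records` to tag every record in one pass; subcall lines are kept but excluded from tagging so that a shared `_wcslen` does not pollute a function's own profile.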
                              APIs
                              Strings
                              Similarity
                              • API ID: _wcslen$BuffCharLower
                              • String ID: cdecl$none$stdcall$winapi
                              • API String ID: 707087890-567219261
                              • Opcode ID: b934d34037c45b8cc22cdb644634b6aa4a9d0ca2efdcb7013ecbadc9748b6a22
                              • Instruction ID: ced4025b4cc7a960c84c0658319db679311b62e2dd4e9f970ef330f5e9854e8a
                              • Opcode Fuzzy Hash: b934d34037c45b8cc22cdb644634b6aa4a9d0ca2efdcb7013ecbadc9748b6a22
                              • Instruction Fuzzy Hash: AD51C032A000169BCFA4DF6DC8508BFB7F6AF54324B24825AEDA6E7285D735DD40D790
                              APIs
                              • CoInitialize.OLE32 ref: 01053774
                              • CoUninitialize.OLE32 ref: 0105377F
                              • CoCreateInstance.OLE32(?,00000000,00000017,0106FB78,?), ref: 010537D9
                              • IIDFromString.OLE32(?,?), ref: 0105384C
                              • VariantInit.OLEAUT32(?), ref: 010538E4
                              • VariantClear.OLEAUT32(?), ref: 01053936
                              Strings
                              Similarity
                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                              • API String ID: 636576611-1287834457
                              • Opcode ID: 2db5bf910695abc9e91cf23bb07eecb122a34bc86d65ed27da0eaa3623559cf7
                              • Instruction ID: c7cd3c74ee59b6bc1d673b338ded1d3d687f7a53860054f1f9dcfc2e21b1cb09
                              • Opcode Fuzzy Hash: 2db5bf910695abc9e91cf23bb07eecb122a34bc86d65ed27da0eaa3623559cf7
                              • Instruction Fuzzy Hash: 2C618E71608301AFD361DF55C888B6BBBE8FF88754F040859F9C59B291D774E948CB92
                              APIs
                              • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 010433CF
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                              • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010433F0
                              Strings
                              Similarity
                              • API ID: LoadString$_wcslen
                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                              • API String ID: 4099089115-3080491070
                              • Opcode ID: e4f6bd516a8defb70aa71b2148544603a3aada6424a85f08c0619461b3a4f0be
                              • Instruction ID: 3dc49e6d6bda82776387202897097a35a439c1a051a68de7117b61b076f3d4d2
                              • Opcode Fuzzy Hash: e4f6bd516a8defb70aa71b2148544603a3aada6424a85f08c0619461b3a4f0be
                              • Instruction Fuzzy Hash: 2B51F17290021AABDF14EBE0CE42EEEB77AAF14340F144066F14576151EB7A2F58EF61
                              APIs
                              Strings
                              Similarity
                              • API ID: _wcslen$BuffCharUpper
                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                              • API String ID: 1256254125-769500911
                              • Opcode ID: ea03d93c8856da25cf8c31e846d548aa488444c3e406de2a32b4b09308fa92f0
                              • Instruction ID: f88ba4f06b81986e45942c1912d805af8ea06d391b0fb513294f003d6634ddc5
                              • Opcode Fuzzy Hash: ea03d93c8856da25cf8c31e846d548aa488444c3e406de2a32b4b09308fa92f0
                              • Instruction Fuzzy Hash: BC412832B000268BCB205F7DCC905BEBBE9BFD4658B144169E5A1DB286F639C881E390
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 010453A0
                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01045416
                              • GetLastError.KERNEL32 ref: 01045420
                              • SetErrorMode.KERNEL32(00000000,READY), ref: 010454A7
                              Strings
                              Similarity
                              • API ID: Error$Mode$DiskFreeLastSpace
                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                              • API String ID: 4194297153-14809454
                              • Opcode ID: b159bba315553b762215af167254b20cbd942381428c2feb545358d30205a2fd
                              • Instruction ID: 6f0f1b6f41f6c25da1d5f4b4afc45378b3d490dc5f705b32a4d3efe5887d6535
                              • Opcode Fuzzy Hash: b159bba315553b762215af167254b20cbd942381428c2feb545358d30205a2fd
                              • Instruction Fuzzy Hash: 6D319FB5A002059FDB11DF68C8C4AAA7BF4FB85309F0880A5F585CF292EB75D942CB90
                              APIs
                              • CreateMenu.USER32 ref: 01063C79
                              • SetMenu.USER32(?,00000000), ref: 01063C88
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01063D10
                              • IsMenu.USER32(?), ref: 01063D24
                              • CreatePopupMenu.USER32 ref: 01063D2E
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01063D5B
                              • DrawMenuBar.USER32 ref: 01063D63
                              Strings
                              Similarity
                              • API ID: Menu$CreateItem$DrawInfoInsertPopup
                              • String ID: 0$F
                              • API String ID: 161812096-3044882817
                              • Opcode ID: 30cc3d6934ce14de08e3147ed5d15d82301b3f802858a79698059384d908a2d5
                              • Instruction ID: 70519c22da2a8c197c2e1518116ccd74c1c0fd156e53bb0e30968d13112c347f
                              • Opcode Fuzzy Hash: 30cc3d6934ce14de08e3147ed5d15d82301b3f802858a79698059384d908a2d5
                              • Instruction Fuzzy Hash: 5B417F75A01209EFEB24DF64E844ADA7BF9FF49350F040069FA8A9B360D735A910CF94
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                                • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                              • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 01032043
                              • GetDlgCtrlID.USER32 ref: 0103204E
                              • GetParent.USER32 ref: 0103206A
                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0103206D
                              • GetDlgCtrlID.USER32(?), ref: 01032076
                              • GetParent.USER32(?), ref: 0103208A
                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0103208D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageSend$CtrlParent$ClassName_wcslen
                              • String ID: ComboBox$ListBox
                              • API String ID: 711023334-1403004172
                              • Opcode ID: 3f11d205504929a173860a2bdbad4bb8b04f0645638594734bab205d391d40f9
                              • Instruction ID: eeeddf43dfb84c639460338404a356fd849741504a2fe9af274d27479d3533dd
                              • Opcode Fuzzy Hash: 3f11d205504929a173860a2bdbad4bb8b04f0645638594734bab205d391d40f9
                              • Instruction Fuzzy Hash: 7C21D475A00218BBDF11AFA4CC84EEEBFB9EF19300F004046F9D1972A6CB795818DB60
                              APIs
                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01063A9D
                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01063AA0
                              • GetWindowLongW.USER32(?,000000F0), ref: 01063AC7
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01063AEA
                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01063B62
                              • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01063BAC
                              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01063BC7
                              • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01063BE2
                              • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01063BF6
                              • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01063C13
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageSend$LongWindow
                              • String ID:
                              • API String ID: 312131281-0
                              • Opcode ID: 112352f5b5d9f57dc255ff36c71ad05ebcb93d5e7ef2fe5a1632e29163a87830
                              • Instruction ID: a4b2639126ca93b18287cfb6cb409277444c8c7072372c39bc72030e27ee7cae
                              • Opcode Fuzzy Hash: 112352f5b5d9f57dc255ff36c71ad05ebcb93d5e7ef2fe5a1632e29163a87830
                              • Instruction Fuzzy Hash: F7616A75900208AFDB20DFA8CC81EEE77F8FF09714F10019AFA95AB291D775A945DB90
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 0103B151
                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B165
                              • GetWindowThreadProcessId.USER32(00000000), ref: 0103B16C
                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B17B
                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0103B18D
                              • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1A6
                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1B8
                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1FD
                              • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B212
                              • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B21D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                              • String ID:
                              • API String ID: 2156557900-0
                              • Opcode ID: 3b1db2c314b246af02284a4ac496ec88b6c38791e87dc866b3545890ad93e05d
                              • Instruction ID: b68c108820f56959957790cc2f2022563ecd9121f45f1d76a645ba33c96314be
                              • Opcode Fuzzy Hash: 3b1db2c314b246af02284a4ac496ec88b6c38791e87dc866b3545890ad93e05d
                              • Instruction Fuzzy Hash: FB31FD71180604BFEB359F28D849F6DBBEDBB86319F504104FAC2CA185C7BAA8008F24
                              APIs
                              • _free.LIBCMT ref: 01002C94
                                • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                                • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                              • _free.LIBCMT ref: 01002CA0
                              • _free.LIBCMT ref: 01002CAB
                              • _free.LIBCMT ref: 01002CB6
                              • _free.LIBCMT ref: 01002CC1
                              • _free.LIBCMT ref: 01002CCC
                              • _free.LIBCMT ref: 01002CD7
                              • _free.LIBCMT ref: 01002CE2
                              • _free.LIBCMT ref: 01002CED
                              • _free.LIBCMT ref: 01002CFB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: aa965520425a5ba993a18b61e1943a9391fb2edffb4ca5ebf3ae278adad05b08
                              • Instruction ID: c4a5c549467f4ce043041e07c10291093d6a69478084efb5f7e8131261c4af66
                              • Opcode Fuzzy Hash: aa965520425a5ba993a18b61e1943a9391fb2edffb4ca5ebf3ae278adad05b08
                              • Instruction Fuzzy Hash: 1511B676500109BFEB03EF94D885CDD3BA9FF15390F6144A5FA889F2A1DA31EE509B90
                              APIs
                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FD1459
                              • OleUninitialize.OLE32(?,00000000), ref: 00FD14F8
                              • UnregisterHotKey.USER32(?), ref: 00FD16DD
                              • DestroyWindow.USER32(?), ref: 010124B9
                              • FreeLibrary.KERNEL32(?), ref: 0101251E
                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0101254B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                              • String ID: close all
                              • API String ID: 469580280-3243417748
                              • Opcode ID: cf2875bafba47af97be1c4a1fcb71875475cc85e29dbc375566356765e5a9f9c
                              • Instruction ID: b29d196f10a7134eb2b10cb37aa3a24d4482faf95ff0c8e222f882915fb08ab3
                              • Opcode Fuzzy Hash: cf2875bafba47af97be1c4a1fcb71875475cc85e29dbc375566356765e5a9f9c
                              • Instruction Fuzzy Hash: DAD19931701212DFDB29EF15C998B28F7A5BF05700F2842AEE58A6B365CB34AC12DF50
                              APIs
                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01047FAD
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 01047FC1
                              • GetFileAttributesW.KERNEL32(?), ref: 01047FEB
                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 01048005
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 01048017
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 01048060
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 010480B0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CurrentDirectory$AttributesFile
                              • String ID: *.*
                              • API String ID: 769691225-438819550
                              • Opcode ID: cd5334f080d820bed8b8acbd0f583eafe605d2b41772794a6e612810d659e189
                              • Instruction ID: a3c9cd633eb68de918236dc879005afd26d3c815c9e65bf6e997972653ae80ba
                              • Opcode Fuzzy Hash: cd5334f080d820bed8b8acbd0f583eafe605d2b41772794a6e612810d659e189
                              • Instruction Fuzzy Hash: 4981C1B25042019BDB74EF59C884AAEB7E9BF88310F084D6EF9C5C7250E735D945CB92
                              APIs
                              • SetWindowLongW.USER32(?,000000EB), ref: 00FD5C7A
                                • Part of subcall function 00FD5D0A: GetClientRect.USER32(?,?), ref: 00FD5D30
                                • Part of subcall function 00FD5D0A: GetWindowRect.USER32(?,?), ref: 00FD5D71
                                • Part of subcall function 00FD5D0A: ScreenToClient.USER32(?,?), ref: 00FD5D99
                              • GetDC.USER32 ref: 010146F5
                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 01014708
                              • SelectObject.GDI32(00000000,00000000), ref: 01014716
                              • SelectObject.GDI32(00000000,00000000), ref: 0101472B
                              • ReleaseDC.USER32(?,00000000), ref: 01014733
                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 010147C4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                              • String ID: U
                              • API String ID: 4009187628-3372436214
                              • Opcode ID: e819c201679f4b7518b39605973d6faef0c5f1c5fb4255aa69893ffc96ed1ba2
                              • Instruction ID: 0860b4c19cc7d5986dcfc46463849bf5723e87a7579a31f5ee21f49d859e25ba
                              • Opcode Fuzzy Hash: e819c201679f4b7518b39605973d6faef0c5f1c5fb4255aa69893ffc96ed1ba2
                              • Instruction Fuzzy Hash: EA71E331500205DFDF218F68C984ABE3BB6FF49365F1842A6EED59A26AC3399841DF50
                              APIs
                              • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 010435E4
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                              • LoadStringW.USER32(010A2390,?,00000FFF,?), ref: 0104360A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: LoadString$_wcslen
                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                              • API String ID: 4099089115-2391861430
                              • Opcode ID: f93db0d451c3e4cfdeff658b3e9988ab94d4ab35764340fa8d8a36bd16571de7
                              • Instruction ID: 488dbfe35c086e19e2f0d7c94c0fd133af2cf962acb7cc4183f90513b992caa6
                              • Opcode Fuzzy Hash: f93db0d451c3e4cfdeff658b3e9988ab94d4ab35764340fa8d8a36bd16571de7
                              • Instruction Fuzzy Hash: 0D51A27280021ABBDF15EBE0CD81EEDBB7ABF14300F484126F14576251DB751A98EF61
                              APIs
                                • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                                • Part of subcall function 00FE912D: GetCursorPos.USER32(?), ref: 00FE9141
                                • Part of subcall function 00FE912D: ScreenToClient.USER32(00000000,?), ref: 00FE915E
                                • Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000001), ref: 00FE9183
                                • Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000002), ref: 00FE919D
                              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01068B6B
                              • ImageList_EndDrag.COMCTL32 ref: 01068B71
                              • ReleaseCapture.USER32 ref: 01068B77
                              • SetWindowTextW.USER32(?,00000000), ref: 01068C12
                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01068C25
                              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01068CFF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                              • API String ID: 1924731296-2107944366
                              • Opcode ID: 25dbc8ecef78c092e3df012f17f24e3729b742a2075c717c5487c215dff2f890
                              • Instruction ID: d0f109d127d5755c4ca24b20f1aa2c1185bd071aa4c07e5e012a20c16ed3b856
                              • Opcode Fuzzy Hash: 25dbc8ecef78c092e3df012f17f24e3729b742a2075c717c5487c215dff2f890
                              • Instruction Fuzzy Hash: 4951AB71208304AFE710DF64DC59FAA77E9FB88714F40062EF9D6972A1CB799904CB62
                              APIs
                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104C272
                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0104C29A
                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0104C2CA
                              • GetLastError.KERNEL32 ref: 0104C322
                              • SetEvent.KERNEL32(?), ref: 0104C336
                              • InternetCloseHandle.WININET(00000000), ref: 0104C341
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                              • String ID:
                              • API String ID: 3113390036-3916222277
                              • Opcode ID: 7a7dc09a089ac3c8bd2660e1c96d0a3f78e68be3e3c750da4e8c5038aa4d45d1
                              • Instruction ID: 28d8cdb07ef70945c986e1488bf6a296edbc66dfca4314240e920f69311193f9
                              • Opcode Fuzzy Hash: 7a7dc09a089ac3c8bd2660e1c96d0a3f78e68be3e3c750da4e8c5038aa4d45d1
                              • Instruction Fuzzy Hash: 073171B1601244AFF7319FA58AC4AAF7BFCEF49645B04856DE4C6D2210DB39DA048B60
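The per-function "APIs" blocks above are the most useful part of this listing for triage, but a long report of them is tedious to read by hand. The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a small parser for the block layout used on this page (bullet, `Name.MODULE(args), ref: ADDR`, with the "Part of subcall function" prefix for calls the IDA plugin attributes to callees), plus a heuristic that tags a block when it directly calls every API in a chain of interest. The two chains encoded here are the ones this section shows: `GetForegroundWindow` / `GetWindowThreadProcessId` / `AttachThreadInput` (the function at ref 0103B151, which attaches the calling thread's input queue to the foreground window's thread) and `InternetOpenUrlW` / `HttpSendRequestW` / `HttpQueryInfoW` (the function at ref 0104C272, a synchronous URL fetch). The chain labels, the `CHAINS` table and the `SAMPLE_REPORT` excerpt are the editor's own constructions; the excerpt copies a few lines from this page into the report's layout so the script runs offline.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' blocks and tag API chains worth a closer look."""
import re

# Constructed excerpt in the report's own layout (a few lines copied from this page,
# not the full listing). Block 1 is the AttachThreadInput function, block 2 the
# WinINet function, block 3 a GUI helper whose first entry is a subcall attribution.
SAMPLE_REPORT = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 0103B151
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B165
• GetWindowThreadProcessId.USER32(00000000), ref: 0103B16C
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0103B17B
Memory Dump Source
• Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104C272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0104C29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0104C2CA
• GetLastError.KERNEL32 ref: 0104C322
• InternetCloseHandle.WININET(00000000), ref: 0104C341
Memory Dump Source
APIs
  • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
• SendMessageW.USER32(?,00000186,00020000,00000000), ref: 01032043
• GetDlgCtrlID.USER32 ref: 0103204E
Strings
Memory Dump Source
"""

# One API entry per "• Name.MODULE(args), ref: ADDR" line. The optional prefix marks
# calls the plugin attributes to a callee rather than to the function itself.
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r".*?ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Editor's heuristic labels (an assumption, not a Joe Sandbox signature): a block is
# tagged only when it calls every API in the set directly, not via a subcall.
CHAINS = {
    "foreground-input-attach": {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"},
    "wininet-download": {"InternetOpenUrlW", "HttpSendRequestW", "HttpQueryInfoW"},
}


def parse_api_blocks(text):
    """Return one dict per 'APIs' block: {'apis': [entry, ...], 'first_ref': str}."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "first_ref": None}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m is None:
            # Any non-bullet header (Strings, Memory Dump Source, ...) closes the block.
            if not line.startswith("•"):
                current = None
            continue
        entry = {"name": m["name"], "module": m["module"], "ref": m["ref"],
                 "subcall": m["sub"] is not None}
        current["apis"].append(entry)
        # The first direct call's ref address is a usable handle for the function.
        if current["first_ref"] is None and not entry["subcall"]:
            current["first_ref"] = entry["ref"]
    return blocks


def flag_chains(block, chains=CHAINS):
    """Labels whose whole API set appears among the block's direct calls."""
    direct = {a["name"] for a in block["apis"] if not a["subcall"]}
    return [label for label, needed in chains.items() if needed <= direct]


def summarize(text, chains=CHAINS):
    """(first ref address, labels) for every block matching at least one chain."""
    out = []
    for block in parse_api_blocks(text):
        labels = flag_chains(block, chains)
        if labels:
            out.append((block["first_ref"], labels))
    return out


if __name__ == "__main__":
    for ref, labels in summarize(SAMPLE_REPORT):
        print(ref, ", ".join(labels))
```

Run it on the text of a full report rather than the excerpt and you get a short list of function addresses to open first in the dump. Two caveats apply when reading the output for this sample: the report's own signatures say the binary is likely a compiled AutoIt script, and strings such as `>>>AUTOIT SCRIPT<<<` and `@GUI_DRAGFILE` in the surrounding blocks point the same way, so a matched chain shows capability present in the runtime, not proof the embedded script exercises it; and the plugin's `?` placeholders mean the parser captures argument text only as far as the `ref:` marker, so argument-level checks (for example the `fAttach` flag passed to `AttachThreadInput`) need a dedicated regex.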
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,01013AAF,?,?,Bad directive syntax error,0106CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 010398BC
                              • LoadStringW.USER32(00000000,?,01013AAF,?), ref: 010398C3
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 01039987
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: HandleLoadMessageModuleString_wcslen
                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                              • API String ID: 858772685-4153970271
                              • Opcode ID: d900e94fe707eff630bf387001ad72b8240154ff68150ddb63832ab17e6b0bca
                              • Instruction ID: 6345a1127c76205edf7a9b9056ac330a0d1a70d8ceb908ea840c01dc811b9459
                              • Opcode Fuzzy Hash: d900e94fe707eff630bf387001ad72b8240154ff68150ddb63832ab17e6b0bca
                              • Instruction Fuzzy Hash: 1921D03190021EEBDF11AF90CC06EEE377ABF18304F08441AF65566061EB7A9A28EB11
                              APIs
                              • GetParent.USER32 ref: 010320AB
                              • GetClassNameW.USER32(00000000,?,00000100), ref: 010320C0
                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0103214D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ClassMessageNameParentSend
                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                              • API String ID: 1290815626-3381328864
                              • Opcode ID: 7e9b1bf0809f86d16e1aa8952e7e469cd16d04b7753fbeafb2a7c7083ee340ce
                              • Instruction ID: 21f54509c4581e72a8296e8d99d2ee75b73ecf682fa9df996834551f5e637591
                              • Opcode Fuzzy Hash: 7e9b1bf0809f86d16e1aa8952e7e469cd16d04b7753fbeafb2a7c7083ee340ce
                              • Instruction Fuzzy Hash: 7B110A7A68830AB9FB122526DD16DBB379CCF55724B20015AF784A90A2FAB978016A14
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 343f3fa5452264d369bb29e5d2be5fd7461fb79d65f7e3c0b9dbaae0ca4120c3
                              • Instruction ID: 062819872a75c00b55280d3a0eab8458b490428f348d88a42a49aed3d2cbea9d
                              • Opcode Fuzzy Hash: 343f3fa5452264d369bb29e5d2be5fd7461fb79d65f7e3c0b9dbaae0ca4120c3
                              • Instruction Fuzzy Hash: EDC1BF74D04249AFEB22DFACD844BADBFB4BF09314F04419AF698A72D2C7359941CB61
                              Similarity
                              • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                              • String ID:
                              • API String ID: 1282221369-0
                              • Opcode ID: 1ee7eff62ad01f277eea606da96a92ba99b82b1be0cc8ef7da01a95c0274133c
                              • Instruction ID: 58456d234c6cb2d02f96d3b9b5e715a7124b16f558e63c8d123ff1a35081b8e2
                              • Opcode Fuzzy Hash: 1ee7eff62ad01f277eea606da96a92ba99b82b1be0cc8ef7da01a95c0274133c
                              • Instruction Fuzzy Hash: B2614972904205AFFB23AFB89984ABD7FE4AF01350F0442EDFAC4972C5D736990587A1
                              APIs
                              • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 01026890
                              • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 010268A9
                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 010268B9
                              • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 010268D1
                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 010268F2
                              • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FE8874,00000000,00000000,00000000,000000FF,00000000), ref: 01026901
                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0102691E
                              • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FE8874,00000000,00000000,00000000,000000FF,00000000), ref: 0102692D
                              Similarity
                              • API ID: Icon$DestroyExtractImageLoadMessageSend
                              • String ID:
                              • API String ID: 1268354404-0
                              • Opcode ID: f1a154aeba12fb1890d103ae59a0cf0d6988fdb1b93ff57a202a72aaa18c3d69
                              • Instruction ID: c9f8aa5137c2875dffb99097cafd85f3a852c5e8b6d8851880593741f11f4258
                              • Opcode Fuzzy Hash: f1a154aeba12fb1890d103ae59a0cf0d6988fdb1b93ff57a202a72aaa18c3d69
                              • Instruction Fuzzy Hash: 0651AE70600645EFEB20DF25CC41FAA7BF5FB88350F104618F996972A0DBB6E991EB50
                              APIs
                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0104C182
                              • GetLastError.KERNEL32 ref: 0104C195
                              • SetEvent.KERNEL32(?), ref: 0104C1A9
                                • Part of subcall function 0104C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104C272
                                • Part of subcall function 0104C253: GetLastError.KERNEL32 ref: 0104C322
                                • Part of subcall function 0104C253: SetEvent.KERNEL32(?), ref: 0104C336
                                • Part of subcall function 0104C253: InternetCloseHandle.WININET(00000000), ref: 0104C341
                              Similarity
                              • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                              • String ID:
                              • API String ID: 337547030-0
                              • Opcode ID: ffbe7c3b0d012973f3a46a118fa097a6e715a8e199554fe7851939e05949692c
                              • Instruction ID: 5ea08834ba652fd1c64b1b9c14f067cdd0380a099a3e12143f21e4c0e5511c3b
                              • Opcode Fuzzy Hash: ffbe7c3b0d012973f3a46a118fa097a6e715a8e199554fe7851939e05949692c
                              • Instruction Fuzzy Hash: 663183B1502641BFFB219FB5DB84A6A7BF8FF14200B04442DF9DA82624D775E4149B60
                              APIs
                                • Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
                                • Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
                                • Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65
                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 010325BD
                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010325DB
                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 010325DF
                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 010325E9
                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01032601
                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01032605
                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0103260F
                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01032623
                              • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01032627
                              Similarity
                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                              • String ID:
                              • API String ID: 2014098862-0
                              • Opcode ID: e3fe75068930df16e1f5a3bf67cecf61145b31438d232c42754c469bb12ebf41
                              • Instruction ID: a922baef9f9ff51c80b84c6404d31512fd2013c71746be5143616ed0767c744a
                              • Opcode Fuzzy Hash: e3fe75068930df16e1f5a3bf67cecf61145b31438d232c42754c469bb12ebf41
                              • Instruction Fuzzy Hash: 8401D830790610BBFB2076689C8AF593F5DDF8EB11F100001F394AE0D4C9F224458B69
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01031449,?,?,00000000), ref: 0103180C
                              • HeapAlloc.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 01031813
                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01031449,?,?,00000000), ref: 01031828
                              • GetCurrentProcess.KERNEL32(?,00000000,?,01031449,?,?,00000000), ref: 01031830
                              • DuplicateHandle.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 01031833
                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01031449,?,?,00000000), ref: 01031843
                              • GetCurrentProcess.KERNEL32(01031449,00000000,?,01031449,?,?,00000000), ref: 0103184B
                              • DuplicateHandle.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 0103184E
                              • CreateThread.KERNEL32(00000000,00000000,01031874,00000000,00000000,00000000), ref: 01031868
                              Similarity
                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                              • String ID:
                              • API String ID: 1957940570-0
                              • Opcode ID: f05c1ab3934ec78a07636650c0765e73c4546375e0666cae92870035b328b0db
                              • Instruction ID: da59f13c231daa53d467d9427a1e4ad1374f97c6c3c58e86aeb843908d71d8d0
                              • Opcode Fuzzy Hash: f05c1ab3934ec78a07636650c0765e73c4546375e0666cae92870035b328b0db
                              • Instruction Fuzzy Hash: 8001A8B5240348FFF620ABA5DD49F6B3BACEB8AB11F004411FA85DB1A5CA7598008B20
                              APIs
                                • Part of subcall function 0103D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0103D501
                                • Part of subcall function 0103D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0103D50F
                                • Part of subcall function 0103D4DC: CloseHandle.KERNEL32(00000000), ref: 0103D5DC
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105A16D
                              • GetLastError.KERNEL32 ref: 0105A180
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105A1B3
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0105A268
                              • GetLastError.KERNEL32(00000000), ref: 0105A273
                              • CloseHandle.KERNEL32(00000000), ref: 0105A2C4
                              Similarity
                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                              • String ID: SeDebugPrivilege
                              • API String ID: 2533919879-2896544425
                              • Opcode ID: 779dc2add59615fb39076b2afe229bce6a0e18df3419f52d1c4df6010c39de8a
                              • Instruction ID: 778f9c987f13c35cea4a2278e8a5a057e3e7a7d90d40510e123a6f882fc919a7
                              • Opcode Fuzzy Hash: 779dc2add59615fb39076b2afe229bce6a0e18df3419f52d1c4df6010c39de8a
                              • Instruction Fuzzy Hash: A961B130204242DFE760DF18C495F5ABBE1AF44358F18858CE9968F7A3C776E945CB91
                              APIs
                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01063925
                              • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0106393A
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01063954
                              • _wcslen.LIBCMT ref: 01063999
                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 010639C6
                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 010639F4
                              Similarity
                              • API ID: MessageSend$Window_wcslen
                              • String ID: SysListView32
                              • API String ID: 2147712094-78025650
                              • Opcode ID: 2c4c18d4858603874de5404b69870de033aad146bbdb60bd97c31a8a31c39d68
                              • Instruction ID: 7ab82b93cc7e284cbdcdf5a8c3f74da0305a57b280f274b1d05bcfef347be60f
                              • Opcode Fuzzy Hash: 2c4c18d4858603874de5404b69870de033aad146bbdb60bd97c31a8a31c39d68
                              • Instruction Fuzzy Hash: B5418271A00319ABEF219F64CC45FEA7BADFF08350F10056AF998EB291D7759980CB90
                              APIs
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0103BCFD
                              • IsMenu.USER32(00000000), ref: 0103BD1D
                              • CreatePopupMenu.USER32 ref: 0103BD53
                              • GetMenuItemCount.USER32(01826190), ref: 0103BDA4
                              • InsertMenuItemW.USER32(01826190,?,00000001,00000030), ref: 0103BDCC
                              Similarity
                              • API ID: Menu$Item$CountCreateInfoInsertPopup
                              • String ID: 0$2
                              • API String ID: 93392585-3793063076
                              • Opcode ID: ad3b182be783f6f02e0d0de015f5bb7be362fd56707670eb68e1b3b37f370b4d
                              • Instruction ID: 621e5d99bd9eea538b941377ad26c45b01d1b7b09b54f9a86efebc18ca4d2e46
                              • Opcode Fuzzy Hash: ad3b182be783f6f02e0d0de015f5bb7be362fd56707670eb68e1b3b37f370b4d
                              • Instruction Fuzzy Hash: B551B270A002099BEF21EFACD988BADBFFCBF85318F144199E581DB291E7709541CB52
                              APIs
                              • LoadIconW.USER32(00000000,00007F03), ref: 0103C913
                              Similarity
                              • API ID: IconLoad
                              • String ID: blank$info$question$stop$warning
                              • API String ID: 2457776203-404129466
                              • Opcode ID: 00caf5ffd17d8e8e0a75de1baeea8e4e8e40bd548610bb3890630716c461cd9a
                              • Instruction ID: 470ae78f8959afaea8e1818a7093fdecc666b8fd75ee9272e6f8c4ca1babfc9d
                              • Opcode Fuzzy Hash: 00caf5ffd17d8e8e0a75de1baeea8e4e8e40bd548610bb3890630716c461cd9a
                              • Instruction Fuzzy Hash: 3911EB3668930BBAFB019B559D86CAF77DCDF45360B1100AFF580FA182E7A96F006264
                              APIs
                                • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                              • GetSystemMetrics.USER32(0000000F), ref: 01069FC7
                              • GetSystemMetrics.USER32(0000000F), ref: 01069FE7
                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0106A224
                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0106A242
                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0106A263
                              • ShowWindow.USER32(00000003,00000000), ref: 0106A282
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0106A2A7
                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 0106A2CA
                              Similarity
                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                              • String ID:
                              • API String ID: 1211466189-0
                              • Opcode ID: d118af3aa227cfc30abb77b4d299487044d9fe3eaebb062da570580153dc262a
                              • Instruction ID: 028d755154df53e885ea81e3847acdff4a1b2a910be839674617864bf4b49c23
                              • Opcode Fuzzy Hash: d118af3aa227cfc30abb77b4d299487044d9fe3eaebb062da570580153dc262a
                              • Instruction Fuzzy Hash: 16B19A31600216DBEF14DF6CC9847AE3BF6BF44741F0880A9ED85AF289D735A940CB60
                              Similarity
                              • API ID: _wcslen$LocalTime
                              • String ID:
                              • API String ID: 952045576-0
                              • Opcode ID: c5f406a3f56e1af55ce3ac0e89f022617a788e225b013364e96d467846d05838
                              • Instruction ID: 3b231c6da6320ea9afb113cf2ef356134a5dcf7375903c5d491b94028f099d67
                              • Opcode Fuzzy Hash: c5f406a3f56e1af55ce3ac0e89f022617a788e225b013364e96d467846d05838
                              • Instruction Fuzzy Hash: 33419F65D1021C65CB21EBB4CC8A9DFB7ACAF85710F408566E618E3122FB38E255C3E5
                              APIs
                              • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 00FEF953
                              • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0102F3D1
                              • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0102F454
                              Similarity
                              • API ID: ShowWindow
                              • String ID:
                              • API String ID: 1268545403-0
                              • Opcode ID: bc346db4eb060e702fd9b603a39f7053719e90a9221be7a047a66e6c7124e483
                              • Instruction ID: a5b28658de1d1bdc9629fa5511fafb76d3b4b3f74f271ef21e6fbded320916ec
                              • Opcode Fuzzy Hash: bc346db4eb060e702fd9b603a39f7053719e90a9221be7a047a66e6c7124e483
                              • Instruction Fuzzy Hash: D9415A31A086C0BAD7398B2FCD8872E7FA1AB46360F15802DE0C757562C67AA588E711
                              APIs
                              • DeleteObject.GDI32(00000000), ref: 01062D1B
                              • GetDC.USER32(00000000), ref: 01062D23
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01062D2E
                              • ReleaseDC.USER32(00000000,00000000), ref: 01062D3A
                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01062D76
                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01062D87
                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01065A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01062DC2
                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01062DE1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                              • String ID:
                              • API String ID: 3864802216-0
                              • Opcode ID: 58973c690e37be8eaba8b4d869e18e1f96a5d222a962799a103443942544d8e7
                              • Instruction ID: 045e96b28ae87bbd34d8627fc2a8f10d220145d33d6dbcba0da19db67519903a
                              • Opcode Fuzzy Hash: 58973c690e37be8eaba8b4d869e18e1f96a5d222a962799a103443942544d8e7
                              • Instruction Fuzzy Hash: FA318B72201214BBFB218F548C8AFEB3FADEF09715F044055FE889A291C6BA9840C7A4
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _memcmp
                              • String ID:
                              • API String ID: 2931989736-0
                              • Opcode ID: a301a688d76f2037b4d60cdc687cc3421fae333726dfb61ff0c819696e7e5c6c
                              • Instruction ID: fe6f2512886ca7cc0a4abe80bbe5e296e1759b29bd300b355bf0cddc5cf51c4a
                              • Opcode Fuzzy Hash: a301a688d76f2037b4d60cdc687cc3421fae333726dfb61ff0c819696e7e5c6c
                              • Instruction Fuzzy Hash: 1B21F9B174420AB7E2155926BE92FFE339DBFA4294F040014FE859F561F724ED10D1E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID: NULL Pointer assignment$Not an Object type
                              • API String ID: 0-572801152
                              • Opcode ID: 5ce8b8e1ecfc17ea69612dc08a8b5feb04b70aaaf6d76054b569de1b207777f3
                              • Instruction ID: 8c2adcff9855073ed26317a6315ff6b900c54d909c4b88ce66d4d18e782113e0
                              • Opcode Fuzzy Hash: 5ce8b8e1ecfc17ea69612dc08a8b5feb04b70aaaf6d76054b569de1b207777f3
                              • Instruction Fuzzy Hash: 15D1A275A0020A9FDF90CF98CC80AAEBBF5BF48354F148469ED95AB281E771D945CB50
                              APIs
                              • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,010117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 010115CE
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01011651
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,010117FB,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 010116E4
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 010116FB
                                • Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,010117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01011777
                              • __freea.LIBCMT ref: 010117A2
                              • __freea.LIBCMT ref: 010117AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                              • String ID:
                              • API String ID: 2829977744-0
                              • Opcode ID: 7707fe4eeab04668799703d158c5c3ebae37751c5823b9ee323c4ab061d23d1a
                              • Instruction ID: e7fdcba3b2615d9e30818f9b71ea2be4599d568b9f1cba52e1ba6a314bce97da
                              • Opcode Fuzzy Hash: 7707fe4eeab04668799703d158c5c3ebae37751c5823b9ee323c4ab061d23d1a
                              • Instruction Fuzzy Hash: 6A91CC71E042169FEB298E78C841AEE7BF5AF09710F1C4599EB81E7288D73DD940C7A0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Variant$ClearInit
                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                              • API String ID: 2610073882-625585964
                              • Opcode ID: be2cd469b4b6c3627f7bfbbf76053744b52a868f9908813b687134fe36403c95
                              • Instruction ID: 89c1fed37558b0c52e7f854895ce081f7e4af0a7c86d280fe371321246e3fa21
                              • Opcode Fuzzy Hash: be2cd469b4b6c3627f7bfbbf76053744b52a868f9908813b687134fe36403c95
                              • Instruction Fuzzy Hash: B7915D71A00219EBDF64CFA5C884FEFBBB8EF45714F008559E945EB281E7709985CBA0
                              APIs
                              • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0104125C
                              • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01041284
                              • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 010412A8
                              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010412D8
                              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0104135F
                              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010413C4
                              • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01041430
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ArraySafe$Data$Access$UnaccessVartype
                              • String ID:
                              • API String ID: 2550207440-0
                              • Opcode ID: 949c37bd76516d39b248061f6db02db519fcb20f836f50daa5347dc5b379a650
                              • Instruction ID: 69e08e32beeb3ac7854d5b409c17d5e9f1a90399f4e235503337a3ffd8522481
                              • Opcode Fuzzy Hash: 949c37bd76516d39b248061f6db02db519fcb20f836f50daa5347dc5b379a650
                              • Instruction Fuzzy Hash: BB91A1B5A00209AFEB11DF98C8C4BBE77B5FF45315F144079E680EB291DB79A981CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ObjectSelect$BeginCreatePath
                              • String ID:
                              • API String ID: 3225163088-0
                              • Opcode ID: b42b90b3e78f2d888db7c36582d0caf3c8039fef3b6af53c0054a15c334768e1
                              • Instruction ID: 811b37544c199333d590c4ab2563f325d86e7c220103c41c736b336682199125
                              • Opcode Fuzzy Hash: b42b90b3e78f2d888db7c36582d0caf3c8039fef3b6af53c0054a15c334768e1
                              • Instruction Fuzzy Hash: 52916871D04219EFDB10CFAACC84AEEBBB8FF49320F148449E555B7251D3B8AA41DB60
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 0105396B
                              • CharUpperBuffW.USER32(?,?), ref: 01053A7A
                              • _wcslen.LIBCMT ref: 01053A8A
                              • VariantClear.OLEAUT32(?), ref: 01053C1F
                                • Part of subcall function 01040CDF: VariantInit.OLEAUT32(00000000), ref: 01040D1F
                                • Part of subcall function 01040CDF: VariantCopy.OLEAUT32(?,?), ref: 01040D28
                                • Part of subcall function 01040CDF: VariantClear.OLEAUT32(?), ref: 01040D34
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                              • API String ID: 4137639002-1221869570
                              • Opcode ID: 482fcd16192fa722126449b339c02e4309f70af060b84fbc3069d24eae908820
                              • Instruction ID: c6795db04b5f77a381133ffc3403ce27d3a29ede6da26cf33a1d5dd1e5c231fd
                              • Opcode Fuzzy Hash: 482fcd16192fa722126449b339c02e4309f70af060b84fbc3069d24eae908820
                              • Instruction Fuzzy Hash: E5915775A083059FCB40DF28C88096ABBE5BF88354F04896EF9899B351DB35ED45CB92
                              APIs
                                • Part of subcall function 0103000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?,?,0103035E), ref: 0103002B
                                • Part of subcall function 0103000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030046
                                • Part of subcall function 0103000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030054
                                • Part of subcall function 0103000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?), ref: 01030064
                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01054C51
                              • _wcslen.LIBCMT ref: 01054D59
                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01054DCF
                              • CoTaskMemFree.OLE32(?), ref: 01054DDA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                              • String ID: NULL Pointer assignment
                              • API String ID: 614568839-2785691316
                              • Opcode ID: bde510c4b02b68f38242f0a54d021c507ed9eeded5cc2d98757ca16cd1043d9c
                              • Instruction ID: 9800d67f19fda851104d9cb3db59c05eb471f059b2c1ae28cce22a8ba8247cb0
                              • Opcode Fuzzy Hash: bde510c4b02b68f38242f0a54d021c507ed9eeded5cc2d98757ca16cd1043d9c
                              • Instruction Fuzzy Hash: 77914771D0021DAFDF20DFA4DC90AEEBBB9BF48310F10816AE955A7251EB749A44DF60
                              APIs
                              • GetMenu.USER32(?), ref: 01062183
                              • GetMenuItemCount.USER32(00000000), ref: 010621B5
                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010621DD
                              • _wcslen.LIBCMT ref: 01062213
                              • GetMenuItemID.USER32(?,?), ref: 0106224D
                              • GetSubMenu.USER32(?,?), ref: 0106225B
                                • Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
                                • Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
                                • Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65
                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010622E3
                                • Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                              • String ID:
                              • API String ID: 4196846111-0
                              • Opcode ID: f8c5781028256c42031d165329495eb36982709c5bf9537f115c239464c8dc03
                              • Instruction ID: 1bacc85326933825c6ed706574697fdb211d4470e83537e660c48c8a70184506
                              • Opcode Fuzzy Hash: f8c5781028256c42031d165329495eb36982709c5bf9537f115c239464c8dc03
                              • Instruction Fuzzy Hash: 65717075E00206EFCB10DF68C845AAEBBF9EF88310F148499E996EB351D735E9418B90
                              APIs
                              • GetParent.USER32(?), ref: 0103AEF9
                              • GetKeyboardState.USER32(?), ref: 0103AF0E
                              • SetKeyboardState.USER32(?), ref: 0103AF6F
                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 0103AF9D
                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0103AFBC
                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 0103AFFD
                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0103B020
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessagePost$KeyboardState$Parent
                              • String ID:
                              • API String ID: 87235514-0
                              • Opcode ID: cf5bf3758e9a5a4bcb43ce60a46702a6a8a81425b0c7367a4ee94df527f5348a
                              • Instruction ID: dcdda6f7b8d5dd6210e18cc905720b2ff74d97c2e9c4dc556c3f0da4a5511b48
                              • Opcode Fuzzy Hash: cf5bf3758e9a5a4bcb43ce60a46702a6a8a81425b0c7367a4ee94df527f5348a
                              • Instruction Fuzzy Hash: 8951E3A06047D57DFB764238C845BBABEED5B86308F0885C9F2D9964D2C3D9A8C4D760
                              APIs
                              • GetParent.USER32(00000000), ref: 0103AD19
                              • GetKeyboardState.USER32(?), ref: 0103AD2E
                              • SetKeyboardState.USER32(?), ref: 0103AD8F
                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0103ADBB
                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0103ADD8
                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0103AE17
                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0103AE38
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessagePost$KeyboardState$Parent
                              • String ID:
                              • API String ID: 87235514-0
                              • Opcode ID: 255f225906d6ab0f09de3dd24de045f067bedda0c890e9a3470957a80f589702
                              • Instruction ID: 527a20a00bd03e8878412d67805cb697a3a877bf4b6827a311a0279fb4720fc8
                              • Opcode Fuzzy Hash: 255f225906d6ab0f09de3dd24de045f067bedda0c890e9a3470957a80f589702
                              • Instruction Fuzzy Hash: E451E7A17047D57EFB379238CC59BBA7EDC5B86304F0885C8E1D6874C2D294E884D760
                              APIs
                              • GetConsoleCP.KERNEL32(01013CD6,?,?,?,?,?,?,?,?,01005BA3,?,?,01013CD6,?,?), ref: 01005470
                              • __fassign.LIBCMT ref: 010054EB
                              • __fassign.LIBCMT ref: 01005506
                              • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,01013CD6,00000005,00000000,00000000), ref: 0100552C
                              • WriteFile.KERNEL32(?,01013CD6,00000000,01005BA3,00000000,?,?,?,?,?,?,?,?,?,01005BA3,?), ref: 0100554B
                              • WriteFile.KERNEL32(?,?,00000001,01005BA3,00000000,?,?,?,?,?,?,?,?,?,01005BA3,?), ref: 01005584
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                              • String ID:
                              • API String ID: 1324828854-0
                              • Opcode ID: b8b5f39179328974c68b370caee3b259fce603fb6ad279ee87e42dadb21aaa67
                              • Instruction ID: fad42c17f26f2de9184f950cc57bf5853d17be7232e586263fee1967f89829d6
                              • Opcode Fuzzy Hash: b8b5f39179328974c68b370caee3b259fce603fb6ad279ee87e42dadb21aaa67
                              • Instruction Fuzzy Hash: 6451BF70A002499FEB22CFA8DC55AEEBBF9EF09301F14415AF995E7291D6319A41CF60
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 00FF2D4B
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00FF2D53
                              • _ValidateLocalCookies.LIBCMT ref: 00FF2DE1
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00FF2E0C
                              • _ValidateLocalCookies.LIBCMT ref: 00FF2E61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: f7bd6224d96904da030aadefab687ddf5dcda9ae10034af94941dfcf4f3fcf99
                              • Instruction ID: 569ab40d31e24c7b9c3318080b1d97128085cae5f8a2f9048d7c8a1095877188
                              • Opcode Fuzzy Hash: f7bd6224d96904da030aadefab687ddf5dcda9ae10034af94941dfcf4f3fcf99
                              • Instruction Fuzzy Hash: D041B335E0020DABCF10DF68CC95ABEBBB5BF45324F148155EA14AB362D7399A05DB90
                              APIs
                                • Part of subcall function 0105304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
                                • Part of subcall function 0105304E: _wcslen.LIBCMT ref: 0105309B
                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01051112
                              • WSAGetLastError.WSOCK32 ref: 01051121
                              • WSAGetLastError.WSOCK32 ref: 010511C9
                              • closesocket.WSOCK32(00000000), ref: 010511F9
                              Similarity
                              • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                              • String ID:
                              • API String ID: 2675159561-0
                              • Opcode ID: 411542f2f83e35a9e5a7ddb458f99071b3a99d5b089bd39ab6b739c7827533c6
                              • Instruction ID: 5fea2a7d6d14d5c539a584ddd55500b57e396f4fc6805ccc21446e9a50d18906
                              • Opcode Fuzzy Hash: 411542f2f83e35a9e5a7ddb458f99071b3a99d5b089bd39ab6b739c7827533c6
                              • Instruction Fuzzy Hash: 03412B31600204AFEB609F28C844BAEBBE9FF45364F048099FC959B295C779ED41CBE5
                              APIs
                                • Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0103CF22,?), ref: 0103DDFD
                                • Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0103CF22,?), ref: 0103DE16
                              • lstrcmpiW.KERNEL32(?,?), ref: 0103CF45
                              • MoveFileW.KERNEL32(?,?), ref: 0103CF7F
                              • _wcslen.LIBCMT ref: 0103D005
                              • _wcslen.LIBCMT ref: 0103D01B
                              • SHFileOperationW.SHELL32(?), ref: 0103D061
                              Strings
                              Similarity
                              • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                              • String ID: \*.*
                              • API String ID: 3164238972-1173974218
                              • Opcode ID: 8e44ea0315bece9f24bc4e345bc45ebdd13d103dd408e6ba2c102f6f2bddf1d5
                              • Instruction ID: c46a69caed7f51650b2f80320c10e0511cd6f057aa9aa5a569cc2b371a3dcd2a
                              • Opcode Fuzzy Hash: 8e44ea0315bece9f24bc4e345bc45ebdd13d103dd408e6ba2c102f6f2bddf1d5
                              • Instruction Fuzzy Hash: 774155719052195FEF52EBA4DA81ADEB7FCAF58380F0000E6E689EB141EB35A744CF50
                              APIs
                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01062E1C
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 01062E4F
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 01062E84
                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01062EB6
                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 01062EE0
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 01062EF1
                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01062F0B
                              Similarity
                              • API ID: LongWindow$MessageSend
                              • String ID:
                              • API String ID: 2178440468-0
                              • Opcode ID: 66c3990766660ded6639d2566ccc3282cde3b4ecf59a489a48a07bacbf70ea5a
                              • Instruction ID: 6c21fb142d4c51ca54f652e7aa93b939937cd6b8b8fa6433dea680f642455f71
                              • Opcode Fuzzy Hash: 66c3990766660ded6639d2566ccc3282cde3b4ecf59a489a48a07bacbf70ea5a
                              • Instruction Fuzzy Hash: 57312430644241AFEB21CF5CDD84FA537E8FB9A710F1501A5FA908F2A6CB76A840CB01
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037769
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0103778F
                              • SysAllocString.OLEAUT32(00000000), ref: 01037792
                              • SysAllocString.OLEAUT32(?), ref: 010377B0
                              • SysFreeString.OLEAUT32(?), ref: 010377B9
                              • StringFromGUID2.OLE32(?,?,00000028), ref: 010377DE
                              • SysAllocString.OLEAUT32(?), ref: 010377EC
                              Similarity
                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                              • String ID:
                              • API String ID: 3761583154-0
                              • Opcode ID: 3bac0058a9c95fedd3ca646c3c67391cdf96626238d759488b56bb6926a82cd9
                              • Instruction ID: fd97319947ae23b3632598ee0d9cc216ec98d91217a4c3d1fed49129191456c0
                              • Opcode Fuzzy Hash: 3bac0058a9c95fedd3ca646c3c67391cdf96626238d759488b56bb6926a82cd9
                              • Instruction Fuzzy Hash: CB21B0B6604219AFEB11DEADCC88CBB77ECFB492647008066FA84DB251DA74DC41C760
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037842
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037868
                              • SysAllocString.OLEAUT32(00000000), ref: 0103786B
                              • SysAllocString.OLEAUT32 ref: 0103788C
                              • SysFreeString.OLEAUT32 ref: 01037895
                              • StringFromGUID2.OLE32(?,?,00000028), ref: 010378AF
                              • SysAllocString.OLEAUT32(?), ref: 010378BD
                              Similarity
                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                              • String ID:
                              • API String ID: 3761583154-0
                              • Opcode ID: 511f7d2470877dbfb6c5f9b749d9b5a016a50f318152fe344a718ccaa68ee9e2
                              • Instruction ID: ae540356ce52488a77f3e5e18288388e7c4b10473fa9a1eedb0b2bf597bb381e
                              • Opcode Fuzzy Hash: 511f7d2470877dbfb6c5f9b749d9b5a016a50f318152fe344a718ccaa68ee9e2
                              • Instruction Fuzzy Hash: 5C21C171600204AFEB209FADCC88DAA77ECEB493607008025F994CB2A5DA74DC41CB74
                              APIs
                              • GetStdHandle.KERNEL32(000000F6), ref: 010405C6
                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01040601
                              Strings
                              Similarity
                              • API ID: CreateHandlePipe
                              • String ID: nul
                              • API String ID: 1424370930-2873401336
                              • Opcode ID: ef4b12637e06ce83b6b084f7124312954b881a18fffddc972ef6e0d50ced975d
                              • Instruction ID: 5629ebd9f968070f5f2e4bac6c63070a570510135bdc593f4756577f3f44d98c
                              • Opcode Fuzzy Hash: ef4b12637e06ce83b6b084f7124312954b881a18fffddc972ef6e0d50ced975d
                              • Instruction Fuzzy Hash: 2121A6B55003059BEB209F6DC884ADA7BE4AF89724F304A69FEE2F72D8D7719540CB50
                              APIs
                              • GetStdHandle.KERNEL32(0000000C), ref: 010404F2
                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0104052E
                              Strings
                              Similarity
                              • API ID: CreateHandlePipe
                              • String ID: nul
                              • API String ID: 1424370930-2873401336
                              • Opcode ID: 38482ca61c329aa4e2e6dd96a007a00bb4e832336d839d5d4c0931a3eb4116d7
                              • Instruction ID: 83678e57a6ddbc2e328ecf78d4c0ad81e1b4fd4a7a237ef8ec0ae845722d4255
                              • Opcode Fuzzy Hash: 38482ca61c329aa4e2e6dd96a007a00bb4e832336d839d5d4c0931a3eb4116d7
                              • Instruction Fuzzy Hash: 362171F1500305EBEB209F29D884ADB7BE4EF45724F104A69FAE1E71E8D7719540CB60
                              APIs
                                • Part of subcall function 00FD600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
                                • Part of subcall function 00FD600E: GetStockObject.GDI32(00000011), ref: 00FD6060
                                • Part of subcall function 00FD600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A
                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01064112
                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0106411F
                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0106412A
                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01064139
                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01064145
                              Strings
                              Similarity
                              • API ID: MessageSend$CreateObjectStockWindow
                              • String ID: Msctls_Progress32
                              • API String ID: 1025951953-3636473452
                              • Opcode ID: 9a91ac2beabc28fa7d2c859cf71c9d82dc3e29ebc422f3c6db6d44c4dff798c9
                              • Instruction ID: bdfef38d8b799715c2954b65a0b2d36d129f15237c00b003779cc64aef258c7f
                              • Opcode Fuzzy Hash: 9a91ac2beabc28fa7d2c859cf71c9d82dc3e29ebc422f3c6db6d44c4dff798c9
                              • Instruction Fuzzy Hash: FE1182B215021ABEFF219E64CC85EEB7F9DEF08798F014111FA58E6150C6769C21DBA4
                              APIs
                                • Part of subcall function 0100D7A3: _free.LIBCMT ref: 0100D7CC
                              • _free.LIBCMT ref: 0100D82D
                                • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                                • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                              • _free.LIBCMT ref: 0100D838
                              • _free.LIBCMT ref: 0100D843
                              • _free.LIBCMT ref: 0100D897
                              • _free.LIBCMT ref: 0100D8A2
                              • _free.LIBCMT ref: 0100D8AD
                              • _free.LIBCMT ref: 0100D8B8
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                              • Instruction ID: 3aac571e8af34bbd681cc50084bb9e42a53d80b87334a38304f0e981b84b7aa9
                              • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                              • Instruction Fuzzy Hash: 6B113771940B45AAFA23BFF4CC49FCB7BDCBF60700F400825A2DDA60D0EA65B5058762
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0103DA74
                              • LoadStringW.USER32(00000000), ref: 0103DA7B
                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0103DA91
                              • LoadStringW.USER32(00000000), ref: 0103DA98
                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0103DADC
                              Strings
                              • %s (%d) : ==> %s: %s %s, xrefs: 0103DAB9
                              Similarity
                              • API ID: HandleLoadModuleString$Message
                              • String ID: %s (%d) : ==> %s: %s %s
                              • API String ID: 4072794657-3128320259
                              • Opcode ID: 4f69e2289048aee5f8d6ddf4c5f69f9c349e19f5920e47cfc2b3776aa9d67908
                              • Instruction ID: a5ea3365a5f75a751a209cc0b3122f74cd054001c93f04fe16f3851707d37cea
                              • Opcode Fuzzy Hash: 4f69e2289048aee5f8d6ddf4c5f69f9c349e19f5920e47cfc2b3776aa9d67908
                              • Instruction Fuzzy Hash: D70162F2500208BFF7109BE49E89EEB376CE708301F400496F7C6E6045EA799E844B74
                              APIs
                              • InterlockedExchange.KERNEL32(018233E8,018233E8), ref: 0104097B
                              • EnterCriticalSection.KERNEL32(018233C8,00000000), ref: 0104098D
                              • TerminateThread.KERNEL32(ABABABAB,000001F6), ref: 0104099B
                              • WaitForSingleObject.KERNEL32(ABABABAB,000003E8), ref: 010409A9
                              • CloseHandle.KERNEL32(ABABABAB), ref: 010409B8
                              • InterlockedExchange.KERNEL32(018233E8,000001F6), ref: 010409C8
                              • LeaveCriticalSection.KERNEL32(018233C8), ref: 010409CF
                              Similarity
                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                              • String ID:
                              • API String ID: 3495660284-0
                              • Opcode ID: 124301a2afd15fccd5d589ee976a6a5d34fd9a63013c37bda1b6ae31525924c0
                              • Instruction ID: 2a4db53aa06f65736638d93bfa1513b93368d33f20ae90b57cc5301fbd0b7500
                              • Opcode Fuzzy Hash: 124301a2afd15fccd5d589ee976a6a5d34fd9a63013c37bda1b6ae31525924c0
                              • Instruction Fuzzy Hash: B5F01D31442512BBF7615BA4EF88AD67A25BF01702F401025F281608A8C77A9465CFA0
                              APIs
                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01051DC0
                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01051DE1
                              • WSAGetLastError.WSOCK32 ref: 01051DF2
                              • htons.WSOCK32(?,?,?,?,?), ref: 01051EDB
                              • inet_ntoa.WSOCK32(?), ref: 01051E8C
                                • Part of subcall function 010339E8: _strlen.LIBCMT ref: 010339F2
                                • Part of subcall function 01053224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0104EC0C), ref: 01053240
                              • _strlen.LIBCMT ref: 01051F35
                              Similarity
                              • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                              • String ID:
                              • API String ID: 3203458085-0
                              • Opcode ID: 61305abd034fa3a08e305cbe9829ba24eab16bc3397e0b160180842925534122
                              • Instruction ID: 699f4ccb9ae05673ee3347926c479e938a91a487773d86b785a92d8dcbd292d2
                              • Opcode Fuzzy Hash: 61305abd034fa3a08e305cbe9829ba24eab16bc3397e0b160180842925534122
                              • Instruction Fuzzy Hash: 4BB1BF30204340AFD764DF24C885F2A7BE5AF94318F58858DF9965B2A2CB75ED42CB91
                              APIs
                              • GetClientRect.USER32(?,?), ref: 00FD5D30
                              • GetWindowRect.USER32(?,?), ref: 00FD5D71
                              • ScreenToClient.USER32(?,?), ref: 00FD5D99
                              • GetClientRect.USER32(?,?), ref: 00FD5ED7
                              • GetWindowRect.USER32(?,?), ref: 00FD5EF8
                              Similarity
                              • API ID: Rect$Client$Window$Screen
                              • String ID:
                              • API String ID: 1296646539-0
                              • Opcode ID: 559c7a901b9e0ce8affa4ec4413b613e11a721d66a85adcffa9f0cc74d1f372b
                              • Instruction ID: 26534d3c09c098c40f9639da2ffd7122bdc13ac9a71eb4bef64bd41c76424ac5
                              • Opcode Fuzzy Hash: 559c7a901b9e0ce8affa4ec4413b613e11a721d66a85adcffa9f0cc74d1f372b
                              • Instruction Fuzzy Hash: 91B18C35A0074ADBDB14DFA8C4807EEB7F2FF48310F18851AE8A9D7254DB34AA51DB54
                              APIs
                              • __allrem.LIBCMT ref: 010000BA
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010000D6
                              • __allrem.LIBCMT ref: 010000ED
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100010B
                              • __allrem.LIBCMT ref: 01000122
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01000140
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                              • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 1992179935-0
                              • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                              • Instruction ID: 1c8448dce8cc15a174d1d1ffe8294a1e8b22dd9f4545ed7bf929efcdd96bbd19
                              • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                              • Instruction Fuzzy Hash: 70811676A00B069BF7269E78CC40BAB73E9AF51764F24463EF691D72D0E774D9008B90
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FF82D9,00FF82D9,?,?,?,0100644F,00000001,00000001,8BE85006), ref: 01006258
                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0100644F,00000001,00000001,8BE85006,?,?,?), ref: 010062DE
                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 010063D8
                              • __freea.LIBCMT ref: 010063E5
                                • Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852
                              • __freea.LIBCMT ref: 010063EE
                              • __freea.LIBCMT ref: 01006413
                              Similarity
                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                              • String ID:
                              • API String ID: 1414292761-0
                              • Opcode ID: 7034a82da91fcac003f688c616e2d4ef6f98624b6124d1c98923a4d114a2e252
                              • Instruction ID: 3a167b4512316bd94e8d1b5198120e3360e9c942e8fa05175ecf796e2b43383e
                              • Opcode Fuzzy Hash: 7034a82da91fcac003f688c616e2d4ef6f98624b6124d1c98923a4d114a2e252
                              • Instruction Fuzzy Hash: DD51E872600216AFFB274E64CC81EAF7BEAEF44650F158269FD45DA1C0DB36DC50C6A0
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                                • Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
                                • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
                                • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
                                • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105BCCA
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105BD25
                              • RegCloseKey.ADVAPI32(00000000), ref: 0105BD6A
                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0105BD99
                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0105BDF3
                              • RegCloseKey.ADVAPI32(?), ref: 0105BDFF
                              Similarity
                              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                              • String ID:
                              • API String ID: 1120388591-0
                              • Opcode ID: 8f8dd05272e33a08eeb3be0c7e0f82147542987caf90f3a9bd306086b31b4513
                              • Instruction ID: 5069ca4d37dda5d075f4a7ee905dfac34f16be41df8998abe0669ea1489bd471
                              • Opcode Fuzzy Hash: 8f8dd05272e33a08eeb3be0c7e0f82147542987caf90f3a9bd306086b31b4513
                              • Instruction Fuzzy Hash: 5581B330208241AFD754EF24C895E2BBBE6FF84308F18459DF5954B2A2DB35ED05DB92
                              APIs
                              • VariantInit.OLEAUT32(00000035), ref: 0102F7B9
                              • SysAllocString.OLEAUT32(00000001), ref: 0102F860
                              • VariantCopy.OLEAUT32(0102FA64,00000000), ref: 0102F889
                              • VariantClear.OLEAUT32(0102FA64), ref: 0102F8AD
                              • VariantCopy.OLEAUT32(0102FA64,00000000), ref: 0102F8B1
                              • VariantClear.OLEAUT32(?), ref: 0102F8BB
                              Similarity
                              • API ID: Variant$ClearCopy$AllocInitString
                              • String ID:
                              • API String ID: 3859894641-0
                              • Opcode ID: 063b8aa6cb9741d57956e31117dd4e3a12747581d8e99c263ee0d83582816d24
                              • Instruction ID: a4d9d89b52ec5642ae68895a76ff8ab95ee46fc4f47528a40885e237d80ba23b
                              • Opcode Fuzzy Hash: 063b8aa6cb9741d57956e31117dd4e3a12747581d8e99c263ee0d83582816d24
                              • Instruction Fuzzy Hash: 7851E331600322BADF20AF65D884B6DB3F9EF45350F24845BE986DF295DBB49C40CB96
                              APIs
                                • Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625
                                • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                              • GetOpenFileNameW.COMDLG32(00000058), ref: 010494E5
                              • _wcslen.LIBCMT ref: 01049506
                              • _wcslen.LIBCMT ref: 0104952D
                              • GetSaveFileNameW.COMDLG32(00000058), ref: 01049585
                              Strings
                              Similarity
                              • API ID: _wcslen$FileName$OpenSave
                              • String ID: X
                              • API String ID: 83654149-3081909835
                              • Opcode ID: 79fa4bdbb21f17ef03d3bd5e292d9fb7902ba7c5ef795fe383c3402bafa7efb7
                              • Instruction ID: 42465ca81f31589b0cf966817e7466fd51700674d7dce6c092d2df69ae5c90e9
                              • Opcode Fuzzy Hash: 79fa4bdbb21f17ef03d3bd5e292d9fb7902ba7c5ef795fe383c3402bafa7efb7
                              • Instruction Fuzzy Hash: 59E180716083418FD724DF24C881A6AB7E5BF89314F18857DF9899B3A2DB35ED04CB92
                              APIs
                                • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                              • BeginPaint.USER32(?,?,?), ref: 00FE9241
                              • GetWindowRect.USER32(?,?), ref: 00FE92A5
                              • ScreenToClient.USER32(?,?), ref: 00FE92C2
                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FE92D3
                              • EndPaint.USER32(?,?,?,?,?), ref: 00FE9321
                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 010271EA
                                • Part of subcall function 00FE9339: BeginPath.GDI32(00000000), ref: 00FE9357
                              Similarity
                              • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                              • String ID:
                              • API String ID: 3050599898-0
                              • Opcode ID: a86b0d2afc63f70f74122dcebd6a45e2fcaa2463dd5c3e273236913751886bbd
                              • Instruction ID: 8bdb5b02df2c3b221a83173b7b870337f9abee4d4af85e26a70d13e67f4b1e3c
                              • Opcode Fuzzy Hash: a86b0d2afc63f70f74122dcebd6a45e2fcaa2463dd5c3e273236913751886bbd
                              • Instruction Fuzzy Hash: 2941B031108340AFD721DF29C884FAA7BE9EF59320F140269FAE4871E1C7769845EB62
                              APIs
                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 0104080C
                              • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01040847
                              • EnterCriticalSection.KERNEL32(?), ref: 01040863
                              • LeaveCriticalSection.KERNEL32(?), ref: 010408DC
                              • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 010408F3
                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 01040921
                              Similarity
                              • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                              • String ID:
                              • API String ID: 3368777196-0
                              • Opcode ID: aecd4233059185c72a74bec2046912988e0ab621ffb228a38a7909b23da2db83
                              • Instruction ID: 7ebaed5da5dffe4992cf38ba1de04780f5fa6b661751ada75dad63d6d51428ef
                              • Opcode Fuzzy Hash: aecd4233059185c72a74bec2046912988e0ab621ffb228a38a7909b23da2db83
                              • Instruction Fuzzy Hash: FA418B71900205EBEF159F54DC81AAA77B9FF04300F1080B9EE40AA29ADB35EE54DBA0
                              APIs
                              • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0102F3AB,00000000,?,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0106824C
                              • EnableWindow.USER32(00000000,00000000), ref: 01068272
                              • ShowWindow.USER32(FFFFFFFF,00000000), ref: 010682D1
                              • ShowWindow.USER32(00000000,00000004), ref: 010682E5
                              • EnableWindow.USER32(00000000,00000001), ref: 0106830B
                              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0106832F
                              Similarity
                              • API ID: Window$Show$Enable$MessageSend
                              • String ID:
                              • API String ID: 642888154-0
                              • Opcode ID: 939b55ca83048ae0befaa9515c43db00b4441fe11bdd575178f162aa8b62ffb7
                              • Instruction ID: 54e64c139bba0a142953740dc92a6add78b4eed3eb48e958ab5c07680367ec67
                              • Opcode Fuzzy Hash: 939b55ca83048ae0befaa9515c43db00b4441fe11bdd575178f162aa8b62ffb7
                              • Instruction Fuzzy Hash: 6441B634601745AFEB62CF19C989BE47FE4FB0A714F1881EAE6D84F262C336A441CB50
                              APIs
                              • GetForegroundWindow.USER32(?,?,00000000), ref: 010522E8
                                • Part of subcall function 0104E4EC: GetWindowRect.USER32(?,?), ref: 0104E504
                              • GetDesktopWindow.USER32 ref: 01052312
                              • GetWindowRect.USER32(00000000), ref: 01052319
                              • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01052355
                              • GetCursorPos.USER32(?), ref: 01052381
                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010523DF
                              Similarity
                              • API ID: Window$Rectmouse_event$CursorDesktopForeground
                              • String ID:
                              • API String ID: 2387181109-0
                              • Opcode ID: 542bb78cffd5feabcf9aada93cdfc9aff8896332d0c6ee7281101e72126dc520
                              • Instruction ID: fb712ea66b6ff7a061fb2e3469481fd9ea4cc56bafbdea92a209e2d1a8353333
                              • Opcode Fuzzy Hash: 542bb78cffd5feabcf9aada93cdfc9aff8896332d0c6ee7281101e72126dc520
                              • Instruction Fuzzy Hash: 6E31C072504305AFD760DF58C848B9BBBE9FF88314F004A1AF9C597191DB35EA08CB92
                              APIs
                              • IsWindowVisible.USER32(?), ref: 01034C95
                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01034CB2
                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01034CEA
                              • _wcslen.LIBCMT ref: 01034D08
                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 01034D10
                              • _wcsstr.LIBVCRUNTIME ref: 01034D1A
                              Similarity
                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                              • String ID:
                              • API String ID: 72514467-0
                              • Opcode ID: 6e79e358f92749ac8c8ab19a3137028637a3705c0fdb468d0f773a44924fcab5
                              • Instruction ID: fc479a51ffd4a766ff670bf78b32f8ef197dc03479a174e6cf9ebbb90817b806
                              • Opcode Fuzzy Hash: 6e79e358f92749ac8c8ab19a3137028637a3705c0fdb468d0f773a44924fcab5
                              • Instruction Fuzzy Hash: F52129316042047BFB656B3AAC49E7F7BDCDF89750F008069F845CE192DAB5DC0097A0
                              APIs
                                • Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2
                              • _wcslen.LIBCMT ref: 0104587B
                              • CoInitialize.OLE32(00000000), ref: 01045995
                              • CoCreateInstance.OLE32(0106FCF8,00000000,00000001,0106FB68,?), ref: 010459AE
                              • CoUninitialize.OLE32 ref: 010459CC
                              Strings
                              Similarity
                              • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                              • String ID: .lnk
                              • API String ID: 3172280962-24824748
                              • Opcode ID: ff8d6d51fd2cdf5023cbf429a1e52b7a3de96c9b9dd12fde445c47ae2991367d
                              • Instruction ID: ddfc788cf2ff8b5001fb792ebe2b5688c90250e6728dfbb9a3bab24246383dcf
                              • Opcode Fuzzy Hash: ff8d6d51fd2cdf5023cbf429a1e52b7a3de96c9b9dd12fde445c47ae2991367d
                              • Instruction Fuzzy Hash: 48D156B56083019FC714DF19C880A2ABBE6FF89710F1449ADF9899B361DB35EC45CB92
                              APIs
                                • Part of subcall function 01030FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01030FCA
                                • Part of subcall function 01030FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01030FD6
                                • Part of subcall function 01030FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01030FE5
                                • Part of subcall function 01030FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01030FEC
                                • Part of subcall function 01030FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01031002
                              • GetLengthSid.ADVAPI32(?,00000000,01031335), ref: 010317AE
                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 010317BA
                              • HeapAlloc.KERNEL32(00000000), ref: 010317C1
                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 010317DA
                              • GetProcessHeap.KERNEL32(00000000,00000000,01031335), ref: 010317EE
                              • HeapFree.KERNEL32(00000000), ref: 010317F5
                              Similarity
                              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                              • String ID:
                              • API String ID: 3008561057-0
                              • Opcode ID: 80b8eae80b52a6c8674bd4fd3173df2fa50cc5790254e11ccd723589797f8b2e
                              • Instruction ID: 558bc568c3ddf808af11b61e11b2dedbb70d8004c63ab96f5a7dcd02251b1634
                              • Opcode Fuzzy Hash: 80b8eae80b52a6c8674bd4fd3173df2fa50cc5790254e11ccd723589797f8b2e
                              • Instruction Fuzzy Hash: 6111AC31500205EFEB219FA8CD48BAE7BFDFB8A255F184098F5C197210C73AA944CB60
                              APIs
                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010314FF
                              • OpenProcessToken.ADVAPI32(00000000), ref: 01031506
                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01031515
                              • CloseHandle.KERNEL32(00000004), ref: 01031520
                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0103154F
                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 01031563
                              Similarity
                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                              • String ID:
                              • API String ID: 1413079979-0
                              • Opcode ID: 13d023494e00224705a1685ab9a680c78ef5c1f76226a1bcfafeb414c2a6b1a1
                              • Instruction ID: f3e68c806847c65b5716ce16324900978a80f54c7a13ffb0cfa153ca8e73e3e3
                              • Opcode Fuzzy Hash: 13d023494e00224705a1685ab9a680c78ef5c1f76226a1bcfafeb414c2a6b1a1
                              • Instruction Fuzzy Hash: 71112972500249EBEF218F98DE49BDE7BADFF49744F044055FA85A20A0C37A8E61DB60
                              APIs
                              • GetLastError.KERNEL32(?,?,00FF3379,00FF2FE5), ref: 00FF3390
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FF339E
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FF33B7
                              • SetLastError.KERNEL32(00000000,?,00FF3379,00FF2FE5), ref: 00FF3409
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              APIs
                              • GetLastError.KERNEL32(?,?,01005686,01013CD6,?,00000000,?,01005B6A,?,?,?,?,?,00FFE6D1,?,01098A48), ref: 01002D78
                              • _free.LIBCMT ref: 01002DAB
                              • _free.LIBCMT ref: 01002DD3
                              • SetLastError.KERNEL32(00000000,?,?,?,?,00FFE6D1,?,01098A48,00000010,00FD4F4A,?,?,00000000,01013CD6), ref: 01002DE0
                              • SetLastError.KERNEL32(00000000,?,?,?,?,00FFE6D1,?,01098A48,00000010,00FD4F4A,?,?,00000000,01013CD6), ref: 01002DEC
                              • _abort.LIBCMT ref: 01002DF2
                              Similarity
                              • API ID: ErrorLast$_free$_abort
                              • String ID:
                              • API String ID: 3160817290-0
                              APIs
                                • Part of subcall function 00FE9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
                                • Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96A2
                                • Part of subcall function 00FE9639: BeginPath.GDI32(?), ref: 00FE96B9
                                • Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96E2
                              • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01068A4E
                              • LineTo.GDI32(?,00000003,00000000), ref: 01068A62
                              • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01068A70
                              • LineTo.GDI32(?,00000000,00000003), ref: 01068A80
                              • EndPath.GDI32(?), ref: 01068A90
                              • StrokePath.GDI32(?), ref: 01068AA0
                              Similarity
                              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                              • String ID:
                              • API String ID: 43455801-0
                              APIs
                              • GetDC.USER32(00000000), ref: 01035218
                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 01035229
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01035230
                              • ReleaseDC.USER32(00000000,00000000), ref: 01035238
                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0103524F
                              • MulDiv.KERNEL32(000009EC,00000001,?), ref: 01035261
                              Similarity
                              • API ID: CapsDevice$Release
                              • String ID:
                              • API String ID: 1035833867-0
                              APIs
                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD1BF4
                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD1BFC
                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD1C07
                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD1C12
                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD1C1A
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD1C22
                              Similarity
                              • API ID: Virtual
                              • String ID:
                              • API String ID: 4278518827-0
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0103EB30
                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0103EB46
                              • GetWindowThreadProcessId.USER32(?,?), ref: 0103EB55
                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB64
                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB6E
                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB75
                              Similarity
                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                              • String ID:
                              • API String ID: 839392675-0
                              APIs
                              • GetClientRect.USER32(?), ref: 01027452
                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 01027469
                              • GetWindowDC.USER32(?), ref: 01027475
                              • GetPixel.GDI32(00000000,?,?), ref: 01027484
                              • ReleaseDC.USER32(?,00000000), ref: 01027496
                              • GetSysColor.USER32(00000005), ref: 010274B0
                              Similarity
                              • API ID: ClientColorMessagePixelRectReleaseSendWindow
                              • String ID:
                              • API String ID: 272304278-0
                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0103187F
                              • UnloadUserProfile.USERENV(?,?), ref: 0103188B
                              • CloseHandle.KERNEL32(?), ref: 01031894
                              • CloseHandle.KERNEL32(?), ref: 0103189C
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 010318A5
                              • HeapFree.KERNEL32(00000000), ref: 010318AC
                              Similarity
                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                              • String ID:
                              • API String ID: 146765662-0
                              APIs
                                • Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625
                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0103C6EE
                              • _wcslen.LIBCMT ref: 0103C735
                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0103C79C
                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0103C7CA
                              Similarity
                              • API ID: ItemMenu$Info_wcslen$Default
                              • String ID: 0
                              • API String ID: 1227352736-4108050209
                              APIs
                              • ShellExecuteExW.SHELL32(0000003C), ref: 0105AEA3
                                • Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625
                              • GetProcessId.KERNEL32(00000000), ref: 0105AF38
                              • CloseHandle.KERNEL32(00000000), ref: 0105AF67
                              Similarity
                              • API ID: CloseExecuteHandleProcessShell_wcslen
                              • String ID: <$@
                              • API String ID: 146682121-1426351568
                              APIs
                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 01037206
                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0103723C
                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0103724D
                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 010372CF
                              Similarity
                              • API ID: ErrorMode$AddressCreateInstanceProc
                              • String ID: DllGetClassObject
                              • API String ID: 753597075-1075368562
                              APIs
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01063E35
                              • IsMenu.USER32(?), ref: 01063E4A
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01063E92
                              • DrawMenuBar.USER32 ref: 01063EA5
                              Similarity
                              • API ID: Menu$Item$DrawInfoInsert
                              • String ID: 0
                              • API String ID: 3076010158-4108050209
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                                • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01031E66
                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01031E79
                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 01031EA9
                                • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                              Similarity
                              • API ID: MessageSend$_wcslen$ClassName
                              • String ID: ComboBox$ListBox
                              • API String ID: 2081771294-1403004172
                              APIs
                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01062F8D
                              • LoadLibraryW.KERNEL32(?), ref: 01062F94
                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01062FA9
                              • DestroyWindow.USER32(?), ref: 01062FB1
                              Similarity
                              • API ID: MessageSend$DestroyLibraryLoadWindow
                              • String ID: SysAnimate32
                              • API String ID: 3529120543-1011021900
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FF4D1E,010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002), ref: 00FF4D8D
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FF4DA0
                              • FreeLibrary.KERNEL32(00000000,?,?,?,00FF4D1E,010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000), ref: 00FF4DC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: 2c62f88320cfa4c10b01eab3be737b0852af885945167f3701a1160a33231e64
                              • Instruction ID: 7bf1decf2e549fd073ddcfb205bc04de0baba1e36d803bb84dc5b745f9cea217
                              • Opcode Fuzzy Hash: 2c62f88320cfa4c10b01eab3be737b0852af885945167f3701a1160a33231e64
                              • Instruction Fuzzy Hash: F0F0C830E0020CBBEB209F90DD09BAEBFF4EF45711F000158F985A6164CB355D40DB94
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E9C
                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4EAE
                              • FreeLibrary.KERNEL32(00000000,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EC0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Library$AddressFreeLoadProc
                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                              • API String ID: 145871493-3689287502
                              • Opcode ID: 58235318a35e780c2fb5a1a0a2b77acc3fe906fad59e549684a80c4a5544d5b6
                              • Instruction ID: fbd3e5047251314a05c1c33b72b1f11549ed6ee7c7b2f5ff0f680a4cbcf9b672
                              • Opcode Fuzzy Hash: 58235318a35e780c2fb5a1a0a2b77acc3fe906fad59e549684a80c4a5544d5b6
                              • Instruction Fuzzy Hash: 0BE0CD35E02522ABE33117266C28B5F7759AF82F72B0D0116FCC0DA304DF74DC0155A0
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E62
                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FD4E74
                              • FreeLibrary.KERNEL32(00000000,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E87
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Library$AddressFreeLoadProc
                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                              • API String ID: 145871493-1355242751
                              • Opcode ID: 44b545beee00601f552fbe9b637f90a762820b47af23a8b774eb5d18455e1040
                              • Instruction ID: 5448a2a5a9c3e822e3d3c8c11a49ccad93ceeb870f0af9682ae0c3d7ce521bc9
                              • Opcode Fuzzy Hash: 44b545beee00601f552fbe9b637f90a762820b47af23a8b774eb5d18455e1040
                              • Instruction Fuzzy Hash: FED0C231902661A76A321B25A828E8B2B19AFC6B613090216F8C0AA218CF35CD01A6D0
                              APIs
                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042C05
                              • DeleteFileW.KERNEL32(?), ref: 01042C87
                              • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01042C9D
                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042CAE
                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042CC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: File$Delete$Copy
                              • String ID:
                              • API String ID: 3226157194-0
                              • Opcode ID: 916f3a8b643bbfd8de1e1e0d2b0a65af1e6367ac72457b6b7848ae4ec2561de7
                              • Instruction ID: a63eff196d25636b92cb02e95866bdccbf3afe0d9e3892897900dc3ac2b9c6c1
                              • Opcode Fuzzy Hash: 916f3a8b643bbfd8de1e1e0d2b0a65af1e6367ac72457b6b7848ae4ec2561de7
                              • Instruction Fuzzy Hash: BCB160B1E0011DABDF21DBA4DC85EEE7BBDEF48340F0440A6F649E6151EA359A448FA1
                              APIs
                              • GetCurrentProcessId.KERNEL32 ref: 0105A427
                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0105A435
                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0105A468
                              • CloseHandle.KERNEL32(?), ref: 0105A63D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Process$CloseCountersCurrentHandleOpen
                              • String ID:
                              • API String ID: 3488606520-0
                              • Opcode ID: 538f66a4db0701fa79b028644c33bb30ede134eb9545b0c5ec0e126890b30e6f
                              • Instruction ID: b07e5a67c9646086e45879c47f812576e28d86f81faf07df9fd0ab9af71ef79d
                              • Opcode Fuzzy Hash: 538f66a4db0701fa79b028644c33bb30ede134eb9545b0c5ec0e126890b30e6f
                              • Instruction Fuzzy Hash: 89A191716043019FE760DF18C882F2AB7E5AF88714F04895DF99A9B392DBB4E841CB91
                              APIs
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01073700), ref: 0100BB91
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,010A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0100BC09
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,010A1270,000000FF,?,0000003F,00000000,?), ref: 0100BC36
                              • _free.LIBCMT ref: 0100BB7F
                                • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                                • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                              • _free.LIBCMT ref: 0100BD4B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                              • String ID:
                              • API String ID: 1286116820-0
                              • Opcode ID: f48a155f5f5f70fcd13636121916e7b643ae72528f53b0fb9ef29cff33f1262e
                              • Instruction ID: 8336422d0ddb8159a0171bd3b0574cd37f6b9a4303033de0892067537f7e5af9
                              • Opcode Fuzzy Hash: f48a155f5f5f70fcd13636121916e7b643ae72528f53b0fb9ef29cff33f1262e
                              • Instruction Fuzzy Hash: 7A510875900609AFFB22EF69DC809AEBBF8FF41350F5042AAE5D4D71D4EB349A408B50
                              APIs
                                • Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0103CF22,?), ref: 0103DDFD
                                • Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0103CF22,?), ref: 0103DE16
                                • Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A
                              • lstrcmpiW.KERNEL32(?,?), ref: 0103E473
                              • MoveFileW.KERNEL32(?,?), ref: 0103E4AC
                              • _wcslen.LIBCMT ref: 0103E5EB
                              • _wcslen.LIBCMT ref: 0103E603
                              • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0103E650
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                              • String ID:
                              • API String ID: 3183298772-0
                              • Opcode ID: 0b7a21c2aebde0ff61d378a242a7155150480cef422cda8e238128ab60b72367
                              • Instruction ID: 734798e4fdda73d3fbddd8580ad3013dfeb4549eaf63b14e87716a0fae79396f
                              • Opcode Fuzzy Hash: 0b7a21c2aebde0ff61d378a242a7155150480cef422cda8e238128ab60b72367
                              • Instruction Fuzzy Hash: 2B5161B25083459BD764EBA4DC809DF77ECAFC5340F004A1EE6C9D3191EF79A2888766
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                                • Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
                                • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
                                • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
                                • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105BAA5
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105BB00
                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0105BB63
                              • RegCloseKey.ADVAPI32(?,?), ref: 0105BBA6
                              • RegCloseKey.ADVAPI32(00000000), ref: 0105BBB3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                              • String ID:
                              • API String ID: 826366716-0
                              • Opcode ID: 0c251a19b6f073db8e7c489c957c299102897fcc264902ce7da57528b443854b
                              • Instruction ID: 2c7789d2877febb2b37a10ec357acbf85d3468c7b4ff3b889342a623c3845c04
                              • Opcode Fuzzy Hash: 0c251a19b6f073db8e7c489c957c299102897fcc264902ce7da57528b443854b
                              • Instruction Fuzzy Hash: 9961C331208201AFE354DF14C890E2BBBE6FF84308F58859DF5954B2A2DB75ED45CB92
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 01038BCD
                              • VariantClear.OLEAUT32 ref: 01038C3E
                              • VariantClear.OLEAUT32 ref: 01038C9D
                              • VariantClear.OLEAUT32(?), ref: 01038D10
                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01038D3B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Variant$Clear$ChangeInitType
                              • String ID:
                              • API String ID: 4136290138-0
                              • Opcode ID: e1b22e08fb92f588f9b90397cda81371e2b35571bf3deb543f69e7e65a5b3ffb
                              • Instruction ID: 4c57303cfe24c74984ec4fa25bc0be828649206c2646bc0da0f0b6e4ad1cf8ff
                              • Opcode Fuzzy Hash: e1b22e08fb92f588f9b90397cda81371e2b35571bf3deb543f69e7e65a5b3ffb
                              • Instruction Fuzzy Hash: F8516BB5A00219EFDB10DF58C884AAABBF8FF89310F05859AF945DB314E734E911CB90
                              APIs
                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 01048BAE
                              • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 01048BDA
                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 01048C32
                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01048C57
                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01048C5F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: PrivateProfile$SectionWrite$String
                              • String ID:
                              • API String ID: 2832842796-0
                              • Opcode ID: 15350bf44eb24517847f2ed58401d6d1a814691992fdb91029af2ce13a47cd9a
                              • Instruction ID: c8f0c411d548b07e0ec7e810e1bc14cd7761169dc931db02e2f078c06f97984f
                              • Opcode Fuzzy Hash: 15350bf44eb24517847f2ed58401d6d1a814691992fdb91029af2ce13a47cd9a
                              • Instruction Fuzzy Hash: 67515A75A002199FDB11DF65C880A69BBF2FF48314F08C49AE849AB362DB35ED41DB91
                              APIs
                              • LoadLibraryW.KERNEL32(?,00000000,?), ref: 01058F40
                              • GetProcAddress.KERNEL32(00000000,?), ref: 01058FD0
                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 01058FEC
                              • GetProcAddress.KERNEL32(00000000,?), ref: 01059032
                              • FreeLibrary.KERNEL32(00000000), ref: 01059052
                                • Part of subcall function 00FEF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01041043,?,7529E610), ref: 00FEF6E6
                                • Part of subcall function 00FEF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0102FA64,00000000,00000000,?,?,01041043,?,7529E610,?,0102FA64), ref: 00FEF70D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                              • String ID:
                              • API String ID: 666041331-0
                              • Opcode ID: 006a6ddb9b90422f757029e19c07842499f6dc6f25e18d173252a58096663199
                              • Instruction ID: b5de8c52d298e78950c7533813619ae4f4b036d333cd655b5a8a097a5afa9b33
                              • Opcode Fuzzy Hash: 006a6ddb9b90422f757029e19c07842499f6dc6f25e18d173252a58096663199
                              • Instruction Fuzzy Hash: BC515835604205DFCB51DF58C4848AEBBF1FF49314B0880AAED8A9B362D735ED85CB90
                              APIs
                              • SetWindowLongW.USER32(00000002,000000F0,?), ref: 01066C33
                              • SetWindowLongW.USER32(?,000000EC,?), ref: 01066C4A
                              • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01066C73
                              • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0104AB79,00000000,00000000), ref: 01066C98
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01066CC7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$Long$MessageSendShow
                              • String ID:
                              • API String ID: 3688381893-0
                              • Opcode ID: 542a870305ee342cd1523bd96198f2c0d9a108e796d3ecb78b231cfe0fcf1a9f
                              • Instruction ID: 297945541406eb1d9b8c0c9336b291421e96551d07a8f683797847ac26b209f9
                              • Opcode Fuzzy Hash: 542a870305ee342cd1523bd96198f2c0d9a108e796d3ecb78b231cfe0fcf1a9f
                              • Instruction Fuzzy Hash: DE41A135A00508AFE7248F68CD54FB97FA9EB09360F040268F995A72A8C373AD41CA40
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 1e45fc54524e069795e3ea98093056e57f1de15eef4a843bfb3176361f6e72c1
                              • Instruction ID: 977769e55b4fcda74f8fb1f81418ef3334d7d610fd291760e32db43c311c15e4
                              • Opcode Fuzzy Hash: 1e45fc54524e069795e3ea98093056e57f1de15eef4a843bfb3176361f6e72c1
                              • Instruction Fuzzy Hash: CF41E636E003009FEB22DF78C984A9DB7F5EF89314F1545A9E655EB392D731A901CB80
                              APIs
                              • GetCursorPos.USER32(?), ref: 00FE9141
                              • ScreenToClient.USER32(00000000,?), ref: 00FE915E
                              • GetAsyncKeyState.USER32(00000001), ref: 00FE9183
                              • GetAsyncKeyState.USER32(00000002), ref: 00FE919D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: AsyncState$ClientCursorScreen
                              • String ID:
                              • API String ID: 4210589936-0
                              • Opcode ID: f819e60e82f22fbdcbd2487ce1b9c8e88c190bef9ef55e0b3ea1d30bbabaa4c3
                              • Instruction ID: 4b09042db855353f80010a18128468604ddd131e02f661bdb6f4a66b662dcfb5
                              • Opcode Fuzzy Hash: f819e60e82f22fbdcbd2487ce1b9c8e88c190bef9ef55e0b3ea1d30bbabaa4c3
                              • Instruction Fuzzy Hash: 61416031A0861BFBDF199F69C844BEEB775FF15320F208219E469A32D0C7785990DBA1
                              APIs
                              • GetInputState.USER32 ref: 010438CB
                              • TranslateAcceleratorW.USER32(?,00000000,?), ref: 01043922
                              • TranslateMessage.USER32(?), ref: 0104394B
                              • DispatchMessageW.USER32(?), ref: 01043955
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01043966
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                              • String ID:
                              • API String ID: 2256411358-0
                              • Opcode ID: 888d7f74545d857c12481113f13d346a25e8c607f50d8dbe74baaf76bebdd4e6
                              • Instruction ID: 50026ed6e76feb0e6ac4f3c98300041d68214ca2da7c2bbd459e4d264e4f1783
                              • Opcode Fuzzy Hash: 888d7f74545d857c12481113f13d346a25e8c607f50d8dbe74baaf76bebdd4e6
                              • Instruction Fuzzy Hash: F331E6B4504762AFFB75CA389488BB77BE8BB05300F4455BDD5E28A0D5E3799884CB11
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 01031915
                              • PostMessageW.USER32(00000001,00000201,00000001), ref: 010319C1
                              • Sleep.KERNEL32(00000000,?,?,?), ref: 010319C9
                              • PostMessageW.USER32(00000001,00000202,00000000), ref: 010319DA
                              • Sleep.KERNEL32(00000000,?,?,?,?), ref: 010319E2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessagePostSleep$RectWindow
                              • String ID:
                              • API String ID: 3382505437-0
                              • Opcode ID: 2da094b66b7529d3e17f383ed92c0cce0dc507bdf288207b791bea9a38c75be1
                              • Instruction ID: 586d8f63ccd00c18ea3e1ae239fba4669c8d736993972d404d8771e024513a34
                              • Opcode Fuzzy Hash: 2da094b66b7529d3e17f383ed92c0cce0dc507bdf288207b791bea9a38c75be1
                              • Instruction Fuzzy Hash: 4D31E871900219EFDB14CFACC948ADE3BB9EF49315F004266F9A1EB2D1C7709954CB90
                              APIs
                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 01065745
                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 0106579D
                              • _wcslen.LIBCMT ref: 010657AF
                              • _wcslen.LIBCMT ref: 010657BA
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 01065816
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageSend$_wcslen
                              • String ID:
                              • API String ID: 763830540-0
                              • Opcode ID: 8b2e3cbb47457046c2e15deadf41e0fd7f4d8315f1410ccc6db3180d40a3f2a9
                              • Instruction ID: 48940cf8ea3dd93b027f87c82e3451cbd862fd3c1d00b1a6aa55d4d42cf55d30
                              • Opcode Fuzzy Hash: 8b2e3cbb47457046c2e15deadf41e0fd7f4d8315f1410ccc6db3180d40a3f2a9
                              • Instruction Fuzzy Hash: 0D21BA71A042199AEB209FA4DC84AEE7BFCFF04764F008256FAA9EB1C4D7749585CF50
                              APIs
                              • IsWindow.USER32(00000000), ref: 01050951
                              • GetForegroundWindow.USER32 ref: 01050968
                              • GetDC.USER32(00000000), ref: 010509A4
                              • GetPixel.GDI32(00000000,?,00000003), ref: 010509B0
                              • ReleaseDC.USER32(00000000,00000003), ref: 010509E8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$ForegroundPixelRelease
                              • String ID:
                              • API String ID: 4156661090-0
                              • Opcode ID: 5b9bdb98241f737b3928272859d60acef390b240281799c3b8ec2b36932e469e
                              • Instruction ID: dee5c30b4fea109f0f163cab72dab253f6c2b3da04daa90d83926fc73f31b42b
                              • Opcode Fuzzy Hash: 5b9bdb98241f737b3928272859d60acef390b240281799c3b8ec2b36932e469e
                              • Instruction Fuzzy Hash: 9D218E75600204AFE714EF69D984AAEBBF9FF48700F048069F88AD7365CB75AC44CB90
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 0100CDC6
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0100CDE9
                                • Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0100CE0F
                              • _free.LIBCMT ref: 0100CE22
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0100CE31
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                              • String ID:
                              • API String ID: 336800556-0
                              • Opcode ID: fa0dad06d6fb9904e4bc58e47c1a74f5e3a26a060ceee5e15cb53d4545a048cf
                              • Instruction ID: 9b26ea651d6ecffda6efffc896ed09603969240d2a2bfdbedee87329864dc7d0
                              • Opcode Fuzzy Hash: fa0dad06d6fb9904e4bc58e47c1a74f5e3a26a060ceee5e15cb53d4545a048cf
                              • Instruction Fuzzy Hash: 7601FC726022557F333325BA6D4CC7F7DADDEC7AA171502A9FE85C7180DE658D0182B0
                              APIs
                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
                              • SelectObject.GDI32(?,00000000), ref: 00FE96A2
                              • BeginPath.GDI32(?), ref: 00FE96B9
                              • SelectObject.GDI32(?,00000000), ref: 00FE96E2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ObjectSelect$BeginCreatePath
                              • String ID:
                              • API String ID: 3225163088-0
                              • Opcode ID: 6449a88d6aa7971d877341de57a42d19a0cdcce17b0e7616e51a42b6b7b3ce9a
                              • Instruction ID: 3cb7aab17aac138e4febea51121248ff51262fbcc70ccf4de354d4f88e8d8d8e
                              • Opcode Fuzzy Hash: 6449a88d6aa7971d877341de57a42d19a0cdcce17b0e7616e51a42b6b7b3ce9a
                              • Instruction Fuzzy Hash: BF21D431816785EFEB318F25E9047A93BB8BB01365F500217F490A60E8D3BA5981DFA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _memcmp
                              • String ID:
                              • API String ID: 2931989736-0
                              • Opcode ID: 700888df3ca88fd43caabe50e4194da40914e6160a2fa88767e2cb8247da6ae1
                              • Instruction ID: 1f55727aa7a49a756ec05942646f03bbc37c01a22281b8f0c2b2969112db74fd
                              • Opcode Fuzzy Hash: 700888df3ca88fd43caabe50e4194da40914e6160a2fa88767e2cb8247da6ae1
                              • Instruction Fuzzy Hash: 5E01D86564520AFBE20A5515BE92FBF739DBFA13A4F414024FE449F212F764ED10D2E0
                              APIs
                              • GetLastError.KERNEL32(?,?,?,00FFF2DE,01003863,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6), ref: 01002DFD
                              • _free.LIBCMT ref: 01002E32
                              • _free.LIBCMT ref: 01002E59
                              • SetLastError.KERNEL32(00000000,00FD1129), ref: 01002E66
                              • SetLastError.KERNEL32(00000000,00FD1129), ref: 01002E6F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ErrorLast$_free
                              • String ID:
                              • API String ID: 3170660625-0
                              • Opcode ID: 821785e7971844f27dbfad37acb3d82535ff195f824ced18146e3cb141b3e86e
                              • Instruction ID: d8c94fdba565fcfb894b054e932c0d5332863ed287822ff04d6ddb54aae6a3ee
                              • Opcode Fuzzy Hash: 821785e7971844f27dbfad37acb3d82535ff195f824ced18146e3cb141b3e86e
                              • Instruction Fuzzy Hash: 6F01F9765886416BF62376396D4CD6F159DABE13A1F650028F5D5921D5EA358C014220
                              APIs
                              • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?,?,0103035E), ref: 0103002B
                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030046
                              • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030054
                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?), ref: 01030064
                              • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030070
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: From$Prog$FreeStringTasklstrcmpi
                              • String ID:
                              • API String ID: 3897988419-0
                              • Opcode ID: fadc88627824b340f4cd6f00810d7f77de3d7c9ebf5147bc3855893b1392e7e1
                              • Instruction ID: c8157c7d94ba7ade70b9beace782c4fdbaa64553fbeb554973a277b089bada1e
                              • Opcode Fuzzy Hash: fadc88627824b340f4cd6f00810d7f77de3d7c9ebf5147bc3855893b1392e7e1
                              • Instruction Fuzzy Hash: 0101A272601205BFEB205F68DD44BAABEEDEF84761F144124FAC5D2218D77ADD408BA0
                              APIs
                              • QueryPerformanceCounter.KERNEL32(?), ref: 0103E997
                              • QueryPerformanceFrequency.KERNEL32(?), ref: 0103E9A5
                              • Sleep.KERNEL32(00000000), ref: 0103E9AD
                              • QueryPerformanceCounter.KERNEL32(?), ref: 0103E9B7
                              • Sleep.KERNEL32 ref: 0103E9F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: PerformanceQuery$CounterSleep$Frequency
                              • String ID:
                              • API String ID: 2833360925-0
                              • Opcode ID: 2649a1971142726daa15472736e6375d2ff14d4090702d4144bb2f58131eeea9
                              • Instruction ID: 17059d75b81a095d235168a53b8396d8c7537929e3559de0dff8bfb5df9fce9e
                              • Opcode Fuzzy Hash: 2649a1971142726daa15472736e6375d2ff14d4090702d4144bb2f58131eeea9
                              • Instruction Fuzzy Hash: 4E016931C01629DBDF50AFE4D948AEDBB7CFF49301F000656E9C2B2244CB399552CBA1
                              APIs
                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
                              • GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
                              • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
                              • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                              • String ID:
                              • API String ID: 842720411-0
                              • Opcode ID: d59fb4f22d3370e8b558bc8f9535d97276ec335f5c0a64a661fd5fedc2426ddd
                              • Instruction ID: 278874d13ed5a6f6a079012510b1ca99c1e505e5da88586600f2ddd894d8a244
                              • Opcode Fuzzy Hash: d59fb4f22d3370e8b558bc8f9535d97276ec335f5c0a64a661fd5fedc2426ddd
                              • Instruction Fuzzy Hash: ED011D75200205BFEB214F69DD49AAA3FAEEFCA260B104455F9C5D7354DA36DD009B60
                              APIs
                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01030FCA
                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01030FD6
                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01030FE5
                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01030FEC
                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01031002
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: HeapInformationToken$AllocErrorLastProcess
                              • String ID:
                              • API String ID: 44706859-0
                              • Opcode ID: ad41875d348bba799d1805ece5dd293cc6c63057faeaa079ce7da1cd811b51ae
                              • Instruction ID: 396d908ff5f4fc8ae7937ae9eb16e772be6cc4d84830bd91f7b0d4b7929d4d85
                              • Opcode Fuzzy Hash: ad41875d348bba799d1805ece5dd293cc6c63057faeaa079ce7da1cd811b51ae
                              • Instruction Fuzzy Hash: CDF04935200341BBEB214FA99D49F563BADEF8A662F104454FAC9DA251CA76D8108B60
                              APIs
                               • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 0103102A
                               • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 01031036
                               • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 01031045
                               • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 0103104C
                               • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 01031062
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: HeapInformationToken$AllocErrorLastProcess
                              • String ID:
                              • API String ID: 44706859-0
                              • Opcode ID: 1b9077efb2227d94faec400e19aa2d38db1c38fe1b0c5158f741234218a60f77
                              • Instruction ID: 9e6b4fa086793339a1ba018988787ec70aeb03f84117966cf0471f93be304469
                              • Opcode Fuzzy Hash: 1b9077efb2227d94faec400e19aa2d38db1c38fe1b0c5158f741234218a60f77
                              • Instruction Fuzzy Hash: E0F06D35200341FBEB225FA9ED59F563FADEF8A661F100414FAC5DB250CA76D9108B60
                              APIs
                              • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040324
                              • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040331
                              • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 0104033E
                              • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 0104034B
                              • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040358
                              • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040365
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 92a05e3d824efbee831f4b83a2dffa55ec32cc566087c35a8f4439b1a301a66a
                              • Instruction ID: 056dc06c431a820420c97f204e677766cc4a433bfb92e0e2334386b5c1737e78
                              • Opcode Fuzzy Hash: 92a05e3d824efbee831f4b83a2dffa55ec32cc566087c35a8f4439b1a301a66a
                              • Instruction Fuzzy Hash: EC0190B2800B159FD7309F6AD8D0453FBF9BE502163158A7EE2D662931C371A954CF80
                              APIs
                              • _free.LIBCMT ref: 0100D752
                                • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                                • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                              • _free.LIBCMT ref: 0100D764
                              • _free.LIBCMT ref: 0100D776
                              • _free.LIBCMT ref: 0100D788
                              • _free.LIBCMT ref: 0100D79A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: e4e797feb68d2a5a947278c2a7d3400bd06e1a0de5e0e74b9dcef24506fc61e8
                              • Instruction ID: bc40eab9865ff904bad744165a532fb7aecea3dcdf80ed7554014acf9dd628fb
                              • Opcode Fuzzy Hash: e4e797feb68d2a5a947278c2a7d3400bd06e1a0de5e0e74b9dcef24506fc61e8
                              • Instruction Fuzzy Hash: B9F068325442456BB663EBDCF6C8C5A7BDDBB44250BA40849F1CCD7584D735F8404770
                              APIs
                              • GetDlgItem.USER32(?,000003E9), ref: 01035C58
                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 01035C6F
                              • MessageBeep.USER32(00000000), ref: 01035C87
                              • KillTimer.USER32(?,0000040A), ref: 01035CA3
                              • EndDialog.USER32(?,00000001), ref: 01035CBD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                              • String ID:
                              • API String ID: 3741023627-0
                              • Opcode ID: cd2b9ce00b65c590cd1b25de5e6c4b9747363dacffa5d781dc046b413bee533f
                              • Instruction ID: cea320f515a5e58c4dacb680960b0b296b436d7f3e9edcbc5e36584ef83e5503
                              • Opcode Fuzzy Hash: cd2b9ce00b65c590cd1b25de5e6c4b9747363dacffa5d781dc046b413bee533f
                              • Instruction Fuzzy Hash: D50144305107089EFB315B14DE4EF957BB8BB44705F04065AF6C2A14F1D7F9A9448B54
                              APIs
                              • _free.LIBCMT ref: 010022BE
                                • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                                • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                              • _free.LIBCMT ref: 010022D0
                              • _free.LIBCMT ref: 010022E3
                              • _free.LIBCMT ref: 010022F4
                              • _free.LIBCMT ref: 01002305
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: eaecfb4712228a110cea549f4bbbca6d4b353e6c830d9259533ae77adeb87880
                              • Instruction ID: 9fdfb9676263031bb9c3bdd0dc48228cade4e1e919ad1e26cb5b6954796559e1
                              • Opcode Fuzzy Hash: eaecfb4712228a110cea549f4bbbca6d4b353e6c830d9259533ae77adeb87880
                              • Instruction Fuzzy Hash: 3EF054B48109159BA623BF54F40488D3FA8F7287A0B900506F4D0D72ECC73B4421AFE4
                              APIs
                              • EndPath.GDI32(?), ref: 00FE95D4
                              • StrokeAndFillPath.GDI32(?,?,010271F7,00000000,?,?,?), ref: 00FE95F0
                              • SelectObject.GDI32(?,00000000), ref: 00FE9603
                              • DeleteObject.GDI32 ref: 00FE9616
                              • StrokePath.GDI32(?), ref: 00FE9631
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Path$ObjectStroke$DeleteFillSelect
                              • String ID:
                              • API String ID: 2625713937-0
                              • Opcode ID: 5f479076ceb87555f4fa9b6fc8965bdc9a20f946edb592ab379e56b4d717c092
                              • Instruction ID: e1755e48c7337cab9367514b5f2128e4a0103f7321d2a09d4b97c6ae42db286e
                              • Opcode Fuzzy Hash: 5f479076ceb87555f4fa9b6fc8965bdc9a20f946edb592ab379e56b4d717c092
                              • Instruction Fuzzy Hash: 00F04F31409B44EBEB365F66EA0C7643FA1BB41372F448215F4E5550F8CB7A8995EF20
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: __freea$_free
                              • String ID: a/p$am/pm
                              • API String ID: 3432400110-3206640213
                              • Opcode ID: 6f541605b23087880b22fab27844b9a76a78accd74b6d1681ec0924a98bfa1aa
                              • Instruction ID: f44125d8433acb120f5964c768cf7d8983704f86b1268c186b3e493bfcdfb97c
                              • Opcode Fuzzy Hash: 6f541605b23087880b22fab27844b9a76a78accd74b6d1681ec0924a98bfa1aa
                              • Instruction Fuzzy Hash: 67D1BE71A042069AFB6B8F6CC855BFEBBF1EF05300F188199E6819B6D1D275D980CB91
                              APIs
                                • Part of subcall function 00FF0242: EnterCriticalSection.KERNEL32(010A070C,010A1884,?,?,00FE198B,010A2518,?,?,?,00FD12F9,00000000), ref: 00FF024D
                                • Part of subcall function 00FF0242: LeaveCriticalSection.KERNEL32(010A070C,?,00FE198B,010A2518,?,?,?,00FD12F9,00000000), ref: 00FF028A
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                                • Part of subcall function 00FF00A3: __onexit.LIBCMT ref: 00FF00A9
                              • __Init_thread_footer.LIBCMT ref: 01057BFB
                                • Part of subcall function 00FF01F8: EnterCriticalSection.KERNEL32(010A070C,?,?,00FE8747,010A2514), ref: 00FF0202
                                • Part of subcall function 00FF01F8: LeaveCriticalSection.KERNEL32(010A070C,?,00FE8747,010A2514), ref: 00FF0235
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                              • String ID: 5$G$Variable must be of type 'Object'.
                              • API String ID: 535116098-3733170431
                              • Opcode ID: 09595a634ac4ad30c1621f91dfb181e0195784d8fa8ef90337f9caf35c286647
                              • Instruction ID: d365023e0c32f3ef8ef446abaa21135ebb2f2a24c61fe3e69b26095c28346ec3
                              • Opcode Fuzzy Hash: 09595a634ac4ad30c1621f91dfb181e0195784d8fa8ef90337f9caf35c286647
                              • Instruction Fuzzy Hash: 46917F71600209EFCB55EF58C890DAEBBB5FF44304F848099FD865B251DB71AE41EB61
                              APIs
                                • Part of subcall function 0103B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010321D0,?,?,00000034,00000800,?,00000034), ref: 0103B42D
                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01032760
                                • Part of subcall function 0103B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0103B3F8
                                • Part of subcall function 0103B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0103B355
                                • Part of subcall function 0103B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01032194,00000034,?,?,00001004,00000000,00000000), ref: 0103B365
                                • Part of subcall function 0103B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01032194,00000034,?,?,00001004,00000000,00000000), ref: 0103B37B
                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010327CD
                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0103281A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                              • String ID: @
                              • API String ID: 4150878124-2766056989
                              • Opcode ID: 920bd8b56dcc2f17cd12a1665db2255b62c7906a83fb97004d79f7c411e09982
                              • Instruction ID: f2b6dfaed21bc8351415eafdbf9339b28d2fed532b667d4e23cf18be922c04d0
                              • Opcode Fuzzy Hash: 920bd8b56dcc2f17cd12a1665db2255b62c7906a83fb97004d79f7c411e09982
                              • Instruction Fuzzy Hash: 5F416D72901219BFDB10DFA8CD41AEEBBB8FF59700F108095FA95B7180DA706E45CBA0
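The record above is the one behind the "Writes to foreign memory regions" signature: OpenProcess with access mask 0x438, VirtualAllocEx in the target, WriteProcessMemory, a SendMessageW, then ReadProcessMemory. The helper below is an added triage example, not Joe Sandbox or AutoIt code: it parses API lines in the report's `Name.Module(args), ref: addr` format, decodes the OpenProcess rights and the VirtualAllocEx protection from documented winnt.h values, names the tree-view and list-view messages (commctrl.h: TV_FIRST 0x1100, LVM_FIRST 0x1000) passed to SendMessageW, and flags the OpenProcess, VirtualAllocEx, WriteProcessMemory chain. The `struct_marshalling` verdict is the editor's heuristic for separating a control-data buffer from code injection; it is an assumption, not a sandbox rule. The sample lines are the record's own API lines, embedded as constructed input.

```python
"""Decode the cross-process API chain in a Joe Sandbox function record.

Added example (not Joe Sandbox or AutoIt code).  Constants are the
documented winnt.h / commctrl.h values; the marshalling heuristic is an
editor's assumption.
"""
import json
import re
from typing import Optional

# PROCESS_* access rights (winnt.h).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# VirtualAllocEx flProtect values (enumerated, not bit flags).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Common-control messages that appear in this record.
CTRL_MESSAGES = {0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW",
                 0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"}
# Messages whose lParam must point at a struct inside the window-owning process.
STRUCT_PTR_MESSAGES = {"LVM_GETITEMTEXTW", "TVM_GETITEMRECT", "TVM_HITTEST"}

# One report API line: optional "Part of subcall function X:" prefix,
# Api.Module(args) or bare Api.Module, then ", ref: addr".
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Constructed sample input: the API lines of the record above, copied verbatim.
SAMPLE = """\
• Part of subcall function 0103B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010321D0,?,?,00000034,00000800,?,00000034), ref: 0103B42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01032760
• Part of subcall function 0103B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0103B3F8
• Part of subcall function 0103B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0103B355
• Part of subcall function 0103B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01032194,00000034,?,?,00001004,00000000,00000000), ref: 0103B365
• Part of subcall function 0103B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01032194,00000034,?,?,00001004,00000000,00000000), ref: 0103B37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010327CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0103281A
"""


def parse_arg(token: str) -> Optional[int]:
    """'?' means the sandbox could not recover the value; otherwise a hex constant."""
    token = token.strip()
    return None if token == "?" else int(token, 16)


def parse_api_lines(text: str) -> list:
    """Turn report API lines into dicts of api, module, args, ref and subcall."""
    calls = []
    for m in API_LINE.finditer(text):
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16),
                      "subcall": m.group("subcall")})
    return calls


def decode_flags(value: int, table: dict) -> list:
    """Name every set bit known in `table`; unknown leftover bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def triage(calls: list) -> dict:
    """Summarise the cross-process chain and decide what it looks like."""
    apis = {c["api"] for c in calls}
    rights, protect, messages = [], None, []
    for c in calls:
        a = c["args"]
        if c["api"] == "OpenProcess" and a and a[0] is not None:
            rights = decode_flags(a[0], PROCESS_RIGHTS)          # dwDesiredAccess
        elif c["api"] == "VirtualAllocEx" and len(a) > 4 and a[4] is not None:
            protect = PAGE_PROTECT.get(a[4], f"0x{a[4]:x}")      # flProtect
        elif c["api"] == "SendMessageW" and len(a) > 1 and a[1] is not None:
            messages.append(CTRL_MESSAGES.get(a[1], f"0x{a[1]:x}"))  # Msg
    chain = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"} <= apis
    foreign_write = chain and "PROCESS_VM_WRITE" in rights
    # Editor's heuristic: struct-pointer control messages, a non-executable buffer,
    # and a ReadProcessMemory read-back look like control-data marshalling rather
    # than code injection.  An executable protection or a remote thread would not match.
    marshalling = (foreign_write and "ReadProcessMemory" in apis
                   and protect == "PAGE_READWRITE"
                   and any(m in STRUCT_PTR_MESSAGES for m in messages))
    return {"open_process_rights": rights, "alloc_protect": protect,
            "messages": messages, "foreign_write_chain": foreign_write,
            "struct_marshalling": marshalling}


if __name__ == "__main__":
    print(json.dumps(triage(parse_api_lines(SAMPLE)), indent=2))
```

On this record the mask 0x438 decodes to PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE and PROCESS_QUERY_INFORMATION, the buffer is allocated PAGE_READWRITE, and the messages are TVM_GETITEMRECT and TVM_HITTEST, both of which take a pointer to a RECT or TVHITTESTINFO that must live in the process owning the tree view. That is why a remote buffer is written and read back here; what would change the assessment is an executable protection on the VirtualAllocEx, or a CreateRemoteThread or thread-context call after the write, neither of which appears in this record.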
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe,00000104), ref: 01001769
                              • _free.LIBCMT ref: 01001834
                              • _free.LIBCMT ref: 0100183E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _free$FileModuleName
                              • String ID: C:\Users\user\Desktop\Pago devuelto #.Documentos#9787565789678675645767856843.exe
                              • API String ID: 2506810119-4225747931
                              • Opcode ID: 6f7b62a9887708b90d786926d70ad67277e342b24f8f7c4fe729c30cc8cf8b52
                              • Instruction ID: 0ae9d72dab94fe3a2f2f71bdc65e49a1f49b113be1ae033bf2b9662af69ccc05
                              • Opcode Fuzzy Hash: 6f7b62a9887708b90d786926d70ad67277e342b24f8f7c4fe729c30cc8cf8b52
                              • Instruction Fuzzy Hash: 27318E75A00219EBEB23DF99D884D9EBBFCEF85310F5041A6E98497280D670CB40CBA0
                              APIs
                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0103C306
                              • DeleteMenu.USER32(?,00000007,00000000), ref: 0103C34C
                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010A1990,01826190), ref: 0103C395
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Menu$Delete$InfoItem
                              • String ID: 0
                              • API String ID: 135850232-4108050209
                              • Opcode ID: 5f507a9d637fa45a31fe8c60af18002d7e3ee1ccf627ecb5ef31477dcdcd8abe
                              • Instruction ID: f46e54a31937358d03f83672d91f658be7e52e062cf534991959dd7b07fce41e
                              • Opcode Fuzzy Hash: 5f507a9d637fa45a31fe8c60af18002d7e3ee1ccf627ecb5ef31477dcdcd8abe
                              • Instruction Fuzzy Hash: E141A0712043029FE720DF29D984B6ABBE8AFC5314F048A5EF9E5E72D1D770A604CB52
                              APIs
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0106CC08,00000000,?,?,?,?), ref: 010644AA
                              • GetWindowLongW.USER32 ref: 010644C7
                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 010644D7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$Long
                              • String ID: SysTreeView32
                              • API String ID: 847901565-1698111956
                              • Opcode ID: b4d832829f2de29fe8c7e9d74352ff684e9e021f8d798e25c424fce13194700e
                              • Instruction ID: e0227e0e1a33062277b9d3db5013e92a8bbb4b97d1f10fb40eef2cedd94dd10a
                              • Opcode Fuzzy Hash: b4d832829f2de29fe8c7e9d74352ff684e9e021f8d798e25c424fce13194700e
                              • Instruction Fuzzy Hash: 1431BE31210205AFEF618E38DC46BEA7BA9EB09334F204315FAB5D21E1DB75E8509B50
                              APIs
                                • Part of subcall function 0105335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01053077,?,?), ref: 01053378
                              • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
                              • _wcslen.LIBCMT ref: 0105309B
                              • htons.WSOCK32(00000000,?,?,00000000), ref: 01053106
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                              • String ID: 255.255.255.255
                              • API String ID: 946324512-2422070025
                              • Opcode ID: 3fd0965c221f272659a135bbf1a14d568d732911d2a7e2b221a2702ae5e2cdf7
                              • Instruction ID: 670689795425671ee86a26f7ef4e6ea6c42dbb4d0222804338714e3b12eff829
                              • Opcode Fuzzy Hash: 3fd0965c221f272659a135bbf1a14d568d732911d2a7e2b221a2702ae5e2cdf7
                              • Instruction Fuzzy Hash: 2831EF392002058FDBA0CF68C491AABBBF0FF04398F149099E9958F392CB72ED41C760
                              APIs
                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01064705
                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01064713
                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0106471A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageSend$DestroyWindow
                              • String ID: msctls_updown32
                              • API String ID: 4014797782-2298589950
                              • Opcode ID: c8796536ec0b657a5829c67a27c63488159c2d9a62bf1d52f2c8205277aa9f76
                              • Instruction ID: 24abfaa8ae673d35bd1d976ca60d3ca9446f96f679ff8a67d5f3fceea33b59ff
                              • Opcode Fuzzy Hash: c8796536ec0b657a5829c67a27c63488159c2d9a62bf1d52f2c8205277aa9f76
                              • Instruction Fuzzy Hash: 24215CB5600209AFEB11DF68DC81DAB37EDEB5A3A4B04005AFA80DB251CB75EC11DB60
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _wcslen
                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                              • API String ID: 176396367-2734436370
                              • Opcode ID: 479210415708058930cb8ffc213ddfd53b815288e1d771b637d7e0bd1b3fefb6
                              • Instruction ID: a4988b5e49ec4e295fb887d3105ba4d8889b9d2032ea47a7df659cf72f895b21
                              • Opcode Fuzzy Hash: 479210415708058930cb8ffc213ddfd53b815288e1d771b637d7e0bd1b3fefb6
                              • Instruction Fuzzy Hash: D3218B3220461166D331BB299C12FBB73DC9FD5308F04402AFACA9B182EBD5A981D391
                              APIs
                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01063840
                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01063850
                              • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01063876
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageSend$MoveWindow
                              • String ID: Listbox
                              • API String ID: 3315199576-2633736733
                              • Opcode ID: 5a5fae193e548752cd9bb1ade7fec3ea7e0c570d45a6c3be9b64dafcf98adcec
                              • Instruction ID: a5e646946bf0d25f81020e4ec4b6daddc4436d325b6451104e74fd84f272b0b2
                              • Opcode Fuzzy Hash: 5a5fae193e548752cd9bb1ade7fec3ea7e0c570d45a6c3be9b64dafcf98adcec
                              • Instruction Fuzzy Hash: D621B072610218BFEF228E58CC45EEB37AEFF89750F108154F9849B190C676DC5187E0
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 01044A08
                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 01044A5C
                              • SetErrorMode.KERNEL32(00000000,?,?,0106CC08), ref: 01044AD0
                              Similarity
                              • API ID: ErrorMode$InformationVolume
                              • String ID: %lu
                              • API String ID: 2507767853-685833217
                              • Opcode ID: dede2e5567e1a18df547e337bf2322128931e4af06b51d51adc5ddacf67fc810
                              • Instruction ID: d7647e2aab7394a7b3768540db087dd6eef015a17fc6f8a90e0131aa7a66cfac
                              • Opcode Fuzzy Hash: dede2e5567e1a18df547e337bf2322128931e4af06b51d51adc5ddacf67fc810
                              • Instruction Fuzzy Hash: F3318171A00109AFDB10DF54C984EAA7BF8EF04304F0440A9E945DF352DB75ED45CB61
                              APIs
                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0106424F
                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01064264
                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01064271
                              Similarity
                              • API ID: MessageSend
                              • String ID: msctls_trackbar32
                              • API String ID: 3850602802-1010561917
                              • Opcode ID: c5d2bdab15cb87f80a40e1f64f3bbf2a186a8765b090ed724876d3e626bff460
                              • Instruction ID: c0ebc7723b622d9b6ecffedb5a85fe47ab3fff8b4fef26c5764da85460f984b4
                              • Opcode Fuzzy Hash: c5d2bdab15cb87f80a40e1f64f3bbf2a186a8765b090ed724876d3e626bff460
                              • Instruction Fuzzy Hash: 44112931240209BEEF215F39CC45FAB3BECEF85B54F110114FAD5E6090D2B1D8519B10
                              APIs
                                • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                                • Part of subcall function 01032DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01032DC5
                                • Part of subcall function 01032DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01032DD6
                                • Part of subcall function 01032DA7: GetCurrentThreadId.KERNEL32 ref: 01032DDD
                                • Part of subcall function 01032DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01032DE4
                              • GetFocus.USER32 ref: 01032F78
                                • Part of subcall function 01032DEE: GetParent.USER32(00000000), ref: 01032DF9
                              • GetClassNameW.USER32(?,?,00000100), ref: 01032FC3
                              • EnumChildWindows.USER32(?,0103303B), ref: 01032FEB
                              Similarity
                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                              • String ID: %s%d
                              • API String ID: 1272988791-1110647743
                              • Opcode ID: eeb417c6fc2befc56b16996882b71c1046ad295ae1a13c2a1a8e84a527fbb622
                              • Instruction ID: ba6ddc3627777c882173f7e37bed1cef301d6c6de799cced35040d57177117fd
                              • Opcode Fuzzy Hash: eeb417c6fc2befc56b16996882b71c1046ad295ae1a13c2a1a8e84a527fbb622
                              • Instruction Fuzzy Hash: 2711D271200205ABDF117F648CD9EEE776EAFD4304F04407AF989DB252DE3599099B70
                              APIs
                              • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010658C1
                              • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010658EE
                              • DrawMenuBar.USER32(?), ref: 010658FD
                              Similarity
                              • API ID: Menu$InfoItem$Draw
                              • String ID: 0
                              • API String ID: 3227129158-4108050209
                              • Opcode ID: bbf9a0831a40d73bf8a0e85bf9e48921060b9bf61ef7d2cc92fa6822858d2ea4
                              • Instruction ID: 880278ee1b19d451e890ce4e72600ec73d8e0c393763dc5deb51a4becc53589f
                              • Opcode Fuzzy Hash: bbf9a0831a40d73bf8a0e85bf9e48921060b9bf61ef7d2cc92fa6822858d2ea4
                              • Instruction Fuzzy Hash: 33016D31500258AFEB619F15DC44BAFBBB8FF453A0F00809AE889D6151DB348A84DF31
                              APIs
                              • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0102D3BF
                              • FreeLibrary.KERNEL32 ref: 0102D3E5
                              Similarity
                              • API ID: AddressFreeLibraryProc
                              • String ID: GetSystemWow64DirectoryW$X64
                              • API String ID: 3013587201-2590602151
                              • Opcode ID: 7b522354269ca5a63d731483791225d34f53417002f7ae20156358e422da35ca
                              • Instruction ID: 1ffc2450a42a1539d69a8534b8190725d6ad991385874a46435d03a6708b3255
                              • Opcode Fuzzy Hash: 7b522354269ca5a63d731483791225d34f53417002f7ae20156358e422da35ca
                              • Instruction Fuzzy Hash: 48F02B72906631D7F7B11595CC74AAE7758AF12701F59C58AF5C1FA108DB30CE4887D1
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 22c1cb39cf56458dd449e01f1d5e2e2e9306d8dba11966d723a84a03747dfbbd
                              • Instruction ID: dbae0eaa9ae505041603fbe0ed8ecc2540fb648b72a8c525f930c830e6d3bcd5
                              • Opcode Fuzzy Hash: 22c1cb39cf56458dd449e01f1d5e2e2e9306d8dba11966d723a84a03747dfbbd
                              • Instruction Fuzzy Hash: C1C13A75A0120AAFDB14CFA8C894AAEBBB9FF88704F108598F545EB255D731ED41CB90
                              Similarity
                              • API ID: Variant$ClearInitInitializeUninitialize
                              • String ID:
                              • API String ID: 1998397398-0
                              • Opcode ID: 753eb1e8d232d6a36903519c3f0f75a759683ec7f9b5795cb4a13bbeaa3057b9
                              • Instruction ID: fc00994a931b4da2065dbdd4e8337f1cb670d6f31aef804a27b6c9073583bf0c
                              • Opcode Fuzzy Hash: 753eb1e8d232d6a36903519c3f0f75a759683ec7f9b5795cb4a13bbeaa3057b9
                              • Instruction Fuzzy Hash: 82A158756043019FC750EF28C885A2ABBE5FF88354F088859FD8A9B361DB34ED01CB92
                              APIs
                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0106FC08,?), ref: 010305F0
                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0106FC08,?), ref: 01030608
                              • CLSIDFromProgID.OLE32(?,?,00000000,0106CC40,000000FF,?,00000000,00000800,00000000,?,0106FC08,?), ref: 0103062D
                              • _memcmp.LIBVCRUNTIME ref: 0103064E
                              Similarity
                              • API ID: FromProg$FreeTask_memcmp
                              • String ID:
                              • API String ID: 314563124-0
                              • Opcode ID: d11c1d8ce0737acb61d040833a3353d3e8cf9a4ef19007004413ee41c6ddf964
                              • Instruction ID: 5720831c45b4c2350c202680ed2604148b200fcea2eb41a4266451c94d169162
                              • Opcode Fuzzy Hash: d11c1d8ce0737acb61d040833a3353d3e8cf9a4ef19007004413ee41c6ddf964
                              • Instruction Fuzzy Hash: CC812A75A00109EFCB04DF98C984EEEB7B9FF89315F204598F546AB254DB71AE06CB60
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: f92ee3700772e96a7e4857c65ebf544d06f682291b0762979df9eb61addfc15b
                              • Instruction ID: 6be404440a759cb1dc3283453eae81d04c26f74eb85083e15d57faeaf3329a9c
                              • Opcode Fuzzy Hash: f92ee3700772e96a7e4857c65ebf544d06f682291b0762979df9eb61addfc15b
                              • Instruction Fuzzy Hash: 08413731A40105ABEB2A6BFC9C44BFE3AE4EF11B70F144265F799D61E5EE3C84409672
                              APIs
                              • GetWindowRect.USER32(0182EB50,?), ref: 010662E2
                              • ScreenToClient.USER32(?,?), ref: 01066315
                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01066382
                              Similarity
                              • API ID: Window$ClientMoveRectScreen
                              • String ID:
                              • API String ID: 3880355969-0
                              • Opcode ID: 78bd10334bc338c3717cd88c91d67b2c0c07ba3b8fe0197d02035ae175a432b5
                              • Instruction ID: c22415acc0d59cad8f802b3d1f2573315e609fc22ba4bea4ab0e618e4fe37c26
                              • Opcode Fuzzy Hash: 78bd10334bc338c3717cd88c91d67b2c0c07ba3b8fe0197d02035ae175a432b5
                              • Instruction Fuzzy Hash: 34518F70A00619EFDF21DF58D8809AE7BFAFF45360F108199F9959B291D732E941CB50
                              APIs
                              • socket.WSOCK32(00000002,00000002,00000011), ref: 01051AFD
                              • WSAGetLastError.WSOCK32 ref: 01051B0B
                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01051B8A
                              • WSAGetLastError.WSOCK32 ref: 01051B94
                              Similarity
                              • API ID: ErrorLast$socket
                              • String ID:
                              • API String ID: 1881357543-0
                              • Opcode ID: 98d98ff149fbed7519d87128c8676392e09888d0de69bbf7c0ebb6e09e84eb20
                              • Instruction ID: bc73338fdfa9db25fc0d4f6fc586d3814ddb4d82023af5a8c79a858ef351894d
                              • Opcode Fuzzy Hash: 98d98ff149fbed7519d87128c8676392e09888d0de69bbf7c0ebb6e09e84eb20
                              • Instruction Fuzzy Hash: 0D41B334600200AFE760AF24C886F2A77E5AB44718F588499FA5A9F3D3D776DD41CB90
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 762cecce9222ba988bc8b4f6d32b4fad9dd1ca804e7b0fad7db132e2debe0005
                              • Instruction ID: b0d63faff8cb252431c4c2a5382daacfb96928d3ccc3aa6c61e8edadb8587275
                              • Opcode Fuzzy Hash: 762cecce9222ba988bc8b4f6d32b4fad9dd1ca804e7b0fad7db132e2debe0005
                              • Instruction Fuzzy Hash: B141067AA00305AFE7269F78CC41BAEBBE9EF88710F10456AF185DB2D0D6759A018790
                              APIs
                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01045783
                              • GetLastError.KERNEL32(?,00000000), ref: 010457A9
                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 010457CE
                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 010457FA
                              Similarity
                              • API ID: CreateHardLink$DeleteErrorFileLast
                              • String ID:
                              • API String ID: 3321077145-0
                              • Opcode ID: 137d88af0527b7cc2bb0fdbe9252de9262f7f8011729c3660ddb9328a5282b5f
                              • Instruction ID: 24e7158e69ccbf13041f0ef056f7490c2fb1c8cbbd31e84b1df8483cc4518343
                              • Opcode Fuzzy Hash: 137d88af0527b7cc2bb0fdbe9252de9262f7f8011729c3660ddb9328a5282b5f
                              • Instruction Fuzzy Hash: 86414C35200611DFCB11EF14D984A5DBBE2EF88320B088499EC8AAF366DB34FD01DB91
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FF6D71,00000000,00000000,00FF82D9,?,00FF82D9,?,00000001,00FF6D71,8BE85006,00000001,00FF82D9,00FF82D9), ref: 0100D910
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0100D999
                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0100D9AB
                              • __freea.LIBCMT ref: 0100D9B4
                                • Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852
                              Similarity
                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                              • String ID:
                              • API String ID: 2652629310-0
                              • Opcode ID: bb8e2588e232156f1fbd2ca7619e83fe5d8902db28e15934ed83cf6486a79f0e
                              • Instruction ID: de48de5e01806a1ee68b5fffee74f7af67b0c974d168acf38b70beded9c8cac2
                              • Opcode Fuzzy Hash: bb8e2588e232156f1fbd2ca7619e83fe5d8902db28e15934ed83cf6486a79f0e
                              • Instruction Fuzzy Hash: 0831B371A0020AABEF26DFA8DD40EAE7BA6EF41310F0541A9FD44D7190D739D950CBA0
                              APIs
                              • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0103AAAC
                              • SetKeyboardState.USER32(00000080), ref: 0103AAC8
                              • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0103AB36
                              • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0103AB88
                              Similarity
                              • API ID: KeyboardState$InputMessagePostSend
                              • String ID:
                              • API String ID: 432972143-0
                              • Opcode ID: 8ea29d66e474d9b29fb2139193b4d06f966f4662004aae7de7a13cec5cd27f32
                              • Instruction ID: 7b187cad42330b3dc0337898244af3011073b3d0482e2b3841b8b39ded58d0b2
                              • Opcode Fuzzy Hash: 8ea29d66e474d9b29fb2139193b4d06f966f4662004aae7de7a13cec5cd27f32
                              • Instruction Fuzzy Hash: 5631E531B40248EEFF398A698804BFA7BEEABC5310F044A5AE5C1D71D2D3799581C765
                              APIs
                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 01065352
                              • GetWindowLongW.USER32(?,000000F0), ref: 01065375
                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01065382
                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010653A8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: LongWindow$InvalidateMessageRectSend
                              • String ID:
                              • API String ID: 3340791633-0
                              • Opcode ID: b9bbb113553c979a9048ab9db7a821b23edac822742e1c650c78752f411faaab
                              • Instruction ID: b1b980bdfaca29cc400974f049c17e6140603ee53fe6ce94258e5a61fe2745e3
                              • Opcode Fuzzy Hash: b9bbb113553c979a9048ab9db7a821b23edac822742e1c650c78752f411faaab
                              • Instruction Fuzzy Hash: 5531C534A55628EFFB748E18CC05BE83BA9AB04B90F48C142FBD1961E1D7F59A40DB42
                              APIs
                              • ClientToScreen.USER32(?,?), ref: 0106769A
                              • GetWindowRect.USER32(?,?), ref: 01067710
                              • PtInRect.USER32(?,?,01068B89), ref: 01067720
                              • MessageBeep.USER32(00000000), ref: 0106778C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Rect$BeepClientMessageScreenWindow
                              • String ID:
                              • API String ID: 1352109105-0
                              • Opcode ID: 4fda925403139749ffaf123097a15b4cdac62ec6bcd0c684bac898d9c0df25d8
                              • Instruction ID: e57f937f6f461ef60c95d15f42f96e8547a67ef6e98301c44721af995ebe44ff
                              • Opcode Fuzzy Hash: 4fda925403139749ffaf123097a15b4cdac62ec6bcd0c684bac898d9c0df25d8
                              • Instruction Fuzzy Hash: D841BF34601205EFEB12CF58C884EA97BF8FF48318F0481A8E5949B255D739E941CF90
                              APIs
                              • GetForegroundWindow.USER32 ref: 010616EB
                                • Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
                                • Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
                                • Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65
                              • GetCaretPos.USER32(?), ref: 010616FF
                              • ClientToScreen.USER32(00000000,?), ref: 0106174C
                              • GetForegroundWindow.USER32 ref: 01061752
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                              • String ID:
                              • API String ID: 2759813231-0
                              • Opcode ID: acce1fc6e2324259d5ff2f10a8dc0313d06b344930df1749a4f1ee6ec9b9fd36
                              • Instruction ID: 488f249df222336859af4fc3e7b5b159fbedbb7d53cecebe895b75f8d27f6243
                              • Opcode Fuzzy Hash: acce1fc6e2324259d5ff2f10a8dc0313d06b344930df1749a4f1ee6ec9b9fd36
                              • Instruction Fuzzy Hash: 94313E75D00249AFD700EFA9C8818EEBBFDFF88204B5480AAE455E7311E7359E45CBA0
                              APIs
                                • Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625
                              • _wcslen.LIBCMT ref: 0103DFCB
                              • _wcslen.LIBCMT ref: 0103DFE2
                              • _wcslen.LIBCMT ref: 0103E00D
                              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0103E018
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _wcslen$ExtentPoint32Text
                              • String ID:
                              • API String ID: 3763101759-0
                              • Opcode ID: a26af61ab36c2a84f7a10ac87712c72e31624ac3c67d452171ce5e6e0af9cb66
                              • Instruction ID: 19a5cccb4f1b2562a32a420f6253ab104d4b49c09c96c9cbeb5105ee21207bac
                              • Opcode Fuzzy Hash: a26af61ab36c2a84f7a10ac87712c72e31624ac3c67d452171ce5e6e0af9cb66
                              • Instruction Fuzzy Hash: 8721D671D00214AFCB219FA8CD81B6EB7F8EF85710F144065F944FB245D6749E408BA1
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32 ref: 0103D501
                              • Process32FirstW.KERNEL32(00000000,?), ref: 0103D50F
                              • Process32NextW.KERNEL32(00000000,?), ref: 0103D52F
                              • CloseHandle.KERNEL32(00000000), ref: 0103D5DC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: bd886499ee2a0fbcc52be8e8914aa85063bc1175cbcda7c4f4f75124a4257fb5
                              • Instruction ID: 26d21dbefa4ae0453d9c3e51e5c1f5d91ed36d47a9d6bef5be5f0d102190383a
                              • Opcode Fuzzy Hash: bd886499ee2a0fbcc52be8e8914aa85063bc1175cbcda7c4f4f75124a4257fb5
                              • Instruction Fuzzy Hash: 8031AF711083009FD301EF94CC81AAFBBE9EFD9344F44092EF5C1862A1EB759A48DB92
                              APIs
                                • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                              • GetCursorPos.USER32(?), ref: 01069001
                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,01027711,?,?,?,?,?), ref: 01069016
                              • GetCursorPos.USER32(?), ref: 0106905E
                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01027711,?,?,?), ref: 01069094
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                              • String ID:
                              • API String ID: 2864067406-0
                              • Opcode ID: 42a975d3fc39406ffa6f96ecf704eca8e7d81700c059f823d67988ecb9033212
                              • Instruction ID: 1dd98e5451fa0d60c4693b410fad92e71ae3c59eca9131f89d279a66482eacb8
                              • Opcode Fuzzy Hash: 42a975d3fc39406ffa6f96ecf704eca8e7d81700c059f823d67988ecb9033212
                              • Instruction Fuzzy Hash: D521BF35601018FFEF258F98C848EFA3FF9EB89350F004099FA8547261C3369990DB60
                              APIs
                              • GetFileAttributesW.KERNEL32(?,0106CB68), ref: 0103D2FB
                              • GetLastError.KERNEL32 ref: 0103D30A
                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0103D319
                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0106CB68), ref: 0103D376
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CreateDirectory$AttributesErrorFileLast
                              • String ID:
                              • API String ID: 2267087916-0
                              • Opcode ID: fc3842c407c58d6382caafa14ec9b325fff81840d0faf01edec9943a8db1b455
                              • Instruction ID: ed6111901316be25e84a1e00bf8fc7adf8e584495e540565fa6f89ae344476e9
                              • Opcode Fuzzy Hash: fc3842c407c58d6382caafa14ec9b325fff81840d0faf01edec9943a8db1b455
                              • Instruction Fuzzy Hash: FF21E2705083019F9310DFA8C98086E7BECEE86324F948A5EF4D9C72A1D735DE09CB92
                              APIs
                                • Part of subcall function 01031014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0103102A
                                • Part of subcall function 01031014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01031036
                                • Part of subcall function 01031014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031045
                                • Part of subcall function 01031014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0103104C
                                • Part of subcall function 01031014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031062
                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010315BE
                              • _memcmp.LIBVCRUNTIME ref: 010315E1
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01031617
                              • HeapFree.KERNEL32(00000000), ref: 0103161E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                              • String ID:
                              • API String ID: 1592001646-0
                              • Opcode ID: 4eba2cb71552c9f9f650033a5a172887f87730b2b119a1af4991f6dffefe7376
                              • Instruction ID: 89dc790d7e67506cb17119217a11e5adecf2851ea69194f8be6e9d481713de0a
                              • Opcode Fuzzy Hash: 4eba2cb71552c9f9f650033a5a172887f87730b2b119a1af4991f6dffefe7376
                              • Instruction Fuzzy Hash: C1219031E00109EFEB10DFA9C944BEEBBF8EF88354F084499E581AB240D735AA05DB60
                              APIs
                              • GetWindowLongW.USER32(?,000000EC), ref: 0106280A
                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 01062824
                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 01062832
                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01062840
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$Long$AttributesLayered
                              • String ID:
                              • API String ID: 2169480361-0
                              • Opcode ID: fdb18b7d0e1f4ab59d0cd83062345b46ffa3ffc1d4849f72743d08dcdd863825
                              • Instruction ID: 1193ca5c2cdab0838c5092488acfeb9d05eb89f46ef1dfcc0e6f16faa9af26d1
                              • Opcode Fuzzy Hash: fdb18b7d0e1f4ab59d0cd83062345b46ffa3ffc1d4849f72743d08dcdd863825
                              • Instruction Fuzzy Hash: 1421C131205112AFE7149B24CC44FAA7B99AF45324F198159F4A68B6E2C77AEC82C7D0
                              APIs
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 0104CE89
                              • GetLastError.KERNEL32(?,00000000), ref: 0104CEEA
                              • SetEvent.KERNEL32(?,?,00000000), ref: 0104CEFE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ErrorEventFileInternetLastRead
                              • String ID:
                              • API String ID: 234945975-0
                              • Opcode ID: 6446c62382a9aafd06ef2925a5bda398bd3d259df7617dfd15904aa960416bbb
                              • Instruction ID: 16a41945809d4938086c1d1d1ac369cccf750c1ac0f601e6c72c4a91894021c4
                              • Opcode Fuzzy Hash: 6446c62382a9aafd06ef2925a5bda398bd3d259df7617dfd15904aa960416bbb
                              • Instruction Fuzzy Hash: E92190B15013059BF770DF6ACA84BAA7BF8EF40354F10446EE6C6D2162E779EA049B50
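Three of the function summaries above carry the API chains that back signatures in the report's overview: the Toolhelp32 walk (CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle at 0103D501..0103D5DC), the TokenIntegrityLevel query reached through subcall 01031014 followed by LookupPrivilegeValueW and _memcmp, and the InternetReadFile loop at 0104CE89 that signals completion with SetEvent. The Python below is an added example, not code from the Joe Sandbox report or the analysed sample: it parses "APIs" entries in exactly the shape rendered on this page and flags the chains above so that a reviewer can triage hundreds of such blocks without reading each one. The behaviour labels, the rule table and the sample entries (constructed copies of lines on this page) are this example's own assumptions.

```python
"""Triage of Joe Sandbox "IDA Plugin" per-function API summaries (added example).

Parses the "APIs" entries as rendered on the report page and flags API chains
that back the report's signatures. Rule labels are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: entries copied in the shape shown on this page.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0103D501
• Process32FirstW.KERNEL32(00000000,?), ref: 0103D50F
• Process32NextW.KERNEL32(00000000,?), ref: 0103D52F
• CloseHandle.KERNEL32(00000000), ref: 0103D5DC
Memory Dump Source
APIs
  • Part of subcall function 01031014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0103102A
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010315BE
• _memcmp.LIBVCRUNTIME ref: 010315E1
Memory Dump Source
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 0104CE89
• SetEvent.KERNEL32(?,?,00000000), ref: 0104CEFE
Memory Dump Source
APIs
• SendMessageW.USER32(?,00001060,?,00000004), ref: 010656BB
• _wcslen.LIBCMT ref: 010656CD
Memory Dump Source
"""

# One entry: optional bullet, optional "Part of subcall function XXXXXXXX:",
# then Name.MODULE(args), ref: ADDRESS. Args may nest parentheses, e.g.
# "00000003(TokenIntegrityLevel)", so args is matched greedily and backtracks.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<subfn>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: str
    subcall_of: Optional[str]  # callee address when the call is made inside a subcall


@dataclass
class FunctionSummary:
    first_ref: str = ""  # address of the first direct call; stands in for the function
    calls: List[ApiCall] = field(default_factory=list)

    def apis(self) -> set:
        return {c.api for c in self.calls}

    def named_constants(self) -> set:
        # "00000003(TokenIntegrityLevel)" -> "TokenIntegrityLevel"
        return {m for c in self.calls for m in re.findall(r"\((\w+)\)", c.args)}


def parse_summaries(text: str) -> List[FunctionSummary]:
    funcs: List[FunctionSummary] = []
    current: Optional[FunctionSummary] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionSummary()
            funcs.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if not m:  # any other heading ("Memory Dump Source", "Strings") ends the entry
            current = None
            continue
        call = ApiCall(m["api"], m["mod"], m["args"] or "", m["ref"], m["subfn"])
        if not current.first_ref and call.subcall_of is None:
            current.first_ref = call.ref
        current.calls.append(call)
    return funcs


# Every API in a rule's set must appear, directly or via a subcall. API names are
# taken from the page; the behaviour labels are this example's own assumption.
RULES = {
    "process enumeration (Toolhelp32 walk)": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "token integrity level / privilege check": {"GetTokenInformation", "LookupPrivilegeValueW"},
    "payload read over WinINet": {"InternetReadFile"},
    "synthetic keyboard input": {"SetKeyboardState", "SendInput"},
}


@dataclass(frozen=True)
class Finding:
    function: str
    behaviour: str
    via_subcall: bool           # part of the chain lives in a callee, not the function itself
    constants: Tuple[str, ...]  # named constants seen in the arguments


def triage(funcs: List[FunctionSummary]) -> List[Finding]:
    findings: List[Finding] = []
    for f in funcs:
        for behaviour, required in RULES.items():
            if required <= f.apis():
                via_sub = any(c.subcall_of for c in f.calls if c.api in required)
                findings.append(Finding(f.first_ref, behaviour, via_sub, tuple(sorted(f.named_constants()))))
    return findings


if __name__ == "__main__":
    for hit in triage(parse_summaries(SAMPLE)):
        print(f"{hit.function}: {hit.behaviour}"
              + (" (via subcall)" if hit.via_subcall else "")
              + (f" constants={hit.constants}" if hit.constants else ""))
```

The via_subcall flag matters when reading these summaries: a chain reported under "Part of subcall function" is executed by a callee, so the address to pivot on in the disassembly is the subcall's (01031014 here), not the function whose block lists it. Named constants such as TokenIntegrityLevel are pulled from the argument annotations so a rule can later tighten on the exact TokenInformationClass queried.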
                              APIs
                                • Part of subcall function 01038D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0103790A,?,000000FF,?,01038754,00000000,?,0000001C,?,?), ref: 01038D8C
                                • Part of subcall function 01038D7D: lstrcpyW.KERNEL32(00000000,?,?,0103790A,?,000000FF,?,01038754,00000000,?,0000001C,?,?,00000000), ref: 01038DB2
                                • Part of subcall function 01038D7D: lstrcmpiW.KERNEL32(00000000,?,0103790A,?,000000FF,?,01038754,00000000,?,0000001C,?,?), ref: 01038DE3
                              • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01038754,00000000,?,0000001C,?,?,00000000), ref: 01037923
                              • lstrcpyW.KERNEL32(00000000,?,?,01038754,00000000,?,0000001C,?,?,00000000), ref: 01037949
                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,01038754,00000000,?,0000001C,?,?,00000000), ref: 01037984
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: lstrcmpilstrcpylstrlen
                              • String ID: cdecl
                              • API String ID: 4031866154-3896280584
                              • Opcode ID: 305f10e94f56a54a4ec8815b5042aeccaf240b9825559aad181f60a2064aad7c
                              • Instruction ID: b64251baa8cbc953f2537af8ab19cae0a1aae5017949b02b18376790c1d4e656
                              • Opcode Fuzzy Hash: 305f10e94f56a54a4ec8815b5042aeccaf240b9825559aad181f60a2064aad7c
                              • Instruction Fuzzy Hash: BC11067A200342ABDB256F39C844E7A77E9FF85350B00816BF982CB264EB369801C751
                              APIs
                              • GetWindowLongW.USER32(?,000000F0), ref: 01067D0B
                              • SetWindowLongW.USER32(00000000,000000F0,?), ref: 01067D2A
                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01067D42
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0104B7AD,00000000), ref: 01067D6B
                                • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$Long
                              • String ID:
                              • API String ID: 847901565-0
                              • Opcode ID: c112b62e5f9227084c56163900a14b92934b53da485f43edfa33750358b3753d
                              • Instruction ID: 1de9685bb4d26cc3a26201b68881aaca2df2a56f6d0d569f24bc0245873d59d0
                              • Opcode Fuzzy Hash: c112b62e5f9227084c56163900a14b92934b53da485f43edfa33750358b3753d
                              • Instruction Fuzzy Hash: 2611E432200615AFDB60AF2CCC04A6A3BE8BB45374F114B64F9B5C72F4E7358950CB50
                              APIs
                              • SendMessageW.USER32(?,00001060,?,00000004), ref: 010656BB
                              • _wcslen.LIBCMT ref: 010656CD
                              • _wcslen.LIBCMT ref: 010656D8
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 01065816
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageSend_wcslen
                              • String ID:
                              • API String ID: 455545452-0
                              • Opcode ID: b9474b84c0fdfc845bac379499baf98fbdcc81807b5c1106b71c4b1ad2affdd0
                              • Instruction ID: 81b9f5e5a1661ed79f61b48ae0d3b35ae9ad5e16fad4ebe49523f0b81fc2d517
                              • Opcode Fuzzy Hash: b9474b84c0fdfc845bac379499baf98fbdcc81807b5c1106b71c4b1ad2affdd0
                              • Instruction Fuzzy Hash: 3111D67160020996EB209F65DC85AFF7BACEF057A4F0040AAFAD5D6081EBB4D540CB60
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ee98c522b8af2b8502dff0751215f1c520cd55041580386c951f5f8054a1e8ee
                              • Instruction ID: 53de52e6dffcd1c4aba9f59f10037b52bdaf852298f2acacadbd3dfedd877f99
                              • Opcode Fuzzy Hash: ee98c522b8af2b8502dff0751215f1c520cd55041580386c951f5f8054a1e8ee
                              • Instruction Fuzzy Hash: 6701A2B220961A7EF66335B86CC0F6B665DDF513B8F300326F6A1A11D5EB71CC004270
                              APIs
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 01031A47
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A59
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A6F
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A8A
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 0103E1FD
                              • MessageBoxW.USER32(?,?,?,?), ref: 0103E230
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0103E246
                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0103E24D
                              Similarity
                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                              • String ID:
                              • API String ID: 2880819207-0
                              APIs
                              • CreateThread.KERNEL32(00000000,?,00FFCFF9,00000000,00000004,00000000), ref: 00FFD218
                              • GetLastError.KERNEL32 ref: 00FFD224
                              • __dosmaperr.LIBCMT ref: 00FFD22B
                              • ResumeThread.KERNEL32(00000000), ref: 00FFD249
                              Similarity
                              • API ID: Thread$CreateErrorLastResume__dosmaperr
                              • String ID:
                              • API String ID: 173952441-0
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
                              • GetStockObject.GDI32(00000011), ref: 00FD6060
                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A
                              Similarity
                              • API ID: CreateMessageObjectSendStockWindow
                              • String ID:
                              • API String ID: 3970641297-0
                              APIs
                              • ___BuildCatchObject.LIBVCRUNTIME ref: 00FF3B56
                                • Part of subcall function 00FF3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FF3AD2
                                • Part of subcall function 00FF3AA3: ___AdjustPointer.LIBCMT ref: 00FF3AED
                              • _UnwindNestedFrames.LIBCMT ref: 00FF3B6B
                              • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FF3B7C
                              • CallCatchBlock.LIBVCRUNTIME ref: 00FF3BA4
                              Similarity
                              • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                              • String ID:
                              • API String ID: 737400349-0
                              APIs
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FD13C6,00000000,00000000,?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue), ref: 010030A5
                              • GetLastError.KERNEL32(?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue,01072290,FlsSetValue,00000000,00000364,?,01002E46), ref: 010030B1
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue,01072290,FlsSetValue,00000000), ref: 010030BF
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID:
                              • API String ID: 3177248105-0
                              APIs
                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0103747F
                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01037497
                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010374AC
                              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 010374CA
                              Similarity
                              • API ID: Type$Register$FileLoadModuleNameUser
                              • String ID:
                              • API String ID: 1352324309-0
                              APIs
                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0C4
                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0E9
                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0F3
                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B126
                              Similarity
                              • API ID: CounterPerformanceQuerySleep
                              • String ID:
                              • API String ID: 2875609808-0
                              APIs
                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01032DC5
                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 01032DD6
                              • GetCurrentThreadId.KERNEL32 ref: 01032DDD
                              • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01032DE4
                              Similarity
                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                              • String ID:
                              • API String ID: 2710830443-0
                              APIs
                                • Part of subcall function 00FE9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
                                • Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96A2
                                • Part of subcall function 00FE9639: BeginPath.GDI32(?), ref: 00FE96B9
                                • Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96E2
                              • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01068887
                              • LineTo.GDI32(?,?,?), ref: 01068894
                              • EndPath.GDI32(?), ref: 010688A4
                              • StrokePath.GDI32(?), ref: 010688B2
                              Similarity
                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                              • String ID:
                              • API String ID: 1539411459-0
                              APIs
                              • GetSysColor.USER32(00000008), ref: 00FE98CC
                              • SetTextColor.GDI32(?,?), ref: 00FE98D6
                              • SetBkMode.GDI32(?,00000001), ref: 00FE98E9
                              • GetStockObject.GDI32(00000005), ref: 00FE98F1
                              Similarity
                              • API ID: Color$ModeObjectStockText
                              • String ID:
                              • API String ID: 4037423528-0
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 01031634
                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,010311D9), ref: 0103163B
                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010311D9), ref: 01031648
                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,010311D9), ref: 0103164F
                              Similarity
                              • API ID: CurrentOpenProcessThreadToken
                              • String ID:
                              • API String ID: 3974789173-0
                              APIs
                              • GetDesktopWindow.USER32 ref: 0102D858
                              • GetDC.USER32(00000000), ref: 0102D862
                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0102D882
                              • ReleaseDC.USER32(?), ref: 0102D8A3
                              Similarity
                              • API ID: CapsDesktopDeviceReleaseWindow
                              • String ID:
                              • API String ID: 2889604237-0
                              APIs
                              • GetDesktopWindow.USER32 ref: 0102D86C
                              • GetDC.USER32(00000000), ref: 0102D876
                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0102D882
                              • ReleaseDC.USER32(?), ref: 0102D8A3
                              Similarity
                              • API ID: CapsDesktopDeviceReleaseWindow
                              • String ID:
                              • API String ID: 2889604237-0
                              APIs
                                • Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625
                              • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01044ED4
                              Strings
                              Similarity
                              • API ID: Connection_wcslen
                              • String ID: *$LPT
                              • API String ID: 1725874428-3443410124
                              • Opcode ID: c6c67bbcb9ae3856cdc631f11ed92f0647ac45597bc2a86a078d96a5c5d568a7
                              • Instruction ID: 5616581edc966602fbcdb0566b640a3b3d5c3ea00f8f5e3a776f83ca54799d88
                              • Opcode Fuzzy Hash: c6c67bbcb9ae3856cdc631f11ed92f0647ac45597bc2a86a078d96a5c5d568a7
                              • Instruction Fuzzy Hash: D3916FB5A042049FDB15DF58C8C4FAABBF1AF44304F1980A9E84A9F362D735ED85CB91
                              APIs
                              • __startOneArgErrorHandling.LIBCMT ref: 00FFE30D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ErrorHandling__start
                              • String ID: pow
                              • API String ID: 3213639722-2276729525
                              • Opcode ID: b3fdecc7554f1b31e655849d335909f8f2fe2003bee11e0426d719eab86f8815
                              • Instruction ID: eb123f7609eb0937f82f34d43529614e7c0b57355d1c84be3f1fc66907d158a2
                              • Opcode Fuzzy Hash: b3fdecc7554f1b31e655849d335909f8f2fe2003bee11e0426d719eab86f8815
                              • Instruction Fuzzy Hash: C8518E72E0920A96EB277718C9043B93FE4EF50750F204969E1D5422FCEF3D9C95AB46
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID:
                              • String ID: #
                              • API String ID: 0-1885708031
                              • Opcode ID: 7d52239c26b51028eda69f9041a7b39a50a4795a27a14a204b34d9077f02536d
                              • Instruction ID: d25bc105b9278c3d7049c8d9f6432819f368e46d3b3e3cb50a9023e9f0f7e81d
                              • Opcode Fuzzy Hash: 7d52239c26b51028eda69f9041a7b39a50a4795a27a14a204b34d9077f02536d
                              • Instruction Fuzzy Hash: B4517235A44296DFEF15DF68D4806BA7BA4FF05310F248096E9C19B2D0D6389D42DBA0
                              APIs
                              • Sleep.KERNEL32(00000000), ref: 00FEF2A2
                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00FEF2BB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: GlobalMemorySleepStatus
                              • String ID: @
                              • API String ID: 2783356886-2766056989
                              • Opcode ID: 55ff205b0327e81eeb9f2759d8a15bdfbbc92a99b8a981007837a50dfd7b8c4c
                              • Instruction ID: dd2bc054cc419711d43e58a4233070ef7b66e973f004918e62405a23248236ab
                              • Opcode Fuzzy Hash: 55ff205b0327e81eeb9f2759d8a15bdfbbc92a99b8a981007837a50dfd7b8c4c
                              • Instruction Fuzzy Hash: B95156714087459BD320AF10DC86BAFBBF9FF84300F85884EF1D981295EB75852ACB66
                              APIs
                              • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010557E0
                              • _wcslen.LIBCMT ref: 010557EC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: BuffCharUpper_wcslen
                              • String ID: CALLARGARRAY
                              • API String ID: 157775604-1150593374
                              • Opcode ID: 1b65b2aca13cbc02dc5963f1298455ac83fdcbc64786bc4a08db986eeaab7840
                              • Instruction ID: 26722876cb509e44a396774d8830954ad972a3c059852dd96f34638e970614a6
                              • Opcode Fuzzy Hash: 1b65b2aca13cbc02dc5963f1298455ac83fdcbc64786bc4a08db986eeaab7840
                              • Instruction Fuzzy Hash: EA41A131E002099FCB54DFA9CC819BEBBF5FF49320F14406AE985A7292E7759981CB90
                              APIs
                              • _wcslen.LIBCMT ref: 0104D130
                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0104D13A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CrackInternet_wcslen
                              • String ID: |
                              • API String ID: 596671847-2343686810
                              • Opcode ID: 82a7db0aaadb44f7bf56f1df010e16dc1288722efea76e5bc71e7bd05a85fa4b
                              • Instruction ID: 63ddcb89436e35d4cd006622d9d38de9aa026b7b7917e9bbf19840a8647b79f3
                              • Opcode Fuzzy Hash: 82a7db0aaadb44f7bf56f1df010e16dc1288722efea76e5bc71e7bd05a85fa4b
                              • Instruction Fuzzy Hash: F3313D75D00209ABDF15EFE4CC85AEE7FBAFF14300F04006AF915A6266D735AA06DB54
                              APIs
                              • DestroyWindow.USER32(?,?,?,?), ref: 01063621
                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0106365C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$DestroyMove
                              • String ID: static
                              • API String ID: 2139405536-2160076837
                              • Opcode ID: f18c917200093b41fa18a12b9e0841f4df99aeca2f607e5c35f0710c4156794b
                              • Instruction ID: f8814a7a18f730f6ea171e9ce2e29c0aca3109a143ca081fbb2564e117f9cdfa
                              • Opcode Fuzzy Hash: f18c917200093b41fa18a12b9e0841f4df99aeca2f607e5c35f0710c4156794b
                              • Instruction Fuzzy Hash: 18318171100604AAEB109F68DC40EFB73ADFF48714F00961AF9A997250DA35AC81D7A0
                              APIs
                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 0106461F
                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01064634
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: '
                              • API String ID: 3850602802-1997036262
                              • Opcode ID: d68ee2e9c29d2845298a16d990c57516a536e9b525fbfe8e841a3e7e9281ef5d
                              • Instruction ID: e0801c4a699bed0bf6624d972cfb488d1e9cc74d273aff77eb4c9c67b17ebd72
                              • Opcode Fuzzy Hash: d68ee2e9c29d2845298a16d990c57516a536e9b525fbfe8e841a3e7e9281ef5d
                              • Instruction Fuzzy Hash: AE310674A0120AAFDB54CFA9C980ADA7BF9FF49300F14416AEA45EB342D771A941CF90
                              APIs
                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0106327C
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01063287
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: Combobox
                              • API String ID: 3850602802-2096851135
                              • Opcode ID: 792b8c2859d4946412726cc17ad111b7b184f683a9b3a870daf96d84c0ea11d3
                              • Instruction ID: c579cb1e9c2e4b4684cf6e0e0ec6211581c5fd9d8587df9fa0ec8ba587ec35c2
                              • Opcode Fuzzy Hash: 792b8c2859d4946412726cc17ad111b7b184f683a9b3a870daf96d84c0ea11d3
                              • Instruction Fuzzy Hash: 1C11E67130020A7FFF629E58DC80EBB379EFB48364F104125F5989B291D6759C50C7A0
                              APIs
                                • Part of subcall function 00FD600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
                                • Part of subcall function 00FD600E: GetStockObject.GDI32(00000011), ref: 00FD6060
                                • Part of subcall function 00FD600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A
                              • GetWindowRect.USER32(00000000,?), ref: 0106377A
                              • GetSysColor.USER32(00000012), ref: 01063794
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                              • String ID: static
                              • API String ID: 1983116058-2160076837
                              • Opcode ID: 57e4ab82a242456c184536177663147bec98f75e4771488733c5a753d8b9d6d0
                              • Instruction ID: ab0ddae9897c3ee72879365b7664d3abaf26280e48eaf7056af3340001df826b
                              • Opcode Fuzzy Hash: 57e4ab82a242456c184536177663147bec98f75e4771488733c5a753d8b9d6d0
                              • Instruction Fuzzy Hash: 70113A72610209AFEF11DFA8CD45EEE7BF8FB08354F004515F995E6250D779E8509B90
                              APIs
                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0104CD7D
                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0104CDA6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Internet$OpenOption
                              • String ID: <local>
                              • API String ID: 942729171-4266983199
                              • Opcode ID: c5aa6b000b87ce6d376617803f54bc63139999bdfb93ff4b1f6c0dfd803b240c
                              • Instruction ID: 78e9e37e246de2ed616550a12d5f843f12cbc563380a6d99c1161c9a2981b378
                              • Opcode Fuzzy Hash: c5aa6b000b87ce6d376617803f54bc63139999bdfb93ff4b1f6c0dfd803b240c
                              • Instruction Fuzzy Hash: 0C1106B12026317BE7786A668D84EE7BEACEF026A4F00422AB1C983080D3759440C6F0
                              APIs
                              • GetWindowTextLengthW.USER32(00000000), ref: 010634AB
                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010634BA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: LengthMessageSendTextWindow
                              • String ID: edit
                              • API String ID: 2978978980-2167791130
                              • Opcode ID: 8e88538d751e03edf3a33c057393ed528c1df47572925ff370f4b9a076ee442c
                              • Instruction ID: 06b7080dae4719a3b0b6a3d17808dcb6dc14b822241334272673d0058fdb69d0
                              • Opcode Fuzzy Hash: 8e88538d751e03edf3a33c057393ed528c1df47572925ff370f4b9a076ee442c
                              • Instruction Fuzzy Hash: 9011B275100104ABEB624E68DC44AEB77AEFF05374F504314F9E89B1D4CB75EC519790
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                              • CharUpperBuffW.USER32(?,?,?), ref: 01036CB6
                              • _wcslen.LIBCMT ref: 01036CC2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _wcslen$BuffCharUpper
                              • String ID: STOP
                              • API String ID: 1256254125-2411985666
                              • Opcode ID: c27972536f8ad7846dd25a27fef1bde6b2ce1f27ac26d235ebc3d767077fe182
                              • Instruction ID: 960dcd8978e8cf357e70fd57faf32659b876aa30154f9aeff6403499b792b72a
                              • Opcode Fuzzy Hash: c27972536f8ad7846dd25a27fef1bde6b2ce1f27ac26d235ebc3d767077fe182
                              • Instruction Fuzzy Hash: BC010832E1052A9ACB21AFFDDC448BF77F9EA91614B000565E49296195EA37D640C750
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                                • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01031D4C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ClassMessageNameSend_wcslen
                              • String ID: ComboBox$ListBox
                              • API String ID: 624084870-1403004172
                              • Opcode ID: cfd6d3ab82d5f6db84c873985e60766f5a6ec24881753a5b52f270614550c89b
                              • Instruction ID: 7eb65ae739bac252bfb5e4362b5a2ea2334261254b9938262f13ab70fa0dc5b5
                              • Opcode Fuzzy Hash: cfd6d3ab82d5f6db84c873985e60766f5a6ec24881753a5b52f270614550c89b
                              • Instruction Fuzzy Hash: 2D012431600229AB9B08FBA4CC54CFE77ADFB9B350B44061AF8B25B3C0EA7458089760
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                                • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 01031C46
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ClassMessageNameSend_wcslen
                              • String ID: ComboBox$ListBox
                              • API String ID: 624084870-1403004172
                              • Opcode ID: ad77f1ce5a5afa618a62972c14921a686935dd3d90f210694c92ad1792db30a3
                              • Instruction ID: 563697851b7a4acaf70ba6249909281b05f5c56bedeab94490279645a306ec2e
                              • Opcode Fuzzy Hash: ad77f1ce5a5afa618a62972c14921a686935dd3d90f210694c92ad1792db30a3
                              • Instruction Fuzzy Hash: 2C01477171010D66DF04EBE2CE519FF77ED9B56340F04001AB49267281EA74AE0897B1
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                                • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 01031CC8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ClassMessageNameSend_wcslen
                              • String ID: ComboBox$ListBox
                              • API String ID: 624084870-1403004172
                              • Opcode ID: 2c330cc9a0ba6b777744399cfc394ebbdfe437ecd69eaaa4bb615e8260ae1a4b
                              • Instruction ID: d7ef093abf0e493ed38da9c99dc941fef1a1500b4953c4e79ad1c0ba666c9271
                              • Opcode Fuzzy Hash: 2c330cc9a0ba6b777744399cfc394ebbdfe437ecd69eaaa4bb615e8260ae1a4b
                              • Instruction Fuzzy Hash: 2401267171011D67DF04EBE5DE11AFF77ECAB65340F04002AB88267281EA749E08D771
                              APIs
                                • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                                • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                              • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01031DD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ClassMessageNameSend_wcslen
                              • String ID: ComboBox$ListBox
                              • API String ID: 624084870-1403004172
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: _wcslen
                              • String ID: 3, 3, 16, 1
                              • API String ID: 176396367-3042988571
                              APIs
                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01030B23
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Message
                              • String ID: AutoIt$Error allocating memory.
                              • API String ID: 2030045667-4017498283
                              APIs
                                • Part of subcall function 00FEF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FF0D71,?,?,?,00FD100A), ref: 00FEF7CE
                              • IsDebuggerPresent.KERNEL32(?,?,?,00FD100A), ref: 00FF0D75
                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FD100A), ref: 00FF0D84
                              Strings
                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FF0D7F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                              • API String ID: 55579361-631824599
                              APIs
                              • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0104302F
                              • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 01043044
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: Temp$FileNamePath
                              • String ID: aut
                              • API String ID: 3285503233-3010740371
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: LocalTime
                              • String ID: %.3d$X64
                              • API String ID: 481472006-1077770165
                              APIs
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0106232C
                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0106233F
                                • Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: FindMessagePostSleepWindow
                              • String ID: Shell_TrayWnd
                              • API String ID: 529655941-2988720461
                              APIs
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0106236C
                              • PostMessageW.USER32(00000000), ref: 01062373
                                • Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: FindMessagePostSleepWindow
                              • String ID: Shell_TrayWnd
                              • API String ID: 529655941-2988720461
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0100BE93
                              • GetLastError.KERNEL32 ref: 0100BEA1
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0100BEFC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2063321241.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                               • Associated: 00000000.00000002.2063288492.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063386698.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063444448.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2063468829.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_fd0000_Pago devuelto #.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0