Windows Analysis Report
pagamento.exe

Overview

General Information

Sample name:pagamento.exe
Analysis ID:1501077
MD5:3aed500e59bf7f4761c307fa6976fd7a
SHA1:d9332de73d9cae677566ece8350e9648e54ef9de
SHA256:eba01987d394303d9b87f90eeba8d51a5509f4ce484620a032ce94c2e38502d3
Tags:exe
Infos:

Detection

Snake Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • pagamento.exe (PID: 2068 cmdline: "C:\Users\user\Desktop\pagamento.exe" MD5: 3AED500E59BF7F4761C307FA6976FD7A)
    • RegSvcs.exe (PID: 2444 cmdline: "C:\Users\user\Desktop\pagamento.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "jorge.morales@cirotec.mx", "Password": "fV&uD7[{_c&4", "Host": "mail.cirotec.mx", "Port": "587", "Version": "5.1"}
Source | Rule | Description | Author | Strings
00000002.00000002.4076883705.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
        • 0x148cb:$a1: get_encryptedPassword
        • 0x14bb7:$a2: get_encryptedUsername
        • 0x146d7:$a3: get_timePasswordChanged
        • 0x147d2:$a4: get_passwordField
        • 0x148e1:$a5: set_encryptedPassword
        • 0x15f74:$a7: get_logins
        • 0x15ed7:$a10: KeyLoggerEventArgs
        • 0x15b42:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
        • 0x18240:$x1: $%SMTPDV$
        • 0x182a6:$x2: $#TheHashHere%&
        • 0x198cf:$x3: %FTPDV$
        • 0x199c3:$x4: $%TelegramDv$
        • 0x15b42:$x5: KeyLoggerEventArgs
        • 0x15ed7:$x5: KeyLoggerEventArgs
        • 0x198f3:$m2: Clipboard Logs ID
        • 0x19b13:$m2: Screenshot Logs ID
        • 0x19c23:$m2: keystroke Logs ID
        • 0x19efd:$m3: SnakePW
        • 0x19aeb:$m4: \SnakeKeylogger\
Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
              • 0x14acb:$a1: get_encryptedPassword
              • 0x14db7:$a2: get_encryptedUsername
              • 0x148d7:$a3: get_timePasswordChanged
              • 0x149d2:$a4: get_passwordField
              • 0x14ae1:$a5: set_encryptedPassword
              • 0x16174:$a7: get_logins
              • 0x160d7:$a10: KeyLoggerEventArgs
              • 0x15d42:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
              • 0x1c4d1:$a2: \Comodo\Dragon\User Data\Default\Login Data
              • 0x1b703:$a3: \Google\Chrome\User Data\Default\Login Data
              • 0x1bb36:$a4: \Orbitum\User Data\Default\Login Data
              • 0x1cb75:$a5: \Kometa\User Data\Default\Login Data
              No Sigma rule has matched
              Timestamp:2024-08-29T12:02:50.042956+0200
              SID:2803305
              Severity:3
              Source Port:49716
              Destination Port:443
              Protocol:TCP
              Classtype:Unknown Traffic
              Timestamp:2024-08-29T12:02:43.302201+0200
              SID:2803305
              Severity:3
              Source Port:49708
              Destination Port:443
              Protocol:TCP
              Classtype:Unknown Traffic
              Timestamp:2024-08-29T12:02:52.685606+0200
              SID:2803305
              Severity:3
              Source Port:49720
              Destination Port:443
              Protocol:TCP
              Classtype:Unknown Traffic
              Timestamp:2024-08-29T12:02:43.993994+0200
              SID:2803274
              Severity:2
              Source Port:49709
              Destination Port:80
              Protocol:TCP
              Classtype:Potentially Bad Traffic
              Timestamp:2024-08-29T12:02:41.806438+0200
              SID:2803274
              Severity:2
              Source Port:49706
              Destination Port:80
              Protocol:TCP
              Classtype:Potentially Bad Traffic
              Timestamp:2024-08-29T12:02:44.538824+0200
              SID:2803305
              Severity:3
              Source Port:49710
              Destination Port:443
              Protocol:TCP
              Classtype:Unknown Traffic
              Timestamp:2024-08-29T12:02:42.744009+0200
              SID:2803274
              Severity:2
              Source Port:49706
              Destination Port:80
              Protocol:TCP
              Classtype:Potentially Bad Traffic

AV Detection

Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "jorge.morales@cirotec.mx", "Password": "fV&uD7[{_c&4", "Host": "mail.cirotec.mx", "Port": "587", "Version": "5.1"}
Source: pagamento.exe | ReversingLabs: Detection: 57%
Source: pagamento.exe | Virustotal: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: pagamento.exe | Joe Sandbox ML: detected

              Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: pagamento.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49707 version: TLS 1.0
              Source: Binary string: wntdll.pdbUGP source: pagamento.exe, 00000000.00000003.1613317937.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, pagamento.exe, 00000000.00000003.1610382501.0000000004040000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: pagamento.exe, 00000000.00000003.1613317937.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, pagamento.exe, 00000000.00000003.1610382501.0000000004040000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00C0DBBE
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00BDC2A2 FindFirstFileExW | 0_2_00BDC2A2
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C168EE FindFirstFileW,FindClose | 0_2_00C168EE
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00C1698F
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00C0D076
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00C0D3A9
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00C19642
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00C1979D
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00C19B2B
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C15C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00C15C97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0120E61Fh | 2_2_0120E431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0120EFA9h | 2_2_0120E431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0120FA39h | 2_2_0120F778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_0120E005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_0120D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_0120DE23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C88EDh | 2_2_058C85B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C5869h | 2_2_058C55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C7FA9h | 2_2_058C7D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C0741h | 2_2_058C0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C76F9h | 2_2_058C7450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C72A2h | 2_2_058C6FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C69C9h | 2_2_058C6720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 2_2_058C3676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C6119h | 2_2_058C5E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C53E9h | 2_2_058C5140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C8401h | 2_2_058C8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C7B51h | 2_2_058C78A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C0B99h | 2_2_058C08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C02E9h | 2_2_058C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 2_2_058C3350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 2_2_058C3360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C6E21h | 2_2_058C6B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C6571h | 2_2_058C62C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 058C5CC1h | 2_2_058C5A18

              Networking

Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View | IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49709 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49706 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49710 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49716 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49708 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49720 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49707 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C1CE44 InternetReadFile,SetEvent,GetLastError,SetEvent | 0_2_00C1CE44
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4076883705.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.4076883705.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4076883705.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: pagamento.exe, 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4076883705.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4076883705.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4076883705.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: pagamento.exe, 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegSvcs.exe, 00000002.00000002.4076883705.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33(
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00C1EAFF
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C1ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00C1ED6A
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00C1EAFF
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C0AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput | 0_2_00C0AA57
Source: C:\Users\user\Desktop\pagamento.exe | Code function: 0_2_00C39576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_00C39576

System Summary

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: pagamento.exe PID: 2068, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: pagamento.exe PID: 2068, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2444, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2444, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: pagamento.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: pagamento.exe, 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: pagamento.exe, 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: pagamento.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C0D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C0E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C12046
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BA8060
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C08298
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BDE4FF
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BD676B
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C34873
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BCCAA0
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BACAF0
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BBCC39
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BD6DD9
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BA91C0
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BBB119
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC1394
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC1706
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC781B
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC19B0
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BA7920
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BB997D
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC7A4A
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC7CA7
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC1C77
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BD9EEE
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C2BE44
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC1F32
Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_022F3650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_01206108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120E431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_01206730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120F778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120C752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120A84F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_01209858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120BBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120CA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_01204AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_01203572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0120D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CC580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C85B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CAC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C9FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CBF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CA600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CB8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C8B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CCBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CB290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CD218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C85A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C55B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CA5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C7D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CC570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C0488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C7CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C743F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CAC37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C7450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C9FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C6FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C6FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C6712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C6720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CBF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C36D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C5E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C5E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C5132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C8148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C5140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C7898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C78A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C08E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C0007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C2848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C2858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CCBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C43D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C3350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C6B69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C3360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C6B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CB281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C62BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C62C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C5A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058CD20B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_058C5A18
Source: C:\Users\user\Desktop\pagamento.exe Code function: String function: 00BC4963 appears 31 times
Source: C:\Users\user\Desktop\pagamento.exe Code function: String function: 00BC0A30 appears 46 times
Source: C:\Users\user\Desktop\pagamento.exe Code function: String function: 00BA9CB3 appears 31 times
Source: C:\Users\user\Desktop\pagamento.exe Code function: String function: 00BBF9F2 appears 40 times
Source: pagamento.exe, 00000000.00000003.1611065758.0000000004163000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs pagamento.exe
Source: pagamento.exe, 00000000.00000003.1609721852.000000000430D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs pagamento.exe
Source: pagamento.exe, 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs pagamento.exe
Source: pagamento.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: pagamento.exe PID: 2068, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: pagamento.exe PID: 2068, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 2444, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2444, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.pagamento.exe.2300000.1.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.pagamento.exe.2300000.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00C137B5 GetLastError,FormatMessageW,0_2_00C137B5
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00C010BF AdjustTokenPrivileges,CloseHandle,0_2_00C010BF
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00C016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00C016C3
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00C151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00C151CD
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00C2A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00C2A67C
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00C1648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_00C1648E
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00BA42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00BA42A2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
              Source: C:\Users\user\Desktop\pagamento.exeFile created: C:\Users\user\AppData\Local\Temp\aut9FCD.tmpJump to behavior
              Source: pagamento.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\pagamento.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: RegSvcs.exe, 00000002.00000002.4076883705.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4079614258.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002F86000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002FD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: pagamento.exe ReversingLabs: Detection: 57%
              Source: pagamento.exe Virustotal: Detection: 60%
              Source: unknown Process created: C:\Users\user\Desktop\pagamento.exe "C:\Users\user\Desktop\pagamento.exe"
              Source: C:\Users\user\Desktop\pagamento.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\pagamento.exe"
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: version.dll
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: wldp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: pagamento.exe Static file information: File size 1116160 > 1048576
              Source: pagamento.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: pagamento.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: pagamento.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: pagamento.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: pagamento.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: pagamento.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: Binary string: wntdll.pdbUGP source: pagamento.exe, 00000000.00000003.1613317937.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, pagamento.exe, 00000000.00000003.1610382501.0000000004040000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: pagamento.exe, 00000000.00000003.1613317937.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, pagamento.exe, 00000000.00000003.1610382501.0000000004040000.00000004.00001000.00020000.00000000.sdmp
              Source: pagamento.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: pagamento.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: pagamento.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: pagamento.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: pagamento.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BA42DE
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC0A76 push ecx; ret 0_2_00BC0A89
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C35959 push ebp; ret 0_2_00C3595F
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C35968 push edi; ret 0_2_00C3596B
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C3596C push ebp; ret 0_2_00C3596F
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C35971 push esi; ret 0_2_00C35973
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C35975 push edi; ret 0_2_00C35977
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C35978 push ebp; ret 0_2_00C3597B
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C35EED push C74815FFh; ret 0_2_00C35EF7
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C35E88 push C74815FFh; ret 0_2_00C35E92
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_012024B9 push 8BFFFFFFh; retf 2_2_012024BF
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BBF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00BBF98E
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C31C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00C31C41
              Source: C:\Users\user\Desktop\pagamento.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\pagamento.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-100426
              Source: C:\Users\user\Desktop\pagamento.exe API/Special instruction interceptor: Address: 22F3274
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599891
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599781
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599672
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599563
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599438
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599219
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599094
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598984
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598875
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598766
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598656
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598538
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598295
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598170
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597894
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597781
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597652
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597547
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597438
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597313
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597188
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597063
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596938
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596827
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596719
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596594
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596484
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596375
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596266
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596047
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595937
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595828
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595718
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595609
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595391
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595266
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595047
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594937
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594828
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594719
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594609
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594391
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594281
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594172
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1866
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7965
              Source: C:\Users\user\Desktop\pagamento.exe API coverage: 4.1 %
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C0DBBE
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BDC2A2 FindFirstFileExW, 0_2_00BDC2A2
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C168EE FindFirstFileW,FindClose, 0_2_00C168EE
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00C1698F
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C0D076
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C0D3A9
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C19642
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C1979D
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00C19B2B
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C15C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00C15C97
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BA42DE
              Source: RegSvcs.exe, 00000002.00000002.4068046835.0000000000F96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C1EAA2 BlockInput, 0_2_00C1EAA2
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BD2622
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC4CE8 mov eax, dword ptr fs:[00000030h] 0_2_00BC4CE8
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_022F34E0 mov eax, dword ptr fs:[00000030h] 0_2_022F34E0
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_022F3540 mov eax, dword ptr fs:[00000030h] 0_2_022F3540
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_022F1E70 mov eax, dword ptr fs:[00000030h] 0_2_022F1E70
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00C00B62
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00BD2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BD2622
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00BC083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BC083F
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00BC09D5 SetUnhandledExceptionFilter,0_2_00BC09D5
              Source: C:\Users\user\Desktop\pagamento.exeCode function: 0_2_00BC0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00BC0C21
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\pagamento.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\pagamento.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DC7008
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00C01201
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BE2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00BE2BA5
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C0B226 SendInput,keybd_event, 0_2_00C0B226
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00C222DA
              Source: C:\Users\user\Desktop\pagamento.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\pagamento.exe"
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00C00B62
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C01663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00C01663
              Source: pagamento.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
              Source: pagamento.exe Binary or memory string: Shell_TrayWnd
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BC0698 cpuid 0_2_00BC0698
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C18195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00C18195
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BFD27A GetUserNameW, 0_2_00BFD27A
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BDB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00BDB952
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00BA42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BA42DE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000002.00000002.4076883705.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.4076883705.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: pagamento.exe PID: 2068, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2444, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: pagamento.exe Binary or memory string: WIN_81
              Source: pagamento.exe Binary or memory string: WIN_XP
              Source: pagamento.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
              Source: pagamento.exe Binary or memory string: WIN_XPe
              Source: pagamento.exe Binary or memory string: WIN_VISTA
              Source: pagamento.exe Binary or memory string: WIN_7
              Source: pagamento.exe Binary or memory string: WIN_8
              Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: pagamento.exe PID: 2068, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2444, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.pagamento.exe.2300000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.pagamento.exe.2300000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000002.00000002.4076883705.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000002.00000002.4076883705.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: pagamento.exe PID: 2068, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2444, type: MEMORYSTR
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C21204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00C21204
              Source: C:\Users\user\Desktop\pagamento.exe Code function: 0_2_00C21806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00C21806
              MITRE ATT&CK Matrix

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
              Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
              Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
              Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
              Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
              Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 111 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; HTML Smuggling; Dynamic API Resolution
              Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
              Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 127 System Information Discovery; 221 Security Software Discovery; 111 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
              Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
              Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
              Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

              Source | Detection | Scanner | Label
              pagamento.exe | 58% | ReversingLabs | Win32.Trojan.SnakeKeylogger
              pagamento.exe | 60% | Virustotal |
              pagamento.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              reallyfreegeoip.org | 0% | Virustotal |
              checkip.dyndns.com | 0% | Virustotal |
              checkip.dyndns.org | 0% | Virustotal |
              Source | Detection | Scanner | Label
              https://reallyfreegeoip.org | 0% | URL Reputation | safe
              https://reallyfreegeoip.org | 0% | URL Reputation | safe
              http://checkip.dyndns.org | 0% | URL Reputation | safe
              http://checkip.dyndns.org/ | 0% | URL Reputation | safe
              http://checkip.dyndns.com | 0% | URL Reputation | safe
              https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe
              https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
              http://checkip.dyndns.org/q | 0% | URL Reputation | safe
              http://reallyfreegeoip.org | 0% | URL Reputation | safe
              http://reallyfreegeoip.org | 0% | URL Reputation | safe
              https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
              https://reallyfreegeoip.org/xml/8.46.123.33( | 0% | Avira URL Cloud | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              reallyfreegeoip.org | 188.114.97.3 | true | true | | unknown
              checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
              checkip.dyndns.org | unknown | unknown | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
              https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.4076883705.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
              http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.4076883705.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://checkip.dyndns.com | RegSvcs.exe, 00000002.00000002.4076883705.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://reallyfreegeoip.org/xml/8.46.123.33$ | RegSvcs.exe, 00000002.00000002.4076883705.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.4076883705.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://reallyfreegeoip.org/xml/8.46.123.33( | RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://checkip.dyndns.org/q | pagamento.exe, 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.4076883705.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002ED3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
              https://reallyfreegeoip.org/xml/ | pagamento.exe, 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4076883705.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
              IP | Domain | Country | ASN | ASN Name | Malicious
              188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
              193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
              Joe Sandbox version: 40.0.0 Tourmaline
              Analysis ID: 1501077
              Start date and time: 2024-08-29 12:01:16 +02:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 8m 3s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed: 9
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: pagamento.exe
              Detection: MAL
              Classification: mal100.troj.spyw.evad.winEXE@3/4@2/2
              EGA Information:
              • Successful, ratio: 50%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 51
              • Number of non-executed functions: 306
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target RegSvcs.exe, PID 2444 because it is empty
              • Not all processes where analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              Time | Type | Description
              06:02:41 | API Interceptor | 9336695x Sleep call for process: RegSvcs.exe modified
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              188.114.97.3 | Document_pdf.exe | malicious | FormBook | www.x0x9x8x8x7x6.shop/dscg/
              188.114.97.3 | QUOTATION_AUGQTRA071244#U00b7PDF.scr | malicious | Unknown | filetransfer.io/data-package/zbi9vNYx/download
              188.114.97.3 | z1209627360293827.exe | malicious | DBatLoader, FormBook | www.coinwab.com/kqqj/
              188.114.97.3 | file.exe | malicious | LummaC | joxi.net/4Ak49WQH0GE3Nr.mp3
              188.114.97.3 | Rudvfa0Z17.exe | malicious | Nitol | web.ad87h92j.com/4/t.bmp
              188.114.97.3 | nOyswc9ly2.dll | malicious | Unknown | web.ad87h92j.com/4/t.bmp
              188.114.97.3 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/0U9QqTZ6/download
              188.114.97.3 | QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | filetransfer.io/data-package/e0pM9Trc/download
              188.114.97.3 | steam_module_x64.exe | malicious | DCRat, PureLog Stealer, zgRAT | 671893cm.n9shka.top/eternalpipeLowProcessDbDatalifewpPublicCdn.php
              188.114.97.3 | http://membership.garenaa.id.vn/css/tunnel.aspx/manager10.jsp | malicious | Unknown | membership.garenaa.id.vn/user/login/images/fb_ico.png
              193.122.6.168 | QUOTATION_AUGQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
              193.122.6.168 | RFQ-MR-24-09101 SPS.js | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
              193.122.6.168 | Bukti-Transfer.vbs | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
              193.122.6.168 | Statement of Account.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
              193.122.6.168 | FedEx Shipping Confirmation.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
              193.122.6.168 | 2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
              193.122.6.168 | FACTURA PENDIENTE DE COBRO P24PM0531563.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
              193.122.6.168 | Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
              193.122.6.168 | PO-890.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
              193.122.6.168 | P.O_23514.scr.exe | malicious | MassLogger RAT | checkip.dyndns.org/
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              reallyfreegeoip.org | 8468281651.exe | malicious | Snake Keylogger | 188.114.97.3
              reallyfreegeoip.org | STATEMENT Aug 2024.exe | malicious | Snake Keylogger | 188.114.96.3
              reallyfreegeoip.org | 172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
              reallyfreegeoip.org | QUOTATION_AUGQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
              reallyfreegeoip.org | RFQ-MR-24-09101 SPS.js | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
              reallyfreegeoip.org | SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
              reallyfreegeoip.org | Spec sheet.exe | malicious | Snake Keylogger | 188.114.96.3
              reallyfreegeoip.org | df24c9ca-d50b-c720-84ed-638e99f68d75.eml | malicious | Snake Keylogger | 188.114.96.3
              reallyfreegeoip.org | 18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
              reallyfreegeoip.org | Scanned copy payment.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
              checkip.dyndns.com | 8468281651.exe | malicious | Snake Keylogger | 132.226.8.169
              checkip.dyndns.com | STATEMENT Aug 2024.exe | malicious | Snake Keylogger | 132.226.8.169
              checkip.dyndns.com | 172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
              checkip.dyndns.com | QUOTATION_AUGQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
              checkip.dyndns.com | RFQ-MR-24-09101 SPS.js | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
              checkip.dyndns.com | SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
              checkip.dyndns.com | Spec sheet.exe | malicious | Snake Keylogger | 193.122.130.0
              checkip.dyndns.com | df24c9ca-d50b-c720-84ed-638e99f68d75.eml | malicious | Snake Keylogger | 132.226.8.169
              checkip.dyndns.com | 18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
              checkip.dyndns.com | Scanned copy payment.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | 172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | QUOTATION_AUGQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | RFQ-MR-24-09101 SPS.js | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | Spec sheet.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | https://ca.docusign.net/Signing/EmailStart.aspx?a=f73cd823-d46e-4c1d-9aa7-a3313bd2d402&etti=24&acct=9d2cdf2a-d1fa-4c66-83f5-9dd312af890e&er=68a0e22a-40d9-446a-8837-385c38bcc4d8 | malicious | Unknown | 192.29.14.118
ORACLE-BMC-31898US | 18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | DETAILING_INFO_0321.vbe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | GCBrnEGE22coKRz.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | UploadCustomersTemplate(2).xlsm | malicious | Unknown | 130.35.100.56
CLOUDFLARENETUS | Po#70831.exe | malicious | Azorult | 172.67.128.117
CLOUDFLARENETUS | payment PAGO 2974749647839452.js | malicious | Unknown | 162.159.130.233
CLOUDFLARENETUS | Document_pdf.exe | malicious | FormBook | 104.21.62.58
CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe | malicious | AgentTesla, DarkTortilla | 104.26.13.205
CLOUDFLARENETUS | https://my.manychat.com/r?act=179c825ab8add5f9e8bacb82e520a126&u=7459244230843026&p=108345799024755&h=708b8c96be&fbclid=IwZXh0bgNhZW0CMTAAAR07FD8Q65AMa77uMdYFT9FANMjTbvHV0BrVDR-o7WBQKwVAUtHYk2rnVVU_aem_OFd7GNUGsZzyslAWr711gg | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://tinyurl.com/NDCEurope | malicious | Unknown | 104.18.86.42
CLOUDFLARENETUS | OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml | malicious | Unknown | 172.67.146.213
CLOUDFLARENETUS | ORDER_38746_pdf.exe | malicious | FormBook | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 8468281651.exe | malicious | Snake Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | STATEMENT Aug 2024.exe | malicious | Snake Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | 172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | QUOTATION_AUGQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | RFQ-MR-24-09101 SPS.js | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | Spec sheet.exe | malicious | Snake Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | cY-5134-kfF.exe | malicious | Unknown | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | cY-5134-kfF.exe | malicious | Unknown | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | 18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
              No context
              Process:C:\Users\user\Desktop\pagamento.exe
              File Type:data
              Category:dropped
              Size (bytes):97560
              Entropy (8bit):7.927868859098673
              Encrypted:false
              SSDEEP:1536:JGGFlEXeqY+W5BoprCuSk6VAcaau/q3KsRnoADv/CfLoPhcZwZWfJ:Jt5j+W59usVAcaaukCcHC2CZwZ6
              MD5:212880177D7C923CD60706AFBDE5D9DD
              SHA1:7EC63EBF4F8E7F93E48B121B6B28D2AD6A6BF737
              SHA-256:35E42A4460CD32AE0447A203D26BF2D869E7D5BD177FFCE05FE472B9240E3763
              SHA-512:4C1F4B219F9C23A5171DFF876942EA54E9D17AFD2E1F6D03D162374A9FF7477926E50744080BFFC4A3CCA4E99DDC6FECBD77D05039C3317259D131FA91A1F25C
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\pagamento.exe
              File Type:data
              Category:dropped
              Size (bytes):43572
              Entropy (8bit):7.819120980760013
              Encrypted:false
              SSDEEP:768:EQPgVsrKNTu4gm0H4ZnioE0gCdI9b0SbR2KN43+vE724s2FNKThj6SG:EQPgmY+m84p1gaSFT43+4s2SB6SG
              MD5:A6DF418D3C8974E366FC76533561636B
              SHA1:8362CD5ADB9FD2DFF11EBFDC2D903BB34BF074B8
              SHA-256:B07B71AE7323EB68427FE30DF571E967183E06DA72DDD34D1D37BE134DC216EB
              SHA-512:5710C416880299CF026764DB37D30AD3E89B2C50F6443B17AFCFB517004857F6A06E2FBC016E21B50444212B0CB39BF8574BC66BE61F1CBDD33BB0D2A5906D5B
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\pagamento.exe
              File Type:ASCII text, with very long lines (65536), with no line terminators
              Category:dropped
              Size (bytes):86022
              Entropy (8bit):4.17957477249631
              Encrypted:false
              SSDEEP:1536:21v3INdUFkWdeJ94zJsegSbyp8LbocYU61WP:2cufMeJseRL0cWWP
              MD5:AC8953D9F922092846636830155F5BE2
              SHA1:C51F9F45873EE87A6B2C32D87E1C81D3AB7439F3
              SHA-256:F05A351945559CB314D468920DE060F1EF05B41F4CB35F700365AF438CD5BDD5
              SHA-512:C5C24574CA76BA69AB77EEA2C023161E79AC89740399C6B3731B245C0F137BDC5BD80B9EDB2739E8646DDDF7ADC9EB0728CEA9567A2436A34D35493F6891602B
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\pagamento.exe
              File Type:data
              Category:dropped
              Size (bytes):133632
              Entropy (8bit):6.984604285734691
              Encrypted:false
              SSDEEP:3072:8zrRA5B60PQmxhBT7bE00nvPIgpY3qTzsbJwOKiHRpSYwH:8/4630nUogZEd7KiBc
              MD5:7B0E753AFA691A8D31B95484B187C3F5
              SHA1:8F461AF30690A0C0CAE159EBE7DC6E8FEA553758
              SHA-256:491D90B601F574F96023631C3CE2E4B46460B0C0DD8B99F9D48E59E8EEB0C2BD
              SHA-512:3231B3C471CBC2F7AF0B0610D0A458E29550D6EED417B4DDCB226FD1FEE7A49D65ED67F113CF2E65BDE8641B84AC290F88150C944B9A461D82DB9E85D6E0E5CA
              Malicious:false
              Reputation:low
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.9654228846729485
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:pagamento.exe
              File size:1'116'160 bytes
              MD5:3aed500e59bf7f4761c307fa6976fd7a
              SHA1:d9332de73d9cae677566ece8350e9648e54ef9de
              SHA256:eba01987d394303d9b87f90eeba8d51a5509f4ce484620a032ce94c2e38502d3
              SHA512:f5df046061c37d9399dda941bb0114659f57911485fd00b9bcbbd8b7b9318e419fa6aca6b68046b0d13513429b10a7b02db0da4569fca4e58402ab812d7d4fd8
              SSDEEP:24576:mqDEvCTbMWu7rQYlBQcBiT6rprG8aNGxkbziWU:mTvC/MTQYxsWR7aNEoiW
              TLSH:9535BF0273C1D022FF9B92734B5BF6515BBC6A260123A61F13A81D79BE701B1563E7A3
              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
              Icon Hash:aaf3e3e3938382a0
              Entrypoint:0x420577
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
              Time Stamp:0x66C5BF66 [Wed Aug 21 10:20:22 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:948cc502fe9226992dce9417f952fce3
              Instruction
              call 00007F63993B4453h
              jmp 00007F63993B3D5Fh
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007F63993B3F3Dh
              mov dword ptr [esi], 0049FDF0h
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 0049FDF8h
              mov dword ptr [ecx], 0049FDF0h
              ret
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007F63993B3F0Ah
              mov dword ptr [esi], 0049FE0Ch
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 0049FE14h
              mov dword ptr [ecx], 0049FE0Ch
              ret
              push ebp
              mov ebp, esp
              push esi
              mov esi, ecx
              lea eax, dword ptr [esi+04h]
              mov dword ptr [esi], 0049FDD0h
              and dword ptr [eax], 00000000h
              and dword ptr [eax+04h], 00000000h
              push eax
              mov eax, dword ptr [ebp+08h]
              add eax, 04h
              push eax
              call 00007F63993B6AFDh
              pop ecx
              pop ecx
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              lea eax, dword ptr [ecx+04h]
              mov dword ptr [ecx], 0049FDD0h
              push eax
              call 00007F63993B6B48h
              pop ecx
              ret
              push ebp
              mov ebp, esp
              push esi
              mov esi, ecx
              lea eax, dword ptr [esi+04h]
              mov dword ptr [esi], 0049FDD0h
              push eax
              call 00007F63993B6B31h
              test byte ptr [ebp+08h], 00000001h
              pop ecx
              Programming Language:
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x39d0c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10e000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x39d0c | 0x39e00 | a91d6f8b8345c7f0abb71bec09e0eee2 | False | 0.8862926903347732 | data | 7.79306139810255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10e000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x30fd2 | data | | | 1.0003538358799549
RT_GROUP_ICON | 0x10d78c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x10d804 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x10d818 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x10d82c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x10d840 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x10d91c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-29T12:02:50.042956+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49716 | 443 | 192.168.2.9 | 188.114.97.3
2024-08-29T12:02:43.302201+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49708 | 443 | 192.168.2.9 | 188.114.97.3
2024-08-29T12:02:52.685606+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49720 | 443 | 192.168.2.9 | 188.114.97.3
2024-08-29T12:02:43.993994+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49709 | 80 | 192.168.2.9 | 193.122.6.168
2024-08-29T12:02:41.806438+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49706 | 80 | 192.168.2.9 | 193.122.6.168
2024-08-29T12:02:44.538824+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 49710 | 443 | 192.168.2.9 | 188.114.97.3
2024-08-29T12:02:42.744009+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49706 | 80 | 192.168.2.9 | 193.122.6.168
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Aug 29, 2024 12:02:40.446871996 CEST | 55849 | 53 | 192.168.2.9 | 1.1.1.1
              Aug 29, 2024 12:02:40.454655886 CEST | 53 | 55849 | 1.1.1.1 | 192.168.2.9
              Aug 29, 2024 12:02:41.830559015 CEST | 51050 | 53 | 192.168.2.9 | 1.1.1.1
              Aug 29, 2024 12:02:41.838875055 CEST | 53 | 51050 | 1.1.1.1 | 192.168.2.9
              Aug 29, 2024 12:02:59.158715010 CEST | 53 | 65510 | 1.1.1.1 | 192.168.2.9
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Aug 29, 2024 12:02:40.446871996 CEST | 192.168.2.9 | 1.1.1.1 | 0x32eb | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
              Aug 29, 2024 12:02:41.830559015 CEST | 192.168.2.9 | 1.1.1.1 | 0x7098 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Aug 29, 2024 12:02:40.454655886 CEST | 1.1.1.1 | 192.168.2.9 | 0x32eb | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
              Aug 29, 2024 12:02:40.454655886 CEST | 1.1.1.1 | 192.168.2.9 | 0x32eb | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
              Aug 29, 2024 12:02:40.454655886 CEST | 1.1.1.1 | 192.168.2.9 | 0x32eb | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
              Aug 29, 2024 12:02:40.454655886 CEST | 1.1.1.1 | 192.168.2.9 | 0x32eb | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
              Aug 29, 2024 12:02:40.454655886 CEST | 1.1.1.1 | 192.168.2.9 | 0x32eb | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
              Aug 29, 2024 12:02:40.454655886 CEST | 1.1.1.1 | 192.168.2.9 | 0x32eb | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
              Aug 29, 2024 12:02:41.838875055 CEST | 1.1.1.1 | 192.168.2.9 | 0x7098 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
              Aug 29, 2024 12:02:41.838875055 CEST | 1.1.1.1 | 192.168.2.9 | 0x7098 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
              • reallyfreegeoip.org
              • checkip.dyndns.org
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.9 | 49706 | 193.122.6.168 | 80 | 2444 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              Aug 29, 2024 12:02:40.531263113 CEST | 151 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              Aug 29, 2024 12:02:41.220768929 CEST | 320 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:41 GMT
              Content-Type: text/html
              Content-Length: 103
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: e8f54ea5b247b6082db8a9538d3e1ea3
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
              Aug 29, 2024 12:02:41.562094927 CEST | 127 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Aug 29, 2024 12:02:41.753981113 CEST | 320 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:41 GMT
              Content-Type: text/html
              Content-Length: 103
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 5dcb7a981c4b7327d9582052be401b06
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
              Aug 29, 2024 12:02:42.496957064 CEST | 127 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Aug 29, 2024 12:02:42.688169956 CEST | 320 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:42 GMT
              Content-Type: text/html
              Content-Length: 103
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 502227fd450aed9d0205061c74c47f9a
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.9 | 49709 | 193.122.6.168 | 80 | 2444 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              Aug 29, 2024 12:02:43.313182116 CEST | 127 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Aug 29, 2024 12:02:43.944389105 CEST | 320 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:43 GMT
              Content-Type: text/html
              Content-Length: 103
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 202a45ab6871f59de641967efb9a5aa8
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              2 | 192.168.2.9 | 49711 | 193.122.6.168 | 80 | 2444 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              Aug 29, 2024 12:02:45.869826078 CEST | 151 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              Aug 29, 2024 12:02:46.892383099 CEST | 320 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:46 GMT
              Content-Type: text/html
              Content-Length: 103
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: d92a8b3896efcfbbeff3e18104f389c3
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
              Aug 29, 2024 12:02:46.946280956 CEST | 320 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:46 GMT
              Content-Type: text/html
              Content-Length: 103
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: d92a8b3896efcfbbeff3e18104f389c3
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              3 | 192.168.2.9 | 49713 | 193.122.6.168 | 80 | 2444 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              Aug 29, 2024 12:02:47.533159971 CEST | 151 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              Aug 29, 2024 12:02:48.160515070 CEST | 320 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:48 GMT
              Content-Type: text/html
              Content-Length: 103
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: 2682058b7725ff4216e136ab3bf793b4
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              4 | 192.168.2.9 | 49715 | 193.122.6.168 | 80 | 2444 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              Aug 29, 2024 12:02:48.783030987 CEST | 151 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              Aug 29, 2024 12:02:49.426698923 CEST | 320 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:49 GMT
              Content-Type: text/html
              Content-Length: 103
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: ec1d49e6bbaf242482e4db337cb3d702
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              5 | 192.168.2.9 | 49717 | 193.122.6.168 | 80 | 2444 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              Aug 29, 2024 12:02:50.052861929 CEST | 151 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              Aug 29, 2024 12:02:50.803428888 CEST | 320 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:50 GMT
              Content-Type: text/html
              Content-Length: 103
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: e16e5773d9d32a6df0b764acc2d09645
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              6 | 192.168.2.9 | 49719 | 193.122.6.168 | 80 | 2444 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              Aug 29, 2024 12:02:51.412918091 CEST | 151 | OUT | GET / HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
              Host: checkip.dyndns.org
              Connection: Keep-Alive
              Aug 29, 2024 12:02:52.049916983 CEST | 320 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:51 GMT
              Content-Type: text/html
              Content-Length: 103
              Connection: keep-alive
              Cache-Control: no-cache
              Pragma: no-cache
              X-Request-ID: d48baa28b21038afb415921a2918264d
              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.9 | 49707 | 188.114.97.3 | 443 | 2444 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 10:02:42 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
              Host: reallyfreegeoip.org
              Connection: Keep-Alive
              2024-08-29 10:02:42 UTC | 702 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:42 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 24345
              Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ufb%2F6srULZh0QK6JqdB9iRaOhSCOCAdelkl8PRtVJoXvK8zrnWHXRPxaMmo4XBrYxysI9d7HYV9arIEUkFIGH3LielIWgmGk2Ve0ocSWRcJt8OwI5kBB50iitagCnaMwgTZaCv9p"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8babb4ff28d0440d-EWR
              alt-svc: h3=":443"; ma=86400
              2024-08-29 10:02:42 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
              2024-08-29 10:02:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.9 | 49708 | 188.114.97.3 | 443 | 2444 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 10:02:43 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
              Host: reallyfreegeoip.org
              2024-08-29 10:02:43 UTC | 708 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:43 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 24346
              Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cLNMCrLDIwq0N9RxbQYYYERPX6Hv4BD%2FzE2dg2xAzNaGsh4Eit%2F3qdKa%2B5MCgjxDH3vcm7cIdeOiNEKbCGHI1vbtu%2BGGvFWgoyFWcg0EpfaJdzjsKhtvjUnFj4lUz9B9l64HeOTU"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8babb50449dd41f2-EWR
              alt-svc: h3=":443"; ma=86400
              2024-08-29 10:02:43 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
              2024-08-29 10:02:43 UTC5INData Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID: 2, Source IP: 192.168.2.9, Source Port: 49710, Destination IP: 188.114.97.3, Destination Port: 443, PID: 2444, Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 10:02:44 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
              Host: reallyfreegeoip.org
              2024-08-29 10:02:44 UTC | 704 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:44 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 24347
              Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V7v1F0grGKZy9sXQ364RWadzrPqs9mxwEhefr7pimmkItvUMIurv0U3sVJA5A5FKqB6NGQW5bySamxJE7xLxbbAqSJJmh%2F%2F5O2X8LXIbM5CHlcgnYRqxvyn1i7a4XbC64yV8cl88"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8babb50c0e9c425b-EWR
              alt-svc: h3=":443"; ma=86400
              2024-08-29 10:02:44 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
              2024-08-29 10:02:44 UTC | 5 | IN | Data Ascii: 0


              Session ID: 3, Source IP: 192.168.2.9, Source Port: 49712, Destination IP: 188.114.97.3, Destination Port: 443, PID: 2444, Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 10:02:47 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
              Host: reallyfreegeoip.org
              Connection: Keep-Alive
              2024-08-29 10:02:47 UTC | 704 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:47 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 24350
              Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ohqkFwxBJVDL2b5zhkTVP%2F0C3bxd6y8TtzVDqwo2CqTQtZmFwJiXOUuk8kqpRmO8pac5vkCtLlx07Yi8styG7viIbrYc%2FWsBG5JmRRzfa1PUn20SCz8HnZMLeYWW29IplOHXIwlG"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8babb51eacda78d0-EWR
              alt-svc: h3=":443"; ma=86400
              2024-08-29 10:02:47 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
              2024-08-29 10:02:47 UTC | 5 | IN | Data Ascii: 0


              Session ID: 4, Source IP: 192.168.2.9, Source Port: 49714, Destination IP: 188.114.97.3, Destination Port: 443, PID: 2444, Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 10:02:48 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
              Host: reallyfreegeoip.org
              Connection: Keep-Alive
              2024-08-29 10:02:48 UTC | 714 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:48 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 24351
              Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BFW1NB5GLCA8%2FaZwpabr0v48JUuzoJJbNQBGChkKo8c2%2Fp%2FQ9MaLn676npRM%2BIiCQWrypm5LC%2FqDD7UVRVbolVqRXTZ4IkrtBp%2BHaWEcapkRWvADOFb21V8TvIeIphJEq%2FSfNamT"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8babb526784243b1-EWR
              alt-svc: h3=":443"; ma=86400
              2024-08-29 10:02:48 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
              2024-08-29 10:02:48 UTC | 5 | IN | Data Ascii: 0


              Session ID: 5, Source IP: 192.168.2.9, Source Port: 49716, Destination IP: 188.114.97.3, Destination Port: 443, PID: 2444, Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 10:02:49 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
              Host: reallyfreegeoip.org
              2024-08-29 10:02:50 UTC | 704 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:49 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 24352
              Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lEgeU8hCan4Fn9yhR5Jy9WtcrXM0RRK176mDBn9zHZGyJpnj3hdWAbKU2vYDWLMWi8PiWCwCeZyJJgnCsUu80pvpi02KHvNZgQzff%2FQeHaJpJLPGBS4ed%2FFwpp3vJQz72KkeY8iP"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8babb52e68a717b9-EWR
              alt-svc: h3=":443"; ma=86400
              2024-08-29 10:02:50 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
              2024-08-29 10:02:50 UTC | 5 | IN | Data Ascii: 0


              Session ID: 6, Source IP: 192.168.2.9, Source Port: 49718, Destination IP: 188.114.97.3, Destination Port: 443, PID: 2444, Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 10:02:51 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
              Host: reallyfreegeoip.org
              Connection: Keep-Alive
              2024-08-29 10:02:51 UTC | 706 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:51 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 24354
              Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DRa24k4RnwwuVTIA1guGqZnJMUHufuQPugR5dc8O5Dr4yzOQvj920mMEElLqn2aM98%2B8OFEzNiKpl0Jr2oNdiyzITqrLLV460GZtbRa7W%2BwyS9%2FZsChEUligpQNJmXm4qCiLfpLf"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8babb536d99e42a0-EWR
              alt-svc: h3=":443"; ma=86400
              2024-08-29 10:02:51 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
              2024-08-29 10:02:51 UTC | 5 | IN | Data Ascii: 0


              Session ID: 7, Source IP: 192.168.2.9, Source Port: 49720, Destination IP: 188.114.97.3, Destination Port: 443, PID: 2444, Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-08-29 10:02:52 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
              Host: reallyfreegeoip.org
              2024-08-29 10:02:52 UTC | 708 | IN | HTTP/1.1 200 OK
              Date: Thu, 29 Aug 2024 10:02:52 GMT
              Content-Type: application/xml
              Transfer-Encoding: chunked
              Connection: close
              access-control-allow-origin: *
              vary: Accept-Encoding
              Cache-Control: max-age=86400
              CF-Cache-Status: HIT
              Age: 24355
              Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FIEVnA158jbjl2iPhFymuZMavD%2FIThpcNDxrGMCTjC2hhTW7yvpmq4%2BjKZfGzAHKi6pdUEGBGl95r7wKldiKqSDTFBFeFTEOnpXUjCJ%2F%2FhVl4ruJCUOuVUFJBVtXTbwLpBlBYqwX"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8babb53ee8cf41bb-EWR
              alt-svc: h3=":443"; ma=86400
              2024-08-29 10:02:52 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
              2024-08-29 10:02:52 UTC | 5 | IN | Data Ascii: 0



              Target ID: 0
              Start time: 06:02:37
              Start date: 29/08/2024
              Path: C:\Users\user\Desktop\pagamento.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\pagamento.exe"
              Imagebase: 0xba0000
              File size: 1'116'160 bytes
              MD5 hash: 3AED500E59BF7F4761C307FA6976FD7A
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1620768175.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              Reputation: low
              Has exited: true

              Target ID: 2
              Start time: 06:02:38
              Start date: 29/08/2024
              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\pagamento.exe"
              Imagebase: 0xb20000
              File size: 45'984 bytes
              MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4076883705.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4067667770.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4076883705.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Reputation: high
              Has exited: false


                Execution Graph

                Execution Coverage: 3.1%
                Dynamic/Decrypted Code Coverage: 1.5%
                Signature Coverage: 3.2%
                Total number of Nodes: 2000
                Total number of Limit Nodes: 64
__fread_nolock 98619->99065 98622 ba636e 98622->98415 98623 be4a5b 98624 be4a67 98623->98624 98625 baa8c7 22 API calls 98623->98625 98625->98624 98627 c0d7d8 98626->98627 98628 c0d7f3 98627->98628 98629 c0d7dd 98627->98629 98630 baa961 22 API calls 98628->98630 98631 baa8c7 22 API calls 98629->98631 98679 c0d7ee 98629->98679 98632 c0d7fb 98630->98632 98631->98679 98633 baa961 22 API calls 98632->98633 98634 c0d803 98633->98634 98635 baa961 22 API calls 98634->98635 98636 c0d80e 98635->98636 98637 baa961 22 API calls 98636->98637 98638 c0d816 98637->98638 98639 baa961 22 API calls 98638->98639 98640 c0d81e 98639->98640 98641 baa961 22 API calls 98640->98641 98642 c0d826 98641->98642 98643 baa961 22 API calls 98642->98643 98644 c0d82e 98643->98644 98645 baa961 22 API calls 98644->98645 98646 c0d836 98645->98646 98647 ba525f 22 API calls 98646->98647 98648 c0d84d 98647->98648 98649 ba525f 22 API calls 98648->98649 98650 c0d866 98649->98650 98651 ba4c6d 22 API calls 98650->98651 98652 c0d872 98651->98652 98653 c0d885 98652->98653 98654 ba93b2 22 API calls 98652->98654 98655 ba4c6d 22 API calls 98653->98655 98654->98653 98656 c0d88e 98655->98656 98657 c0d89e 98656->98657 98659 ba93b2 22 API calls 98656->98659 98658 c0d8b0 98657->98658 98660 baa8c7 22 API calls 98657->98660 98661 ba6350 22 API calls 98658->98661 98659->98657 98660->98658 98662 c0d8bb 98661->98662 99066 c0d978 22 API calls 98662->99066 98664 c0d8ca 99067 c0d978 22 API calls 98664->99067 98666 c0d8dd 98667 ba4c6d 22 API calls 98666->98667 98668 c0d8e7 98667->98668 98669 c0d8ec 98668->98669 98670 c0d8fe 98668->98670 98672 ba33c6 22 API calls 98669->98672 98671 ba4c6d 22 API calls 98670->98671 98673 c0d907 98671->98673 98674 c0d8f9 98672->98674 98675 c0d925 98673->98675 98676 ba33c6 22 API calls 98673->98676 98677 ba6350 22 API calls 98674->98677 98678 ba6350 22 API calls 98675->98678 98676->98674 98677->98675 98678->98679 98679->98424 98681 c12954 __wsopen_s 98680->98681 98682 bbfe0b 22 API calls 
98681->98682 98683 c12971 98682->98683 98684 ba5722 22 API calls 98683->98684 98685 c1297b 98684->98685 98686 c1274e 27 API calls 98685->98686 98687 c12986 98686->98687 98688 ba511f 64 API calls 98687->98688 98689 c1299b 98688->98689 98690 c12a6c 98689->98690 98691 c129bf 98689->98691 98692 c12e66 75 API calls 98690->98692 99094 c12e66 98691->99094 98694 c12a38 98692->98694 98697 ba50f5 40 API calls 98694->98697 98700 c12a75 ISource 98694->98700 98698 c12a91 98697->98698 98699 ba50f5 40 API calls 98698->98699 98702 c12aa1 98699->98702 98700->98431 98701 c129ed 99101 bcd583 26 API calls 98701->99101 98703 ba50f5 40 API calls 98702->98703 98705 c12abc 98703->98705 98706 ba50f5 40 API calls 98705->98706 98707 c12acc 98706->98707 98708 ba50f5 40 API calls 98707->98708 98709 c12ae7 98708->98709 98710 ba50f5 40 API calls 98709->98710 98711 c12af7 98710->98711 98712 ba50f5 40 API calls 98711->98712 98713 c12b07 98712->98713 98714 ba50f5 40 API calls 98713->98714 98715 c12b17 98714->98715 99068 c13017 GetTempPathW GetTempFileNameW 98715->99068 98717 c12b22 98718 bce5eb 29 API calls 98717->98718 98728 c12b33 98718->98728 98719 c12bed 99078 bce678 98719->99078 98721 c12bf8 98723 c12c12 98721->98723 98724 c12bfe DeleteFileW 98721->98724 98722 ba50f5 40 API calls 98722->98728 98725 c12c91 CopyFileW 98723->98725 98731 c12c18 98723->98731 98724->98700 98726 c12ca7 DeleteFileW 98725->98726 98727 c12cb9 DeleteFileW 98725->98727 98726->98700 99091 c12fd8 CreateFileW 98727->99091 98728->98700 98728->98719 98728->98722 99069 bcdbb3 98728->99069 99102 c122ce 98731->99102 98734 c12c80 DeleteFileW 98734->98700 98735->98357 98736->98391 98737->98405 98738->98535 98739->98535 98740->98533 98741->98538 98743 ba4ea8 GetProcAddress 98742->98743 98744 ba4ec6 98742->98744 98745 ba4eb8 98743->98745 98747 bce5eb 98744->98747 98745->98744 98746 ba4ebf FreeLibrary 98745->98746 98746->98744 98780 bce52a 98747->98780 98749 ba4eea 98749->98555 98749->98556 98751 ba4e6e GetProcAddress 98750->98751 
98752 ba4e8d 98750->98752 98753 ba4e7e 98751->98753 98755 ba4f80 98752->98755 98753->98752 98754 ba4e86 FreeLibrary 98753->98754 98754->98752 98756 bbfe0b 22 API calls 98755->98756 98757 ba4f95 98756->98757 98758 ba5722 22 API calls 98757->98758 98759 ba4fa1 __fread_nolock 98758->98759 98760 be3d1d 98759->98760 98761 ba50a5 98759->98761 98770 ba4fdc 98759->98770 98859 c1304d 74 API calls 98760->98859 98848 ba42a2 CreateStreamOnHGlobal 98761->98848 98764 be3d22 98766 ba511f 64 API calls 98764->98766 98765 ba50f5 40 API calls 98765->98770 98767 be3d45 98766->98767 98768 ba50f5 40 API calls 98767->98768 98771 ba506e ISource 98768->98771 98770->98764 98770->98765 98770->98771 98854 ba511f 98770->98854 98771->98564 98773 ba5107 98772->98773 98774 be3d70 98772->98774 98881 bce8c4 98773->98881 98777 c128fe 99023 c1274e 98777->99023 98779 c12919 98779->98571 98783 bce536 BuildCatchObjectHelperInternal 98780->98783 98781 bce544 98805 bcf2d9 20 API calls _abort 98781->98805 98783->98781 98785 bce574 98783->98785 98784 bce549 98806 bd27ec 26 API calls _strftime 98784->98806 98787 bce579 98785->98787 98788 bce586 98785->98788 98807 bcf2d9 20 API calls _abort 98787->98807 98797 bd8061 98788->98797 98791 bce58f 98792 bce595 98791->98792 98793 bce5a2 98791->98793 98808 bcf2d9 20 API calls _abort 98792->98808 98809 bce5d4 LeaveCriticalSection __fread_nolock 98793->98809 98795 bce554 __fread_nolock 98795->98749 98798 bd806d BuildCatchObjectHelperInternal 98797->98798 98810 bd2f5e EnterCriticalSection 98798->98810 98800 bd807b 98811 bd80fb 98800->98811 98804 bd80ac __fread_nolock 98804->98791 98805->98784 98806->98795 98807->98795 98808->98795 98809->98795 98810->98800 98818 bd811e 98811->98818 98812 bd8177 98829 bd4c7d 98812->98829 98817 bd8189 98819 bd8088 98817->98819 98842 bd3405 11 API calls 2 library calls 98817->98842 98818->98812 98818->98819 98827 bc918d EnterCriticalSection 98818->98827 98828 bc91a1 LeaveCriticalSection 98818->98828 98824 bd80b7 98819->98824 98822 bd81a8 
98843 bc918d EnterCriticalSection 98822->98843 98847 bd2fa6 LeaveCriticalSection 98824->98847 98826 bd80be 98826->98804 98827->98818 98828->98818 98834 bd4c8a _abort 98829->98834 98830 bd4cca 98845 bcf2d9 20 API calls _abort 98830->98845 98831 bd4cb5 RtlAllocateHeap 98832 bd4cc8 98831->98832 98831->98834 98836 bd29c8 98832->98836 98834->98830 98834->98831 98844 bc4ead 7 API calls 2 library calls 98834->98844 98837 bd29fc _free 98836->98837 98838 bd29d3 RtlFreeHeap 98836->98838 98837->98817 98838->98837 98839 bd29e8 98838->98839 98846 bcf2d9 20 API calls _abort 98839->98846 98841 bd29ee GetLastError 98841->98837 98842->98822 98843->98819 98844->98834 98845->98832 98846->98841 98847->98826 98849 ba42d9 98848->98849 98850 ba42bc FindResourceExW 98848->98850 98849->98770 98850->98849 98851 be35ba LoadResource 98850->98851 98851->98849 98852 be35cf SizeofResource 98851->98852 98852->98849 98853 be35e3 LockResource 98852->98853 98853->98849 98855 ba512e 98854->98855 98858 be3d90 98854->98858 98860 bcece3 98855->98860 98859->98764 98863 bceaaa 98860->98863 98862 ba513c 98862->98770 98865 bceab6 BuildCatchObjectHelperInternal 98863->98865 98864 bceac2 98876 bcf2d9 20 API calls _abort 98864->98876 98865->98864 98866 bceae8 98865->98866 98878 bc918d EnterCriticalSection 98866->98878 98869 bceac7 98877 bd27ec 26 API calls _strftime 98869->98877 98870 bceaf4 98879 bcec0a 62 API calls 2 library calls 98870->98879 98873 bceb08 98880 bceb27 LeaveCriticalSection __fread_nolock 98873->98880 98875 bcead2 __fread_nolock 98875->98862 98876->98869 98877->98875 98878->98870 98879->98873 98880->98875 98884 bce8e1 98881->98884 98883 ba5118 98883->98777 98885 bce8ed BuildCatchObjectHelperInternal 98884->98885 98886 bce925 __fread_nolock 98885->98886 98887 bce92d 98885->98887 98888 bce900 ___scrt_fastfail 98885->98888 98886->98883 98897 bc918d EnterCriticalSection 98887->98897 98911 bcf2d9 20 API calls _abort 98888->98911 98890 bce937 98898 bce6f8 98890->98898 98892 bce91a 98912 bd27ec 26 
API calls _strftime 98892->98912 98897->98890 98899 bce70a ___scrt_fastfail 98898->98899 98904 bce727 98898->98904 98900 bce717 98899->98900 98899->98904 98909 bce76a __fread_nolock 98899->98909 98986 bcf2d9 20 API calls _abort 98900->98986 98902 bce71c 98987 bd27ec 26 API calls _strftime 98902->98987 98913 bce96c LeaveCriticalSection __fread_nolock 98904->98913 98905 bce886 ___scrt_fastfail 98989 bcf2d9 20 API calls _abort 98905->98989 98909->98904 98909->98905 98914 bcd955 98909->98914 98921 bd8d45 98909->98921 98988 bccf78 26 API calls 4 library calls 98909->98988 98911->98892 98912->98886 98913->98886 98915 bcd976 98914->98915 98916 bcd961 98914->98916 98915->98909 98990 bcf2d9 20 API calls _abort 98916->98990 98918 bcd966 98991 bd27ec 26 API calls _strftime 98918->98991 98920 bcd971 98920->98909 98922 bd8d6f 98921->98922 98923 bd8d57 98921->98923 98925 bd90d9 98922->98925 98930 bd8db4 98922->98930 99001 bcf2c6 20 API calls _abort 98923->99001 99017 bcf2c6 20 API calls _abort 98925->99017 98926 bd8d5c 99002 bcf2d9 20 API calls _abort 98926->99002 98929 bd90de 99018 bcf2d9 20 API calls _abort 98929->99018 98932 bd8dbf 98930->98932 98933 bd8d64 98930->98933 98937 bd8def 98930->98937 99003 bcf2c6 20 API calls _abort 98932->99003 98933->98909 98934 bd8dcc 99019 bd27ec 26 API calls _strftime 98934->99019 98936 bd8dc4 99004 bcf2d9 20 API calls _abort 98936->99004 98940 bd8e08 98937->98940 98941 bd8e2e 98937->98941 98942 bd8e4a 98937->98942 98940->98941 98946 bd8e15 98940->98946 99005 bcf2c6 20 API calls _abort 98941->99005 99008 bd3820 21 API calls 2 library calls 98942->99008 98945 bd8e33 99006 bcf2d9 20 API calls _abort 98945->99006 98992 bdf89b 98946->98992 98947 bd8e61 98950 bd29c8 _free 20 API calls 98947->98950 98953 bd8e6a 98950->98953 98951 bd8fb3 98954 bd9029 98951->98954 98958 bd8fcc GetConsoleMode 98951->98958 98952 bd8e3a 99007 bd27ec 26 API calls _strftime 98952->99007 98956 bd29c8 _free 20 API calls 98953->98956 98957 bd902d ReadFile 98954->98957 98960 
bd8e71 98956->98960 98961 bd9047 98957->98961 98962 bd90a1 GetLastError 98957->98962 98958->98954 98959 bd8fdd 98958->98959 98959->98957 98963 bd8fe3 ReadConsoleW 98959->98963 98964 bd8e7b 98960->98964 98965 bd8e96 98960->98965 98961->98962 98968 bd901e 98961->98968 98966 bd90ae 98962->98966 98967 bd9005 98962->98967 98963->98968 98969 bd8fff GetLastError 98963->98969 99009 bcf2d9 20 API calls _abort 98964->99009 99011 bd9424 28 API calls __wsopen_s 98965->99011 99015 bcf2d9 20 API calls _abort 98966->99015 98983 bd8e45 __fread_nolock 98967->98983 99012 bcf2a3 20 API calls 2 library calls 98967->99012 98978 bd906c 98968->98978 98979 bd9083 98968->98979 98968->98983 98969->98967 98970 bd29c8 _free 20 API calls 98970->98933 98975 bd8e80 99010 bcf2c6 20 API calls _abort 98975->99010 98976 bd90b3 99016 bcf2c6 20 API calls _abort 98976->99016 99013 bd8a61 31 API calls 4 library calls 98978->99013 98982 bd909a 98979->98982 98979->98983 99014 bd88a1 29 API calls __wsopen_s 98982->99014 98983->98970 98985 bd909f 98985->98983 98986->98902 98987->98904 98988->98909 98989->98902 98990->98918 98991->98920 98993 bdf8a8 98992->98993 98994 bdf8b5 98992->98994 99020 bcf2d9 20 API calls _abort 98993->99020 98996 bdf8c1 98994->98996 99021 bcf2d9 20 API calls _abort 98994->99021 98996->98951 98998 bdf8ad 98998->98951 98999 bdf8e2 99022 bd27ec 26 API calls _strftime 98999->99022 99001->98926 99002->98933 99003->98936 99004->98934 99005->98945 99006->98952 99007->98983 99008->98947 99009->98975 99010->98983 99011->98946 99012->98983 99013->98983 99014->98985 99015->98976 99016->98983 99017->98929 99018->98934 99019->98933 99020->98998 99021->98999 99022->98998 99026 bce4e8 99023->99026 99025 c1275d 99025->98779 99029 bce469 99026->99029 99028 bce505 99028->99025 99030 bce48c 99029->99030 99031 bce478 99029->99031 99035 bce488 __alldvrm 99030->99035 99039 bd333f 11 API calls 2 library calls 99030->99039 99037 bcf2d9 20 API calls _abort 99031->99037 99034 bce47d 99038 bd27ec 26 API calls 
_strftime 99034->99038 99035->99028 99037->99034 99038->99035 99039->99035 99041 ba6d91 99040->99041 99042 ba6d34 99040->99042 99043 ba93b2 22 API calls 99041->99043 99042->99041 99044 ba6d3f 99042->99044 99049 ba6d62 __fread_nolock 99043->99049 99045 ba6d5a 99044->99045 99046 be4c9d 99044->99046 99054 ba6f34 22 API calls 99045->99054 99048 bbfddb 22 API calls 99046->99048 99050 be4ca7 99048->99050 99049->98596 99051 bbfe0b 22 API calls 99050->99051 99052 be4cda 99051->99052 99053->98609 99054->99049 99056 ba63b6 __fread_nolock 99055->99056 99057 ba6382 99055->99057 99056->98622 99057->99056 99058 be4a82 99057->99058 99059 ba63a9 99057->99059 99061 bbfddb 22 API calls 99058->99061 99060 baa587 22 API calls 99059->99060 99060->99056 99062 be4a91 99061->99062 99063 bbfe0b 22 API calls 99062->99063 99064 be4ac5 __fread_nolock 99063->99064 99065->98623 99066->98664 99067->98666 99068->98717 99070 bcdbc1 99069->99070 99071 bcdbdd 99069->99071 99070->99071 99072 bcdbcd 99070->99072 99073 bcdbe3 99070->99073 99071->98728 99134 bcf2d9 20 API calls _abort 99072->99134 99131 bcd9cc 99073->99131 99076 bcdbd2 99135 bd27ec 26 API calls _strftime 99076->99135 99079 bce684 BuildCatchObjectHelperInternal 99078->99079 99080 bce6aa 99079->99080 99081 bce695 99079->99081 99089 bce6a5 __fread_nolock 99080->99089 99270 bc918d EnterCriticalSection 99080->99270 99287 bcf2d9 20 API calls _abort 99081->99287 99084 bce69a 99288 bd27ec 26 API calls _strftime 99084->99288 99085 bce6c6 99271 bce602 99085->99271 99088 bce6d1 99289 bce6ee LeaveCriticalSection __fread_nolock 99088->99289 99089->98721 99092 c13013 99091->99092 99093 c12fff SetFileTime CloseHandle 99091->99093 99092->98700 99093->99092 99099 c12e7a 99094->99099 99095 c129c4 99095->98700 99100 bcd583 26 API calls 99095->99100 99096 ba50f5 40 API calls 99096->99099 99097 c128fe 27 API calls 99097->99099 99098 ba511f 64 API calls 99098->99099 99099->99095 99099->99096 99099->99097 99099->99098 99100->98701 99101->98694 99103 c122d9 
99102->99103 99104 c122e7 99102->99104 99105 bce5eb 29 API calls 99103->99105 99106 c1232c 99104->99106 99107 bce5eb 29 API calls 99104->99107 99117 c122f0 99104->99117 99105->99104 99363 c12557 99106->99363 99108 c12311 99107->99108 99108->99106 99110 c1231a 99108->99110 99114 bce678 67 API calls 99110->99114 99110->99117 99111 c12370 99112 c12395 99111->99112 99113 c12374 99111->99113 99367 c12171 99112->99367 99116 bce678 67 API calls 99113->99116 99119 c12381 99113->99119 99114->99117 99116->99119 99117->98727 99117->98734 99118 c1239d 99121 c123c3 99118->99121 99122 c123a3 99118->99122 99119->99117 99120 bce678 67 API calls 99119->99120 99120->99117 99374 c123f3 99121->99374 99124 c123b0 99122->99124 99125 bce678 67 API calls 99122->99125 99124->99117 99126 bce678 67 API calls 99124->99126 99125->99124 99126->99117 99127 c123ca 99128 c123de 99127->99128 99129 bce678 67 API calls 99127->99129 99128->99117 99130 bce678 67 API calls 99128->99130 99129->99128 99130->99117 99136 bcd97b 99131->99136 99133 bcd9f0 99133->99071 99134->99076 99135->99071 99137 bcd987 BuildCatchObjectHelperInternal 99136->99137 99144 bc918d EnterCriticalSection 99137->99144 99139 bcd995 99145 bcd9f4 99139->99145 99143 bcd9b3 __fread_nolock 99143->99133 99144->99139 99153 bd49a1 99145->99153 99151 bcd9a2 99152 bcd9c0 LeaveCriticalSection __fread_nolock 99151->99152 99152->99143 99154 bcd955 __fread_nolock 26 API calls 99153->99154 99155 bd49b0 99154->99155 99156 bdf89b __fread_nolock 26 API calls 99155->99156 99157 bd49b6 99156->99157 99161 bcda09 99157->99161 99174 bd3820 21 API calls 2 library calls 99157->99174 99159 bd4a15 99160 bd29c8 _free 20 API calls 99159->99160 99160->99161 99162 bcda3a 99161->99162 99165 bcda4c 99162->99165 99169 bcda24 99162->99169 99163 bcda5a 99200 bcf2d9 20 API calls _abort 99163->99200 99165->99163 99168 bcda85 __fread_nolock 99165->99168 99165->99169 99166 bcda5f 99201 bd27ec 26 API calls _strftime 99166->99201 99168->99169 99171 bcd955 __fread_nolock 26 
API calls 99168->99171 99175 bd59be 99168->99175 99202 bcdc0b 99168->99202 99173 bd4a56 62 API calls 99169->99173 99171->99168 99173->99151 99174->99159 99176 bd59ca BuildCatchObjectHelperInternal 99175->99176 99177 bd59d2 99176->99177 99179 bd59ea 99176->99179 99262 bcf2c6 20 API calls _abort 99177->99262 99178 bd5a88 99267 bcf2c6 20 API calls _abort 99178->99267 99179->99178 99184 bd5a1f 99179->99184 99182 bd59d7 99263 bcf2d9 20 API calls _abort 99182->99263 99183 bd5a8d 99268 bcf2d9 20 API calls _abort 99183->99268 99208 bd5147 EnterCriticalSection 99184->99208 99188 bd5a95 99269 bd27ec 26 API calls _strftime 99188->99269 99189 bd5a25 99191 bd5a56 99189->99191 99192 bd5a41 99189->99192 99209 bd5aa9 99191->99209 99264 bcf2d9 20 API calls _abort 99192->99264 99195 bd5a46 99265 bcf2c6 20 API calls _abort 99195->99265 99196 bd59df __fread_nolock 99196->99168 99197 bd5a51 99266 bd5a80 LeaveCriticalSection __wsopen_s 99197->99266 99200->99166 99201->99169 99203 bcdc23 99202->99203 99205 bcdc1f 99202->99205 99204 bcd955 __fread_nolock 26 API calls 99203->99204 99203->99205 99206 bcdc43 99204->99206 99205->99168 99207 bd59be __wsopen_s 62 API calls 99206->99207 99207->99205 99208->99189 99210 bd5ad7 99209->99210 99248 bd5ad0 99209->99248 99211 bd5adb 99210->99211 99213 bd5afa 99210->99213 99212 bcf2c6 __dosmaperr 20 API calls 99211->99212 99216 bd5ae0 99212->99216 99217 bd5b4b 99213->99217 99218 bd5b2e 99213->99218 99214 bc0a8c CatchGuardHandler 5 API calls 99215 bd5cb1 99214->99215 99215->99197 99221 bd5b61 99217->99221 99224 bd9424 __wsopen_s 28 API calls 99217->99224 99219 bcf2c6 __dosmaperr 20 API calls 99218->99219 99224->99221 99248->99214 99262->99182 99263->99196 99264->99195 99265->99197 99266->99196 99267->99183 99268->99188 99269->99196 99270->99085 99272 bce60f 99271->99272 99273 bce624 99271->99273 99309 bcf2d9 20 API calls _abort 99272->99309 99276 bcdc0b 62 API calls 99273->99276 99279 bce61f 99273->99279 99275 bce614 99310 bd27ec 26 API calls _strftime 
99275->99310 99278 bce638 99276->99278 99290 bd4d7a 99278->99290 99279->99088 99282 bcd955 __fread_nolock 26 API calls 99283 bce646 99282->99283 99294 bd862f 99283->99294 99286 bd29c8 _free 20 API calls 99286->99279 99287->99084 99288->99089 99289->99089 99291 bce640 99290->99291 99292 bd4d90 99290->99292 99291->99282 99292->99291 99293 bd29c8 _free 20 API calls 99292->99293 99293->99291 99295 bd863e 99294->99295 99296 bd8653 99294->99296 99314 bcf2c6 20 API calls _abort 99295->99314 99298 bd868e 99296->99298 99302 bd867a 99296->99302 99316 bcf2c6 20 API calls _abort 99298->99316 99299 bd8643 99315 bcf2d9 20 API calls _abort 99299->99315 99311 bd8607 99302->99311 99303 bd8693 99317 bcf2d9 20 API calls _abort 99303->99317 99306 bce64c 99306->99279 99306->99286 99307 bd869b 99318 bd27ec 26 API calls _strftime 99307->99318 99309->99275 99310->99279 99319 bd8585 99311->99319 99313 bd862b 99313->99306 99314->99299 99315->99306 99316->99303 99317->99307 99318->99306 99320 bd8591 BuildCatchObjectHelperInternal 99319->99320 99330 bd5147 EnterCriticalSection 99320->99330 99322 bd859f 99323 bd85c6 99322->99323 99324 bd85d1 99322->99324 99331 bd86ae 99323->99331 99346 bcf2d9 20 API calls _abort 99324->99346 99327 bd85cc 99347 bd85fb LeaveCriticalSection __wsopen_s 99327->99347 99329 bd85ee __fread_nolock 99329->99313 99330->99322 99348 bd53c4 99331->99348 99333 bd86c4 99361 bd5333 21 API calls 3 library calls 99333->99361 99335 bd86be 99335->99333 99338 bd53c4 __wsopen_s 26 API calls 99335->99338 99344 bd86f6 99335->99344 99336 bd53c4 __wsopen_s 26 API calls 99340 bd86ed 99338->99340 99344->99333 99344->99336 99346->99327 99347->99329 99349 bd53d1 99348->99349 99350 bd53e6 99348->99350 99351 bcf2c6 __dosmaperr 20 API calls 99349->99351 99352 bcf2c6 __dosmaperr 20 API calls 99350->99352 99354 bd540b 99350->99354 99353 bd53d6 99351->99353 99355 bd5416 99352->99355 99356 bcf2d9 _free 20 API calls 99353->99356 99354->99335 99358 bcf2d9 _free 20 API calls 99355->99358 99357 bd53de 
99356->99357 99357->99335 99364 c1257c 99363->99364 99366 c12565 __fread_nolock 99363->99366 99365 bce8c4 __fread_nolock 40 API calls 99364->99365 99365->99366 99366->99111 99368 bcea0c ___std_exception_copy 21 API calls 99367->99368 99369 c1217f 99368->99369 99370 bcea0c ___std_exception_copy 21 API calls 99369->99370 99371 c12190 99370->99371 99372 bcea0c ___std_exception_copy 21 API calls 99371->99372 99373 c1219c 99372->99373 99373->99118 99375 c12408 99374->99375 99376 c124c0 99375->99376 99378 c124c7 99375->99378 99379 c121cc 40 API calls 99375->99379 99382 c12606 99375->99382 99390 c12269 40 API calls 99375->99390 99386 c12724 99376->99386 99378->99127 99379->99375 99383 c12617 99382->99383 99384 c1261d 99382->99384 99383->99384 99391 c126d7 99383->99391 99384->99375 99387 c12731 99386->99387 99388 c12742 99386->99388 99389 bcdbb3 65 API calls 99387->99389 99388->99378 99389->99388 99390->99375 99393 c12714 99391->99393 99393->99383 99396 ba7510 53 API calls 99395->99396 99397 c27f90 99396->99397 99422 c27fd5 ISource 99397->99422 99433 c28cd3 99397->99433 99399 c28281 99400 c2844f 99399->99400 99404 c2828f 99399->99404 99474 c28ee4 60 API calls 99400->99474 99403 c2845e 99403->99404 99405 c2846a 99403->99405 99446 c27e86 99404->99446 99405->99422 99406 ba7510 53 API calls 99424 c28049 99406->99424 99411 c282c8 99461 bbfc70 99411->99461 99414 c28302 99468 ba63eb 22 API calls 99414->99468 99415 c282e8 99467 c1359c 82 API calls __wsopen_s 99415->99467 99418 c282f3 GetCurrentProcess TerminateProcess 99418->99414 99419 c28311 99469 ba6a50 22 API calls 99419->99469 99421 c2832a 99432 c28352 99421->99432 99470 bb04f0 22 API calls 99421->99470 99422->98434 99424->99399 99424->99406 99424->99422 99465 c0417d 22 API calls __fread_nolock 99424->99465 99466 c2851d 42 API calls _strftime 99424->99466 99425 c284c5 99425->99422 99428 c284d9 FreeLibrary 99425->99428 99426 c28341 99471 c28b7b 75 API calls 99426->99471 99428->99422 99432->99425 99472 bb04f0 22 API calls 
99432->99472 99473 baaceb 23 API calls ISource 99432->99473 99475 c28b7b 75 API calls 99432->99475 99434 baaec9 22 API calls 99433->99434 99435 c28cee CharLowerBuffW 99434->99435 99476 c08e54 99435->99476 99439 baa961 22 API calls 99440 c28d2a 99439->99440 99441 ba6d25 22 API calls 99440->99441 99442 c28d3e 99441->99442 99443 ba93b2 22 API calls 99442->99443 99445 c28d48 _wcslen 99443->99445 99444 c28e5e _wcslen 99444->99424 99445->99444 99483 c2851d 42 API calls _strftime 99445->99483 99447 c27ea1 99446->99447 99451 c27eec 99446->99451 99448 bbfe0b 22 API calls 99447->99448 99449 c27ec3 99448->99449 99450 bbfddb 22 API calls 99449->99450 99449->99451 99450->99449 99452 c29096 99451->99452 99453 c292ab ISource 99452->99453 99460 c290ba _strcat _wcslen 99452->99460 99453->99411 99454 bab567 39 API calls 99454->99460 99455 bab38f 39 API calls 99455->99460 99456 bab6b5 39 API calls 99456->99460 99457 ba7510 53 API calls 99457->99460 99458 bcea0c 21 API calls ___std_exception_copy 99458->99460 99460->99453 99460->99454 99460->99455 99460->99456 99460->99457 99460->99458 99486 c0efae 24 API calls _wcslen 99460->99486 99462 bbfc85 99461->99462 99463 bbfd1d VirtualAlloc 99462->99463 99464 bbfceb 99462->99464 99463->99464 99464->99414 99464->99415 99465->99424 99466->99424 99467->99418 99468->99419 99469->99421 99470->99426 99471->99432 99472->99432 99473->99432 99474->99403 99475->99432 99478 c08e74 _wcslen 99476->99478 99477 c08f63 99477->99439 99477->99445 99478->99477 99481 c08ea9 99478->99481 99482 c08f68 99478->99482 99481->99477 99484 bbce60 41 API calls 99481->99484 99482->99477 99485 bbce60 41 API calls 99482->99485 99483->99444 99484->99481 99485->99482 99486->99460 99488 c0d4d5 99487->99488 99489 c0dbdc GetFileAttributesW 99487->99489 99488->98302 99489->99488 99490 c0dbe8 FindFirstFileW 99489->99490 99490->99488 99491 c0dbf9 FindClose 99490->99491 99491->99488 99493 c11ea4 99492->99493 99494 c11e9f 99492->99494 99493->98446 99546 c10f67 24 API calls 
__fread_nolock 99494->99546 99497 bbfe0b 22 API calls 99496->99497 99498 bbf1ef 99497->99498 99499 bbfddb 22 API calls 99498->99499 99500 bbf1fb 99499->99500 99501 bbf733 99500->99501 99502 bbf77f 99501->99502 99504 bbf741 99501->99504 99548 c0ca5b 22 API calls __fread_nolock 99502->99548 99504->99502 99505 bbf74c 99504->99505 99506 bff2fe 99505->99506 99507 bbf75a 99505->99507 99509 bbfddb 22 API calls 99506->99509 99547 bbf788 22 API calls 99507->99547 99511 bff308 99509->99511 99510 bbf762 __fread_nolock 99510->98465 99512 bbfe0b 22 API calls 99511->99512 99513 bff32d 99512->99513 99515 bbfe0b 22 API calls 99514->99515 99516 ba6295 99515->99516 99517 bbfddb 22 API calls 99516->99517 99518 ba62a3 99517->99518 99518->98472 99518->98473 99520 ba6e0b 99519->99520 99521 ba6dc7 99519->99521 99522 baa6c3 22 API calls 99520->99522 99523 bbfe0b 22 API calls 99521->99523 99526 ba6dff 99522->99526 99524 ba6ddc MultiByteToWideChar 99523->99524 99525 ba6e90 22 API calls 99524->99525 99525->99526 99526->98479 99527->98483 99528->98451 99529->98483 99531 ba6ea3 99530->99531 99532 ba6f24 99530->99532 99531->99532 99534 ba6eaf 99531->99534 99533 ba93b2 22 API calls 99532->99533 99541 ba6ec1 __fread_nolock 99533->99541 99535 ba6eb9 99534->99535 99536 ba6ee7 99534->99536 99549 ba6f34 22 API calls 99535->99549 99538 bbfddb 22 API calls 99536->99538 99539 ba6ef1 99538->99539 99540 bbfe0b 22 API calls 99539->99540 99540->99541 99541->98471 99542->98483 99543->98483 99544->98479 99545->98483 99546->99493 99547->99510 99548->99510 99549->99541 99550->98507 99551->98507 99552->98504 99553->98504 99554->98508 99555->98504 99556 bd90fa 99557 bd9107 99556->99557 99562 bd911f 99556->99562 99606 bcf2d9 20 API calls _abort 99557->99606 99559 bd910c 99607 bd27ec 26 API calls _strftime 99559->99607 99561 bd917a 99563 bcd955 __fread_nolock 26 API calls 99561->99563 99562->99561 99570 bd9117 99562->99570 99608 bdfdc4 21 API calls 2 library calls 99562->99608 99565 bd9192 99563->99565 99576 bd8c32 

                Control-flow Graph
                (rendered control-flow graph for the function at ba42de not reproduced)
                APIs
                • GetVersionExW.KERNEL32(?), ref: 00BA430D
                  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                • GetCurrentProcess.KERNEL32(?,00C3CB64,00000000,?,?), ref: 00BA4422
                • IsWow64Process.KERNEL32(00000000,?,?), ref: 00BA4429
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00BA4454
                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BA4466
                • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00BA4474
                • FreeLibrary.KERNEL32(00000000,?,?), ref: 00BA447B
                • GetSystemInfo.KERNEL32(?,?,?), ref: 00BA44A0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                • String ID: GetNativeSystemInfo$kernel32.dll$|O
                • API String ID: 3290436268-3101561225
                • Opcode ID: 645464ad87388bf772f681e67cad357595e00f5eb0fdddfb93dd3d8095b5c009
                • Instruction ID: 5a827c6c20eeb1e3bf1b46455a2c64685be6b4cee80763da5124aa17cc3f121c
                • Opcode Fuzzy Hash: 645464ad87388bf772f681e67cad357595e00f5eb0fdddfb93dd3d8095b5c009
                • Instruction Fuzzy Hash: 33A1AF7691E2C0CFCB11CB6D688679D7EE4AB67700B0C48D9E88D97B72D7604A84CB21

                Control-flow Graph

                APIs
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BA50AA,?,?,00000000,00000000), ref: 00BA42B2
                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BA50AA,?,?,00000000,00000000), ref: 00BA42C9
                • LoadResource.KERNEL32(?,00000000,?,?,00BA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BA4F20), ref: 00BE35BE
                • SizeofResource.KERNEL32(?,00000000,?,?,00BA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BA4F20), ref: 00BE35D3
                • LockResource.KERNEL32(00BA50AA,?,?,00BA50AA,?,?,00000000,00000000,?,?,?,?,?,?,00BA4F20,?), ref: 00BE35E6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                • String ID: SCRIPT
                • API String ID: 3051347437-3967369404
                • Opcode ID: 5f6c4f637b9f840993261accb0167effb3a53e39a22e77ae0e67e074ea5dd6bb
                • Instruction ID: a6dd6a417527cd41f70e930dbdcfcad3f3c5ec40e13291b6ccc8d200e9fce0c5
                • Opcode Fuzzy Hash: 5f6c4f637b9f840993261accb0167effb3a53e39a22e77ae0e67e074ea5dd6bb
                • Instruction Fuzzy Hash: 44118E71250700BFDB258B65DC88F2B7BF9EBC6B51F1081A9F412E6290DBB1DC048720

                Control-flow Graph

                APIs
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00BA2B6B
                  • Part of subcall function 00BA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C71418,?,00BA2E7F,?,?,?,00000000), ref: 00BA3A78
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                • GetForegroundWindow.USER32(runas,?,?,?,?,?,00C62224), ref: 00BE2C10
                • ShellExecuteW.SHELL32(00000000,?,?,00C62224), ref: 00BE2C17
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                • String ID: runas
                • API String ID: 448630720-4000483414
                • Opcode ID: 8be7c67b5a0bdb26bacdc5b26fb7b0c066fec219054c5b82b615ce40d5eca7d0
                • Instruction ID: da9943d95218873ea81f685ee95af72df766417e60de403edff8d5f47a53db72
                • Opcode Fuzzy Hash: 8be7c67b5a0bdb26bacdc5b26fb7b0c066fec219054c5b82b615ce40d5eca7d0
                • Instruction Fuzzy Hash: 8E11D63110C3415BCB14FF68D891ABE77E4DB93750F4854ADF586520A2DF21894A9712
                APIs
                • lstrlenW.KERNEL32(?,00BE5222), ref: 00C0DBCE
                • GetFileAttributesW.KERNELBASE(?), ref: 00C0DBDD
                • FindFirstFileW.KERNELBASE(?,?), ref: 00C0DBEE
                • FindClose.KERNEL32(00000000), ref: 00C0DBFA
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: FileFind$AttributesCloseFirstlstrlen
                • String ID:
                • API String ID: 2695905019-0
                • Opcode ID: aa34bcdc64dc46a3e0b6d0a38e49bf4ebf163754b71cfac8dbf0e209ae7e63b6
                • Instruction ID: fe24c1004dd8a196e86a7f776994fada3b88bdc3eb72679568397f8a9043aff6
                • Opcode Fuzzy Hash: aa34bcdc64dc46a3e0b6d0a38e49bf4ebf163754b71cfac8dbf0e209ae7e63b6
                • Instruction Fuzzy Hash: F2F0A03182092057D3206BB8AC4DAAF3B6C9E01334B104702F836D20F0EBB15A54CA95
                APIs
                • GetInputState.USER32 ref: 00BAD807
                • timeGetTime.WINMM ref: 00BADA07
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BADB28
                • TranslateMessage.USER32(?), ref: 00BADB7B
                • DispatchMessageW.USER32(?), ref: 00BADB89
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BADB9F
                • Sleep.KERNEL32(0000000A), ref: 00BADBB1
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                • String ID:
                • API String ID: 2189390790-0
                • Opcode ID: a335d3b8c50c1b7e7be586c75ab29dc9ed8091f31cb778bca56976721010d5a8
                • Instruction ID: 0e159acf8913b425c1f7fcddb3605f0f61d277c70c8426d6c6fb1c317c2febd5
                • Opcode Fuzzy Hash: a335d3b8c50c1b7e7be586c75ab29dc9ed8091f31cb778bca56976721010d5a8
                • Instruction Fuzzy Hash: 0642D270608245EFD724CF24C885BBEB7E0FF46314F548A99E956876A1D770E888CB92

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00BA2D07
                • RegisterClassExW.USER32(00000030), ref: 00BA2D31
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BA2D42
                • InitCommonControlsEx.COMCTL32(?), ref: 00BA2D5F
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BA2D6F
                • LoadIconW.USER32(000000A9), ref: 00BA2D85
                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BA2D94
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                • API String ID: 2914291525-1005189915
                • Opcode ID: 89dff7ec86aa9627b16f3e70ca84627a8e5f26b2b299b929abc9c2d3c388d880
                • Instruction ID: 1db19bc23099b8cbce6645c38330fe09e18854f7c3ef2235aeac71814e8b2a6f
                • Opcode Fuzzy Hash: 89dff7ec86aa9627b16f3e70ca84627a8e5f26b2b299b929abc9c2d3c388d880
                • Instruction Fuzzy Hash: A621C4B5921319AFDB00DFA8EC89BDDBBB4FB08700F04411AFA15B62A0D7B54584CFA1

                Control-flow Graph

                APIs
                  • Part of subcall function 00BE039A: CreateFileW.KERNELBASE(00000000,00000000,?,00BE0704,?,?,00000000,?,00BE0704,00000000,0000000C), ref: 00BE03B7
                • GetLastError.KERNEL32 ref: 00BE076F
                • __dosmaperr.LIBCMT ref: 00BE0776
                • GetFileType.KERNELBASE(00000000), ref: 00BE0782
                • GetLastError.KERNEL32 ref: 00BE078C
                • __dosmaperr.LIBCMT ref: 00BE0795
                • CloseHandle.KERNEL32(00000000), ref: 00BE07B5
                • CloseHandle.KERNEL32(?), ref: 00BE08FF
                • GetLastError.KERNEL32 ref: 00BE0931
                • __dosmaperr.LIBCMT ref: 00BE0938
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                • String ID: H
                • API String ID: 4237864984-2852464175
                • Opcode ID: 371a11f128b02b2610d3055cb4f15cae8445f60cf40bc5c86177501ac23e539f
                • Instruction ID: dd7f728e3958d2194c2cc81d58a96596140589a5693ad5fa8f40b78accd84a3f
                • Opcode Fuzzy Hash: 371a11f128b02b2610d3055cb4f15cae8445f60cf40bc5c86177501ac23e539f
                • Instruction Fuzzy Hash: 58A12732A241858FDF19AF68D891BAD7BE1EB06320F24019DF815AF391D7719C52CB91

                Control-flow Graph

                APIs
                  • Part of subcall function 00BA3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C71418,?,00BA2E7F,?,?,?,00000000), ref: 00BA3A78
                  • Part of subcall function 00BA3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BA3379
                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BA356A
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BE318D
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BE31CE
                • RegCloseKey.ADVAPI32(?), ref: 00BE3210
                • _wcslen.LIBCMT ref: 00BE3277
                • _wcslen.LIBCMT ref: 00BE3286
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                • API String ID: 98802146-2727554177
                • Opcode ID: ef6d837d964f2ac1342d6eefb79acf7bac2c6cb88b6e1c04ee1f0be202689032
                • Instruction ID: 1cb656bf6837cd50c13a6efe6eb9a0c68239e14e2f39c544110a232966deea75
                • Opcode Fuzzy Hash: ef6d837d964f2ac1342d6eefb79acf7bac2c6cb88b6e1c04ee1f0be202689032
                • Instruction Fuzzy Hash: C3716C714083019EC714DF65DC86AAFBBE8FF85740F40486EF589971B0EB749A88CB62

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 00BA2B8E
                • LoadCursorW.USER32(00000000,00007F00), ref: 00BA2B9D
                • LoadIconW.USER32(00000063), ref: 00BA2BB3
                • LoadIconW.USER32(000000A4), ref: 00BA2BC5
                • LoadIconW.USER32(000000A2), ref: 00BA2BD7
                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BA2BEF
                • RegisterClassExW.USER32(?), ref: 00BA2C40
                  • Part of subcall function 00BA2CD4: GetSysColorBrush.USER32(0000000F), ref: 00BA2D07
                  • Part of subcall function 00BA2CD4: RegisterClassExW.USER32(00000030), ref: 00BA2D31
                  • Part of subcall function 00BA2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BA2D42
                  • Part of subcall function 00BA2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00BA2D5F
                  • Part of subcall function 00BA2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BA2D6F
                  • Part of subcall function 00BA2CD4: LoadIconW.USER32(000000A9), ref: 00BA2D85
                  • Part of subcall function 00BA2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BA2D94
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                • String ID: #$0$AutoIt v3
                • API String ID: 423443420-4155596026
                • Opcode ID: 13d06ffe798a7e246abf685aada5fb68d022afb327a9cc8f1e60060a6e5428c0
                • Instruction ID: b9479b51329311dbee1999ce43af53599c62661c670dfda503b6c095f151123f
                • Opcode Fuzzy Hash: 13d06ffe798a7e246abf685aada5fb68d022afb327a9cc8f1e60060a6e5428c0
                • Instruction Fuzzy Hash: FC212C75E10314ABDB109FA9EC95BAD7FB8FB48B50F08405AFA08B66B0D7B14584CF90

                Control-flow Graph

                APIs
                • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00BA316A,?,?), ref: 00BA31D8
                • KillTimer.USER32(?,00000001,?,?,?,?,?,00BA316A,?,?), ref: 00BA3204
                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BA3227
                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00BA316A,?,?), ref: 00BA3232
                • CreatePopupMenu.USER32 ref: 00BA3246
                • PostQuitMessage.USER32(00000000), ref: 00BA3267
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                • String ID: TaskbarCreated
                • API String ID: 129472671-2362178303
                • Opcode ID: f1a4f549b30cd9926737be490e783fd32bc2c464b33c2c5f08f3763e620db56d
                • Instruction ID: fed6f469296af68d4a6d5b11d7fa5aeec69ba4551373413fec8a8a573b160c78
                • Opcode Fuzzy Hash: f1a4f549b30cd9926737be490e783fd32bc2c464b33c2c5f08f3763e620db56d
                • Instruction Fuzzy Hash: 4B413B3125C304ABDF145B7C9C8EB7D3AD9E747B40F0841A6FE0AA61A1CB71CE8097A1

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ee680eb173d958d23881d8f84c9c7e85cd414fd96d7428cc008453b6662bfb9f
                • Instruction ID: 7295aff2e4bcdf2238edd0132d2a23a8bba2a8a2fee7f410a3fd238b7029ab40
                • Opcode Fuzzy Hash: ee680eb173d958d23881d8f84c9c7e85cd414fd96d7428cc008453b6662bfb9f
                • Instruction Fuzzy Hash: 96C1D274A04289AFDB11DFA8D881BADFBF5EF09310F1441DAF519AB392E7309941CB61

                Control-flow Graph

                APIs
                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 022F2701
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 022F2927
                Memory Dump Source
                • Source File: 00000000.00000002.1620745340.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_22f0000_pagamento.jbxd
                Similarity
                • API ID: CreateFileFreeVirtual
                • String ID:
                • API String ID: 204039940-0
                • Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                • Instruction ID: 7410b40f41513384e5860ec5398ad19c1a935f4a00a60d713c499a95b608d32a
                • Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                • Instruction Fuzzy Hash: 33A10574E10209EBDB54CBE4C894BEEF7B5BF49304F208269EA11AB284D7759A41CF64

                Control-flow Graph

                Control-flow graph (image not recovered): single node 671 covering ba2c63-ba2cd3; API calls in the graph: CreateWindowExW (twice), ShowWindow (twice).
                APIs
                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BA2C91
                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BA2CB2
                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00BA1CAD,?), ref: 00BA2CC6
                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00BA1CAD,?), ref: 00BA2CCF
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$CreateShow
                • String ID: AutoIt v3$edit
                • API String ID: 1584632944-3779509399
                • Opcode ID: e08e79312e522d4f92d1a19ae9dda4c1b07f8d77cd68cb702dbfefb17566e9ed
                • Instruction ID: a48c3de1440006b2c8658a92cfc95de2b1ba6c8dbf49228059e5364e3d3a646d
                • Opcode Fuzzy Hash: e08e79312e522d4f92d1a19ae9dda4c1b07f8d77cd68cb702dbfefb17566e9ed
                • Instruction Fuzzy Hash: CEF0B7755503907AEB211B2BAC49F7F2EBDD7C6F50F05405AFD08A25B0C6615890DAB0

                Control-flow Graph

                Control-flow graph (image not recovered): nodes 786 through 808 covering 22f23b0-22f25e6; API calls in the graph: CreateFileW, VirtualAlloc, ReadFile, ExitProcess; subcalls to 22f0000, 22f22a0, 22f22e0, 22f12a0, 22f2330.
                APIs
                  • Part of subcall function 022F22A0: Sleep.KERNELBASE(000001F4), ref: 022F22B1
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 022F251D
                Memory Dump Source
                • Source File: 00000000.00000002.1620745340.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_22f0000_pagamento.jbxd
                Similarity
                • API ID: CreateFileSleep
                • String ID: 8X288UADW1D93C5U0RW3U6OJ60
                • API String ID: 2694422964-1574367872
                • Opcode ID: bddf912b56989e720c76ddb94c04c9b196013034c222336049132b99a51a3e01
                • Instruction ID: ae49ac46de9fe41805b0d5d090ca65b9ded31c0c62bd900798d2b83cf048b6ab
                • Opcode Fuzzy Hash: bddf912b56989e720c76ddb94c04c9b196013034c222336049132b99a51a3e01
                • Instruction Fuzzy Hash: 1C617230D14289DAEF11DBE4C8547DEFB79AF19304F044199E648BB2C1D7BA0B45CBA6

                Control-flow Graph

                APIs
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C12C05
                • DeleteFileW.KERNEL32(?), ref: 00C12C87
                • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C12C9D
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C12CAE
                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C12CC0
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: File$Delete$Copy
                • String ID:
                • API String ID: 3226157194-0
                • Opcode ID: 2080fe75faa5aa90a7a79e0197b6e05146e87553923f6b7f14e0c3a1d4daf05d
                • Instruction ID: bd187421c508937b840c64f8433b0d8881b8d8373cfcb53ef35fcc95b7bbad11
                • Opcode Fuzzy Hash: 2080fe75faa5aa90a7a79e0197b6e05146e87553923f6b7f14e0c3a1d4daf05d
                • Instruction Fuzzy Hash: 6FB16F75D00119ABDF21DBA4CC85EEEB7BDEF09350F1040AAF609E6141EB309B949FA1

                Control-flow Graph

                Control-flow graph (image not recovered): nodes 952 through 962 covering ba3b1c-ba3b9b; API calls in the graph: RegOpenKeyExW, RegQueryValueExW, RegCloseKey.
                APIs
                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BA3B0F,SwapMouseButtons,00000004,?), ref: 00BA3B40
                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BA3B0F,SwapMouseButtons,00000004,?), ref: 00BA3B61
                • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00BA3B0F,SwapMouseButtons,00000004,?), ref: 00BA3B83
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: Control Panel\Mouse
                • API String ID: 3677997916-824357125
                • Opcode ID: 49caf1a63d93ec09161174a6d7f9b2ec332523609fdd5cfde451a54102b63123
                • Instruction ID: 0c6927233e4692cb64434c16aa44e2443da6f074418bf5b0aeb08b64548914fc
                • Opcode Fuzzy Hash: 49caf1a63d93ec09161174a6d7f9b2ec332523609fdd5cfde451a54102b63123
                • Instruction Fuzzy Hash: A5112AB5525208FFDB208FA5DC85AAEB7F9EF05B44B504499B805E7110D3319E4097A0
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 022F1ACD
                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 022F1AF1
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 022F1B13
                Memory Dump Source
                • Source File: 00000000.00000002.1620745340.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_22f0000_pagamento.jbxd
                Similarity
                • API ID: Process$ContextCreateMemoryReadThreadWow64
                • String ID:
                • API String ID: 2438371351-0
                • Opcode ID: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
                • Instruction ID: d851ae4ab4be09ae81d3f567810d374732a6e751241bc8d21380e41f1b1a5d24
                • Opcode Fuzzy Hash: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
                • Instruction Fuzzy Hash: 49621D30A24258DBEB64CFA4C850BDEB372EF58700F5091A9D20DEB394E7759E81CB59
                Strings
                • Variable must be of type 'Object'., xrefs: 00BF32B7
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID: Variable must be of type 'Object'.
                • API String ID: 0-109567571
                • Opcode ID: 8e54119a8ebb8423241b0a993f737988b07871185ba067067d3229b4642b1bda
                • Instruction ID: 382387238894c04fe7f9a963349100f74c9b6c0fee14a15923caecc386f0806f
                • Opcode Fuzzy Hash: 8e54119a8ebb8423241b0a993f737988b07871185ba067067d3229b4642b1bda
                • Instruction Fuzzy Hash: 70C28A70A04215CFCB24CF58C880AADB7F1FF4A710F2485A9E926AB391D775ED85CB91
                APIs
                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BE33A2
                  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BA3A04
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: IconLoadNotifyShell_String_wcslen
                • String ID: Line:
                • API String ID: 2289894680-1585850449
                • Opcode ID: c64495955b08f14609caf973d27bace774528697eabd96c04c6c05abd62dd2d0
                • Instruction ID: bc1af932e88dc4e4eba3c59e283edf7264fb9ff1b7280e22c5e18049e9a22422
                • Opcode Fuzzy Hash: c64495955b08f14609caf973d27bace774528697eabd96c04c6c05abd62dd2d0
                • Instruction Fuzzy Hash: BB31D47140C304AEC725EB24DC46FEFB7E8AB42B10F0845AEF599930A1DB749648C7D6
                APIs
                • __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0668
                  • Part of subcall function 00BC32A4: RaiseException.KERNEL32(?,?,?,00BC068A,?,00C71444,?,?,?,?,?,?,00BC068A,00BA1129,00C68738,00BA1129), ref: 00BC3304
                • __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0685
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Exception@8Throw$ExceptionRaise
                • String ID: Unknown exception
                • API String ID: 3476068407-410509341
                • Opcode ID: 27830cf8d18001f4028d5a76c9b6e9515578cf62467896d70aac20cf7f36ceed
                • Instruction ID: 806fa79cd8fadffe371e95eaee117b274694158504e1a5519fda6ae4af080b0d
                • Opcode Fuzzy Hash: 27830cf8d18001f4028d5a76c9b6e9515578cf62467896d70aac20cf7f36ceed
                • Instruction Fuzzy Hash: 65F0FC3490020DF7CF10BA64DC86EAD77EC9E00710B6045F9B924D5591EF71DB5AC6D0
                APIs
                • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C1302F
                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C13044
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Temp$FileNamePath
                • String ID: aut
                • API String ID: 3285503233-3010740371
                • Opcode ID: a3bc9d102db2f1da93c4cd97f8cbb5a34591bb6ac25c66c52ef82d6adf212780
                • Instruction ID: 5a07b95d4f2a66afda7ab29d3332e4e06308f160628ce0ec83b9cd509334dc80
                • Opcode Fuzzy Hash: a3bc9d102db2f1da93c4cd97f8cbb5a34591bb6ac25c66c52ef82d6adf212780
                • Instruction Fuzzy Hash: 5AD05EB250032867DA30A7A4AC8EFCF3A6CDB04750F0002A1BA55E2091DAB59984CBD0
                APIs
                • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00C282F5
                • TerminateProcess.KERNEL32(00000000), ref: 00C282FC
                • FreeLibrary.KERNEL32(?,?,?,?), ref: 00C284DD
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Process$CurrentFreeLibraryTerminate
                • String ID:
                • API String ID: 146820519-0
                • Opcode ID: 053a7ffe0cfc199c02d94a1de59874c2c3df177b6e66eef38c08bf9f41a4aa17
                • Instruction ID: f7ed40220d91022090ce5a1f1b738f169c89b3ced2a2b4a2d71399bc9ab508ed
                • Opcode Fuzzy Hash: 053a7ffe0cfc199c02d94a1de59874c2c3df177b6e66eef38c08bf9f41a4aa17
                • Instruction Fuzzy Hash: 70127C719083119FD714DF28D484B6ABBE1FF89318F04895DE8998B252CB31ED49CF92
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 73721f3aa7ede0b81baf5642a6bae919def0cdee38a1aef1e1adabd1536ba49f
                • Instruction ID: f7c454ec3ceb878cd7bd132df6b981b8d80bc70cd255905d1f68cf0b3bfeaa11
                • Opcode Fuzzy Hash: 73721f3aa7ede0b81baf5642a6bae919def0cdee38a1aef1e1adabd1536ba49f
                • Instruction Fuzzy Hash: 17517D7191060AABDB319FA8C885FAEFBF8EF45310F1800DBF405AB391E6719941DB61
                APIs
                  • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BA1BF4
                  • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BA1BFC
                  • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BA1C07
                  • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BA1C12
                  • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BA1C1A
                  • Part of subcall function 00BA1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BA1C22
                  • Part of subcall function 00BA1B4A: RegisterWindowMessageW.USER32(00000004,?,00BA12C4), ref: 00BA1BA2
                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BA136A
                • OleInitialize.OLE32 ref: 00BA1388
                • CloseHandle.KERNEL32(00000000,00000000), ref: 00BE24AB
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                • String ID:
                • API String ID: 1986988660-0
                • Opcode ID: fb16e8a56c098c76b1801f030735e95b6b88be7676040434038e4ceec3a10fe1
                • Instruction ID: 2cac8da65eb89a586f56828bafc3c1507a904ce9666d110ab220d230a23cbbd1
                • Opcode Fuzzy Hash: fb16e8a56c098c76b1801f030735e95b6b88be7676040434038e4ceec3a10fe1
                • Instruction Fuzzy Hash: A271AAB49253408ECBC8EF7DA88675D3AE4FB8935475D866AEC0ED72A1EB304484CF51
                APIs
                • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00BD85CC,?,00C68CC8,0000000C), ref: 00BD8704
                • GetLastError.KERNEL32(?,00BD85CC,?,00C68CC8,0000000C), ref: 00BD870E
                • __dosmaperr.LIBCMT ref: 00BD8739
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                • String ID:
                • API String ID: 490808831-0
                • Opcode ID: 89274544c349577dc0f5524533d1585e817b10497afe6766ae7ea02fd9c4c34d
                • Instruction ID: ec4793a7e545bc96244883514d40a2ac4c2e1ce305a0253b7fc102a5f01456f4
                • Opcode Fuzzy Hash: 89274544c349577dc0f5524533d1585e817b10497afe6766ae7ea02fd9c4c34d
                • Instruction Fuzzy Hash: DB018E3660566026D27467346885B7EEBC9CB81776F3901DBF8199B3D2FEA0CC818254
                APIs
                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00C12CD4,?,?,?,00000004,00000001), ref: 00C12FF2
                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C13006
                • CloseHandle.KERNEL32(00000000,?,00C12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C1300D
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: File$CloseCreateHandleTime
                • String ID:
                • API String ID: 3397143404-0
                • Opcode ID: fbcc368de16dc81a2d79be1a2fce99e801a517c56b8c789be36b779e882960ff
                • Instruction ID: 68da2fbcbd2aab7459757291cd615752c7d2aa9bd922b47d1376cb45d29b52d4
                • Opcode Fuzzy Hash: fbcc368de16dc81a2d79be1a2fce99e801a517c56b8c789be36b779e882960ff
                • Instruction Fuzzy Hash: 61E0863229021077D6301755BC4DFCF3A5CD78AB75F104210F729750D046A0560163A8
                APIs
                • __Init_thread_footer.LIBCMT ref: 00BB17F6
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Init_thread_footer
                • String ID: CALL
                • API String ID: 1385522511-4196123274
                • Opcode ID: 77b4ae165d93329d924ce5877a9996064b934407073d9618dfaffed5868a0918
                • Instruction ID: d2206001ee52aeda8c9ccada2d0c0104b1bd0ebb2f710cbc4ac630587cf6ad56
                • Opcode Fuzzy Hash: 77b4ae165d93329d924ce5877a9996064b934407073d9618dfaffed5868a0918
                • Instruction Fuzzy Hash: 36228B706082019FC714DF18C8A0ABABBF1FF95314F5489ADF9968B361D7B1E845CB92
                APIs
                • _wcslen.LIBCMT ref: 00C16F6B
                  • Part of subcall function 00BA4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EFD
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: LibraryLoad_wcslen
                • String ID: >>>AUTOIT SCRIPT<<<
                • API String ID: 3312870042-2806939583
                • Opcode ID: 9e313aedbf13bd1e7d1e1f4d8947b3022c2a119bfc969c1e85ff395aeefdcd8b
                • Instruction ID: e1acfa9cd035f1a4253efcd85755e9f7ca2fa85a82bb7cba61cdba06d6f69971
                • Opcode Fuzzy Hash: 9e313aedbf13bd1e7d1e1f4d8947b3022c2a119bfc969c1e85ff395aeefdcd8b
                • Instruction Fuzzy Hash: B3B1743150C3019FCB14EF24C4919AEB7E5AF96310F14899DF496972A2DF30EE89DB92
                APIs
                • GetOpenFileNameW.COMDLG32(?), ref: 00BE2C8C
                  • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                  • Part of subcall function 00BA2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BA2DC4
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Name$Path$FileFullLongOpen
                • String ID: X
                • API String ID: 779396738-3081909835
                • Opcode ID: 95a48a941a9b44382e9f4d7cc5b3478d86dab1a11104650d8ae828deadec7314
                • Instruction ID: 25e8497650a6088b0e23833026a7cea828c51614985f02fd09bd3e5fbf24a12f
                • Opcode Fuzzy Hash: 95a48a941a9b44382e9f4d7cc5b3478d86dab1a11104650d8ae828deadec7314
                • Instruction Fuzzy Hash: 8921C371A04298AFDF01DF98C845BEE7BFCAF49304F004099E405A7241DFB45A898BA1
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: __fread_nolock
                • String ID: EA06
                • API String ID: 2638373210-3962188686
                • Opcode ID: 1ec30852932a1909770c0ca27b73835e75e20b0935543a353e0c1e9596c84ddc
                • Instruction ID: fbc3b2428c30e001e9f92e21b891a5e0a9f9b0a937c4beffd151a606c6eabf56
                • Opcode Fuzzy Hash: 1ec30852932a1909770c0ca27b73835e75e20b0935543a353e0c1e9596c84ddc
                • Instruction Fuzzy Hash: 0101B172944258BEDF28C7A8C856FEEBBF8DB05301F00459EE1A2D21C1E5B4E718DB60
                APIs
                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BA3908
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: IconNotifyShell_
                • String ID:
                • API String ID: 1144537725-0
                • Opcode ID: e5294b711335830ae6edf8ba7b56f8ba19ef613aa348b5bd11b717eb82caa924
                • Instruction ID: 482c60d15a651786e3b34ed22cef15ae6a24dc605c04558e35e47cc61eb40df8
                • Opcode Fuzzy Hash: e5294b711335830ae6edf8ba7b56f8ba19ef613aa348b5bd11b717eb82caa924
                • Instruction Fuzzy Hash: 1E31A570508301DFD720DF24D88579BBBE8FB4AB08F04096EF99A93250E775AA44CB52
                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00BBCF58,?,?,?), ref: 00BA6DBA
                • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00BBCF58,?,?,?), ref: 00BA6DED
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ByteCharMultiWide
                • String ID:
                • API String ID: 626452242-0
                • Opcode ID: c3d4d784842e45ab3dd063bc751e9900ff72739daaf9f2767ba2484b5c774349
                • Instruction ID: 486f1a44b641965a231b9428288f505486f8a26cf352e6ad1481dcdcb3af5802
                • Opcode Fuzzy Hash: c3d4d784842e45ab3dd063bc751e9900ff72739daaf9f2767ba2484b5c774349
                • Instruction Fuzzy Hash: 7601DFB13082007FEB295B699C8BFBF7AEDDB86300F0400ADB106E61E1E9A19D009660
                APIs
                • __Init_thread_footer.LIBCMT ref: 00BABB4E
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Init_thread_footer
                • String ID:
                • API String ID: 1385522511-0
                • Opcode ID: 955e474ac611054e7c734ff79ee30e81f4c00145d6e4e1258b0b55a07169daf1
                • Instruction ID: 74c19c669a48111007ee22fb4f9ca87e4cb4d491bc380a68d5d3dc17fcdfd8b0
                • Opcode Fuzzy Hash: 955e474ac611054e7c734ff79ee30e81f4c00145d6e4e1258b0b55a07169daf1
                • Instruction Fuzzy Hash: 4932AD34A082099FDB10DF54C894FBEB7F9EF46310F148099EA25AB262D774ED85CB61
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 022F1ACD
                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 022F1AF1
                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 022F1B13
                Memory Dump Source
                • Source File: 00000000.00000002.1620745340.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_22f0000_pagamento.jbxd
                Similarity
                • API ID: Process$ContextCreateMemoryReadThreadWow64
                • String ID:
                • API String ID: 2438371351-0
                • Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                • Instruction ID: 080b711598f8c89f65b524d31ba471fd3931c8a2a7c31588a33feb0f82cb1961
                • Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                • Instruction Fuzzy Hash: 3912CE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F91CF5A
                APIs
                  • Part of subcall function 00BA4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E9C
                  • Part of subcall function 00BA4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BA4EAE
                  • Part of subcall function 00BA4E90: FreeLibrary.KERNEL32(00000000,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EC0
                • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EFD
                  • Part of subcall function 00BA4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E62
                  • Part of subcall function 00BA4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BA4E74
                  • Part of subcall function 00BA4E59: FreeLibrary.KERNEL32(00000000,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E87
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Library$Load$AddressFreeProc
                • String ID:
                • API String ID: 2632591731-0
                • Opcode ID: 9335f787675ea644e025526f3b651b90fbab8db183f0c7752fabe467f171b803
                • Instruction ID: 8e6407d895ed4c02fcbd2f57bb7480d1008f0a7fafd578079af00bfac09529d9
                • Opcode Fuzzy Hash: 9335f787675ea644e025526f3b651b90fbab8db183f0c7752fabe467f171b803
                • Instruction Fuzzy Hash: 46110132618205AACB24AB60DC42FED77E4AF81B10F2084ADF456B61C1EFB1EA049750
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: __wsopen_s
                • String ID:
                • API String ID: 3347428461-0
                • Opcode ID: 289625f387150c380de3b1124fda8b40cd4b4d0077313bfcb0522dba657b4a0c
                • Instruction ID: a6736b1b8189ca2027441526837aacce89d638ad8d93be51d880dbf9cb11cfb4
                • Opcode Fuzzy Hash: 289625f387150c380de3b1124fda8b40cd4b4d0077313bfcb0522dba657b4a0c
                • Instruction Fuzzy Hash: 5B11187590410AAFCB05DF58E941A9EBBF5EF48315F10409AF808AB312EB31EA11CBA5
                APIs
                  • Part of subcall function 00BD4C7D: RtlAllocateHeap.NTDLL(00000008,00BA1129,00000000,?,00BD2E29,00000001,00000364,?,?,?,00BCF2DE,00BD3863,00C71444,?,00BBFDF5,?), ref: 00BD4CBE
                • _free.LIBCMT ref: 00BD506C
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AllocateHeap_free
                • String ID:
                • API String ID: 614378929-0
                • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                • Instruction ID: 06897c56f09b379ec772387a3132fd9589e601086871614e9f68adb450282985
                • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                • Instruction Fuzzy Hash: DF0126722047046BE3318F659881A5AFBECFB89370F25056EE18483380FA30A805C6B4
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                • Instruction ID: 8fa45faa1acfc3a790a104d441f2be8ecb1f430999cbf6bab9cfffb3cfd8efc4
                • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                • Instruction Fuzzy Hash: 49F0D136521A10D6C6312A799C05F5A73DC9F62331F1007FEF431962D2EB74E80186A5
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen
                • String ID:
                • API String ID: 176396367-0
                • Opcode ID: a1aab6b1abdf35b971cbb30c4e90fbef234579797177db4f7ef5b95bc5723019
                • Instruction ID: 948474a14dff7ac1b4658fbecdac9777d05af51037f390645020c7471f062556
                • Opcode Fuzzy Hash: a1aab6b1abdf35b971cbb30c4e90fbef234579797177db4f7ef5b95bc5723019
                • Instruction Fuzzy Hash: 40F0A4B26006016ED7149F28DC06FA6BBD4EB44760F10857AF619CB1D1DB71E51086A0
                APIs
                • RtlAllocateHeap.NTDLL(00000008,00BA1129,00000000,?,00BD2E29,00000001,00000364,?,?,?,00BCF2DE,00BD3863,00C71444,?,00BBFDF5,?), ref: 00BD4CBE
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 37fa20e65d27263c0709b68f24d72001ae41873f2a567236bef65a9384bf6455
                • Instruction ID: 6d20ef04aba526be425b8ea9cd8f3fe9f09426a01c2ecb33a51ad2bf0f945f82
                • Opcode Fuzzy Hash: 37fa20e65d27263c0709b68f24d72001ae41873f2a567236bef65a9384bf6455
                • Instruction Fuzzy Hash: F1F0E231622224A7DB215F629C09F5FB7C9FF517A1B1D41EBFC19AA390EB70D80196E0
                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 9c5f78b3427383a38971572370fc9e293e072ed864d10e9fe537db0d597398e6
                • Instruction ID: d19fa98aff6c437292b558cb8e5c1af4a9c25df0d1667f0b69002c638c3dbce3
                • Opcode Fuzzy Hash: 9c5f78b3427383a38971572370fc9e293e072ed864d10e9fe537db0d597398e6
                • Instruction Fuzzy Hash: 40E0E53120062596D72126669C00F9EBACAEB42FB0F0900E6BC0496692FB52DE01A3E2
                APIs
                • FreeLibrary.KERNEL32(?,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4F6D
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: FreeLibrary
                • String ID:
                • API String ID: 3664257935-0
                • Opcode ID: 04fdcc3eb9afffdf4ee60d1aedf11d51fcba5f06e99f2a16c6990c654fc0c756
                • Instruction ID: 21500f50dec0f38ffafcb2b33b58966c143d6ea654afe4d58f5d4c4c1a1df0a6
                • Opcode Fuzzy Hash: 04fdcc3eb9afffdf4ee60d1aedf11d51fcba5f06e99f2a16c6990c654fc0c756
                • Instruction Fuzzy Hash: AFF0A971009342CFCB348F20D4D0926BBE0EF4232932099BEE1EE82620C7B29844EF00
                APIs
                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BA2DC4
                  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: LongNamePath_wcslen
                • String ID:
                • API String ID: 541455249-0
                • Opcode ID: 97b150eb587755d5b6787e175e2ad53dc8c3040c95d2b7ac1c4fd9cc4d802c97
                • Instruction ID: 7ff2aad9927b9c32ef9265d81173c0603f1f13ea7cd3baeb5a507e829f469df2
                • Opcode Fuzzy Hash: 97b150eb587755d5b6787e175e2ad53dc8c3040c95d2b7ac1c4fd9cc4d802c97
                • Instruction Fuzzy Hash: BCE0C2B2A042245BCB21A2989C06FEE77EDDFC8790F0400B1FD09E7248DA70AD8086A0
                APIs
                • GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C71418,?,00BA2E7F,?,?,?,00000000), ref: 00BA3A78
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                  • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Name$FileFullModulePath_wcslen
                • String ID:
                • API String ID: 1234788291-0
                • Opcode ID: 6fcbd9b246ada0b183cfd0027d7238c384b9ed052acba6552df6240a1e5099a6
                • Instruction ID: 56c2d9ae1af2ae41f5302122998f4dc7377baeb327fee1746fda126016690e3c
                • Opcode Fuzzy Hash: 6fcbd9b246ada0b183cfd0027d7238c384b9ed052acba6552df6240a1e5099a6
                • Instruction Fuzzy Hash: 41E0DF32A1812D5BDB10E740CC42FFE73ECEF04740F0004B0B546A2191EEF0AA84DAE0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: __fread_nolock
                • String ID:
                • API String ID: 2638373210-0
                • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                • Instruction ID: 73931d5e4961ea489cebaffdaf34732921d92e89d4ee116c9e83bb36f9ad8383
                • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                • Instruction Fuzzy Hash: AEE048B46097005FDF395A28A8517F677D49F4A300F00045EF5AB82352E5726855964D
                APIs
                  • Part of subcall function 00BA3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BA3908
                  • Part of subcall function 00BAD730: GetInputState.USER32 ref: 00BAD807
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00BA2B6B
                  • Part of subcall function 00BA30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00BA314E
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: IconNotifyShell_$CurrentDirectoryInputState
                • String ID:
                • API String ID: 3667716007-0
                • Opcode ID: e2f64e3a5cd8b4a281418dcec9ac47b860a156821fb4ecfade232dc197ec6bfd
                • Instruction ID: 0dfa7a4822861e06f2200394e4163edca7e75a1fda7a277f46385f1528906e64
                • Opcode Fuzzy Hash: e2f64e3a5cd8b4a281418dcec9ac47b860a156821fb4ecfade232dc197ec6bfd
                • Instruction Fuzzy Hash: E0E0863230C24407CA08BB78A8566BDA7D9DBD3751F4455BEF54753162CE2549494351
                APIs
                • CreateFileW.KERNELBASE(00000000,00000000,?,00BE0704,?,?,00000000,?,00BE0704,00000000,0000000C), ref: 00BE03B7
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: d78bbfb6294b15b031dc30e3127ac009dde8d443daf58e21cdd09328d1cad1d2
                • Instruction ID: 3cc84f7dd9126b4b376c48b0668a263ad53a2109b4972fa5bb7d7412beff5882
                • Opcode Fuzzy Hash: d78bbfb6294b15b031dc30e3127ac009dde8d443daf58e21cdd09328d1cad1d2
                • Instruction Fuzzy Hash: F2D06C3205010DBBDF028F84DD46EDE3BAAFB48714F014000BE1866020C732E821AB90
                APIs
                • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00BA1CBC
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: InfoParametersSystem
                • String ID:
                • API String ID: 3098949447-0
                • Opcode ID: 7709a27e67345eca47b616fb774b9322a94496ac67a05e789f7669d6458fb733
                • Instruction ID: 3610ffe388d51e4f088d85643309c2dd117da9d5fd5c58a8e247d8c4b16269eb
                • Opcode Fuzzy Hash: 7709a27e67345eca47b616fb774b9322a94496ac67a05e789f7669d6458fb733
                • Instruction Fuzzy Hash: 8DC09B36290304DFF3144B94BC4AF1C7754A348B00F044001F64D655F3C3A11450F750
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                • Instruction ID: 182fe8f8996360e5b2391b347e9a4fb8961b35c0c630172aea8f7baf5e4578f7
                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                • Instruction Fuzzy Hash: 6B31BD75A0010A9BC718CF59D880AB9FBE6FB49300B2486F5E809CB656D771EDC1CB80
                APIs
                • Sleep.KERNELBASE(000001F4), ref: 022F22B1
                Memory Dump Source
                • Source File: 00000000.00000002.1620745340.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_22f0000_pagamento.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                • Instruction ID: 747ba245068d1236d6e3478308f3ed66d56cb442877e2832790967ac1438b26e
                • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                • Instruction Fuzzy Hash: FEE0BF7498110EEFDB00EFE8D9496DE7BB4EF04311F1006A1FD05D7680DB709E548A62
                APIs
                • Sleep.KERNELBASE(000001F4), ref: 022F22B1
                Memory Dump Source
                • Source File: 00000000.00000002.1620745340.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_22f0000_pagamento.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction ID: 4d4c7b5bfbe003fb2fda34f742b3720bae8efcbccb1459215c0d9906a71ce984
                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction Fuzzy Hash: 56E0E67498110EDFDB00EFF8D94969E7FB4EF04311F100261FD01D2280D6709D508A72
                APIs
                  • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C3961A
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C3965B
                • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C3969F
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C396C9
                • SendMessageW.USER32 ref: 00C396F2
                • GetKeyState.USER32(00000011), ref: 00C3978B
                • GetKeyState.USER32(00000009), ref: 00C39798
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C397AE
                • GetKeyState.USER32(00000010), ref: 00C397B8
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C397E9
                • SendMessageW.USER32 ref: 00C39810
                • SendMessageW.USER32(?,00001030,?,00C37E95), ref: 00C39918
                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C3992E
                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C39941
                • SetCapture.USER32(?), ref: 00C3994A
                • ClientToScreen.USER32(?,?), ref: 00C399AF
                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C399BC
                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C399D6
                • ReleaseCapture.USER32 ref: 00C399E1
                • GetCursorPos.USER32(?), ref: 00C39A19
                • ScreenToClient.USER32(?,?), ref: 00C39A26
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C39A80
                • SendMessageW.USER32 ref: 00C39AAE
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C39AEB
                • SendMessageW.USER32 ref: 00C39B1A
                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C39B3B
                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C39B4A
                • GetCursorPos.USER32(?), ref: 00C39B68
                • ScreenToClient.USER32(?,?), ref: 00C39B75
                • GetParent.USER32(?), ref: 00C39B93
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 00C39BFA
                • SendMessageW.USER32 ref: 00C39C2B
                • ClientToScreen.USER32(?,?), ref: 00C39C84
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C39CB4
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00C39CDE
                • SendMessageW.USER32 ref: 00C39D01
                • ClientToScreen.USER32(?,?), ref: 00C39D4E
                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C39D82
                  • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                • GetWindowLongW.USER32(?,000000F0), ref: 00C39E05
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                • String ID: @GUI_DRAGID$@U=u$F
                • API String ID: 3429851547-1007936534
                • Opcode ID: d4ad43c7eed82a7fcbe189dff16db97957c8c10735446e899b071172b93b227e
                • Instruction ID: 44eb61b8c8d0c5f2ad4016222db4732a933fbf9ffb495dad83f0e73121cbfec0
                • Opcode Fuzzy Hash: d4ad43c7eed82a7fcbe189dff16db97957c8c10735446e899b071172b93b227e
                • Instruction Fuzzy Hash: F9429D30225600AFD724CF28CC85FAABBF5FF49310F144619FAA9972A1D7B1A950CF91
                APIs
                • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00C348F3
                • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00C34908
                • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00C34927
                • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00C3494B
                • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00C3495C
                • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00C3497B
                • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00C349AE
                • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00C349D4
                • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00C34A0F
                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C34A56
                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C34A7E
                • IsMenu.USER32(?), ref: 00C34A97
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C34AF2
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C34B20
                • GetWindowLongW.USER32(?,000000F0), ref: 00C34B94
                • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00C34BE3
                • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00C34C82
                • wsprintfW.USER32 ref: 00C34CAE
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C34CC9
                • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C34CF1
                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C34D13
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C34D33
                • GetWindowTextW.USER32(?,00000000,00000001), ref: 00C34D5A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                • String ID: %d/%02d/%02d$@U=u
                • API String ID: 4054740463-2764005415
                • Opcode ID: 5384ab6da85a37be9f2443f0f08a3ad33b26710e007a162d835508282480a3ff
                • Instruction ID: c72c2e1ee7cd4d64845e6dbd2c49cf0b99fb17f8a84928fffbf25588f27438f9
                • Opcode Fuzzy Hash: 5384ab6da85a37be9f2443f0f08a3ad33b26710e007a162d835508282480a3ff
                • Instruction Fuzzy Hash: 2512F171620214ABEB288F65CC49FBE7BF8EF49310F144169F525EB2E1DB74AA41CB50
                APIs
                • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00BBF998
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BFF474
                • IsIconic.USER32(00000000), ref: 00BFF47D
                • ShowWindow.USER32(00000000,00000009), ref: 00BFF48A
                • SetForegroundWindow.USER32(00000000), ref: 00BFF494
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BFF4AA
                • GetCurrentThreadId.KERNEL32 ref: 00BFF4B1
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BFF4BD
                • AttachThreadInput.USER32(?,00000000,00000001), ref: 00BFF4CE
                • AttachThreadInput.USER32(?,00000000,00000001), ref: 00BFF4D6
                • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00BFF4DE
                • SetForegroundWindow.USER32(00000000), ref: 00BFF4E1
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF4F6
                • keybd_event.USER32(00000012,00000000), ref: 00BFF501
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF50B
                • keybd_event.USER32(00000012,00000000), ref: 00BFF510
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF519
                • keybd_event.USER32(00000012,00000000), ref: 00BFF51E
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BFF528
                • keybd_event.USER32(00000012,00000000), ref: 00BFF52D
                • SetForegroundWindow.USER32(00000000), ref: 00BFF530
                • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00BFF557
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                • String ID: Shell_TrayWnd
                • API String ID: 4125248594-2988720461
                • Opcode ID: 33fb5981e8e9c6ee20ab1be1fb300216914e29b34f64a3c1c845d7491ef6f1ea
                • Instruction ID: 1ca2853e8765c7c3d576de6e263bbbf33c239e56d331c7fe2371393aed35b0b5
                • Opcode Fuzzy Hash: 33fb5981e8e9c6ee20ab1be1fb300216914e29b34f64a3c1c845d7491ef6f1ea
                • Instruction Fuzzy Hash: FD311E71A50219BBEB216BB55C8AFBF7EACEB44B50F100065FA01F61D1C6B19910ABA0
                APIs
                  • Part of subcall function 00C016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C0170D
                  • Part of subcall function 00C016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C0173A
                  • Part of subcall function 00C016C3: GetLastError.KERNEL32 ref: 00C0174A
                • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C01286
                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C012A8
                • CloseHandle.KERNEL32(?), ref: 00C012B9
                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C012D1
                • GetProcessWindowStation.USER32 ref: 00C012EA
                • SetProcessWindowStation.USER32(00000000), ref: 00C012F4
                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C01310
                  • Part of subcall function 00C010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C011FC), ref: 00C010D4
                  • Part of subcall function 00C010BF: CloseHandle.KERNEL32(?,?,00C011FC), ref: 00C010E9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                • String ID: $default$winsta0
                • API String ID: 22674027-1027155976
                • Opcode ID: e65ff18a9b6c8e87b1a28c14d26d11d087abe463d41587500f84c412285b0e3d
                • Instruction ID: da30c6110964fbde314fec59c962c071aab0310094489e4c09208dde435f6f49
                • Opcode Fuzzy Hash: e65ff18a9b6c8e87b1a28c14d26d11d087abe463d41587500f84c412285b0e3d
                • Instruction Fuzzy Hash: DF818971910209AFDF219FA5DC89FEEBBB9EF04704F184129FD20B61A0D7758A54CB21
                APIs
                  • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C01114
                  • Part of subcall function 00C010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01120
                  • Part of subcall function 00C010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C0112F
                  • Part of subcall function 00C010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01136
                  • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0114D
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C00BCC
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C00C00
                • GetLengthSid.ADVAPI32(?), ref: 00C00C17
                • GetAce.ADVAPI32(?,00000000,?), ref: 00C00C51
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C00C6D
                • GetLengthSid.ADVAPI32(?), ref: 00C00C84
                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C00C8C
                • HeapAlloc.KERNEL32(00000000), ref: 00C00C93
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C00CB4
                • CopySid.ADVAPI32(00000000), ref: 00C00CBB
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C00CEA
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C00D0C
                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C00D1E
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00D45
                • HeapFree.KERNEL32(00000000), ref: 00C00D4C
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00D55
                • HeapFree.KERNEL32(00000000), ref: 00C00D5C
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00D65
                • HeapFree.KERNEL32(00000000), ref: 00C00D6C
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C00D78
                • HeapFree.KERNEL32(00000000), ref: 00C00D7F
                  • Part of subcall function 00C01193: GetProcessHeap.KERNEL32(00000008,00C00BB1,?,00000000,?,00C00BB1,?), ref: 00C011A1
                  • Part of subcall function 00C01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C00BB1,?), ref: 00C011A8
                  • Part of subcall function 00C01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C00BB1,?), ref: 00C011B7
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                • String ID:
                • API String ID: 4175595110-0
                • Opcode ID: c180272a12cb1cd2077a3d7c837e8e7827a58134aa0070507f4a2fbc3ebbb454
                • Instruction ID: d61d9da36caa3073739ab7af1eb5b95033a4706bd4f4773ca92157847cb0242d
                • Opcode Fuzzy Hash: c180272a12cb1cd2077a3d7c837e8e7827a58134aa0070507f4a2fbc3ebbb454
                • Instruction Fuzzy Hash: 3771497690020AABDF10DFA4DC84FAEBBB9BF04310F254519E925B6291D775AA05CBB0
                APIs
                • OpenClipboard.USER32(00C3CC08), ref: 00C1EB29
                • IsClipboardFormatAvailable.USER32(0000000D), ref: 00C1EB37
                • GetClipboardData.USER32(0000000D), ref: 00C1EB43
                • CloseClipboard.USER32 ref: 00C1EB4F
                • GlobalLock.KERNEL32(00000000), ref: 00C1EB87
                • CloseClipboard.USER32 ref: 00C1EB91
                • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00C1EBBC
                • IsClipboardFormatAvailable.USER32(00000001), ref: 00C1EBC9
                • GetClipboardData.USER32(00000001), ref: 00C1EBD1
                • GlobalLock.KERNEL32(00000000), ref: 00C1EBE2
                • GlobalUnlock.KERNEL32(00000000,?), ref: 00C1EC22
                • IsClipboardFormatAvailable.USER32(0000000F), ref: 00C1EC38
                • GetClipboardData.USER32(0000000F), ref: 00C1EC44
                • GlobalLock.KERNEL32(00000000), ref: 00C1EC55
                • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C1EC77
                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C1EC94
                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C1ECD2
                • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00C1ECF3
                • CountClipboardFormats.USER32 ref: 00C1ED14
                • CloseClipboard.USER32 ref: 00C1ED59
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                • String ID:
                • API String ID: 420908878-0
                • Opcode ID: 4938dbfad2bc83f8f08797337ccb264e9daa77da7e75d50145a39d9e59a62d1c
                • Instruction ID: d55eae1b019832b8122d72694fa83212786bd537139e8593c099aba2e33818d7
                • Opcode Fuzzy Hash: 4938dbfad2bc83f8f08797337ccb264e9daa77da7e75d50145a39d9e59a62d1c
                • Instruction Fuzzy Hash: 0F61C1352082019FD300EF24D889FAE77E4AF86714F08455DF856E72A1DB31DA85DB62
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00C169BE
                • FindClose.KERNEL32(00000000), ref: 00C16A12
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C16A4E
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C16A75
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C16AB2
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C16ADF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                • API String ID: 3830820486-3289030164
                • Opcode ID: 46c8af41749f9df0aa4ca728240128c350b016e5af7e09b42ce887d64140329a
                • Instruction ID: 6f94f553603abdc589d72ce8bb3b7d927a87dc74b15f8ec48a4fe8eb343acf1e
                • Opcode Fuzzy Hash: 46c8af41749f9df0aa4ca728240128c350b016e5af7e09b42ce887d64140329a
                • Instruction Fuzzy Hash: 67D15DB2508300AFC310EBA4CC91EAFB7ECAF89704F04495DF599D6191EB75DA48DB62
                APIs
                • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C19663
                • GetFileAttributesW.KERNEL32(?), ref: 00C196A1
                • SetFileAttributesW.KERNEL32(?,?), ref: 00C196BB
                • FindNextFileW.KERNEL32(00000000,?), ref: 00C196D3
                • FindClose.KERNEL32(00000000), ref: 00C196DE
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00C196FA
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C1974A
                • SetCurrentDirectoryW.KERNEL32(00C66B7C), ref: 00C19768
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C19772
                • FindClose.KERNEL32(00000000), ref: 00C1977F
                • FindClose.KERNEL32(00000000), ref: 00C1978F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                • String ID: *.*
                • API String ID: 1409584000-438819550
                • Opcode ID: b5c31a544032aa073276534e4961cdb93480b8865885290d1dbe4d3309eb060b
                • Instruction ID: 3a9a0b60acf1f460e8aaf9ce011ecd172f3d2155b78eb80ec440f34726d194ce
                • Opcode Fuzzy Hash: b5c31a544032aa073276534e4961cdb93480b8865885290d1dbe4d3309eb060b
                • Instruction Fuzzy Hash: 4E31D332500219ABDB24AFB4DC99FDE77ACDF4A320F104165F815E20E0DB31DE809B60
                APIs
                • FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C197BE
                • FindNextFileW.KERNEL32(00000000,?), ref: 00C19819
                • FindClose.KERNEL32(00000000), ref: 00C19824
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00C19840
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C19890
                • SetCurrentDirectoryW.KERNEL32(00C66B7C), ref: 00C198AE
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C198B8
                • FindClose.KERNEL32(00000000), ref: 00C198C5
                • FindClose.KERNEL32(00000000), ref: 00C198D5
                  • Part of subcall function 00C0DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C0DB00
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                • String ID: *.*
                • API String ID: 2640511053-438819550
                • Opcode ID: facc63f291ef0c9fd9bdd9e9057bf69f64cc36623f9d1f88e86df9c8b9245f78
                • Instruction ID: f943555f709fbd82b222a49a15144ef98f9a11497e6672cf628cab04d38663fb
                • Opcode Fuzzy Hash: facc63f291ef0c9fd9bdd9e9057bf69f64cc36623f9d1f88e86df9c8b9245f78
                • Instruction Fuzzy Hash: 283185325406196EEB20EFB4EC98BDE77ACDF47320F144165E824A21E0DB31DAC5EB64
                APIs
                • GetLocalTime.KERNEL32(?), ref: 00C18257
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C18267
                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C18273
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C18310
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18324
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18356
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C1838C
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00C18395
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CurrentDirectoryTime$File$Local$System
                • String ID: *.*
                • API String ID: 1464919966-438819550
                • Opcode ID: e5c3d461f58e39a9e65955bcfaebec0e837790dd2df9ab95f0f9138bd72e6eee
                • Instruction ID: db47ca176db92781213603e950349ff63ab42132d4214fbf9331bb1952778c32
                • Opcode Fuzzy Hash: e5c3d461f58e39a9e65955bcfaebec0e837790dd2df9ab95f0f9138bd72e6eee
                • Instruction Fuzzy Hash: 2C616D725083059FC710EF64C894A9EB3E8FF8A310F44495EF99997251DB31EA49CB92
                APIs
                  • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                  • Part of subcall function 00C0E199: GetFileAttributesW.KERNEL32(?,00C0CF95), ref: 00C0E19A
                • FindFirstFileW.KERNEL32(?,?), ref: 00C0D122
                • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C0D1DD
                • MoveFileW.KERNEL32(?,?), ref: 00C0D1F0
                • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C0D20D
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C0D237
                  • Part of subcall function 00C0D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C0D21C,?,?), ref: 00C0D2B2
                • FindClose.KERNEL32(00000000,?,?,?), ref: 00C0D253
                • FindClose.KERNEL32(00000000), ref: 00C0D264
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                • String ID: \*.*
                • API String ID: 1946585618-1173974218
                • Opcode ID: 8c1442a6b715dd6cf3da79c4e8e438aae8d06bdef3749ab5ee43d79fe3a8c2c2
                • Instruction ID: 0334b646f60fef2b8c44047477ce6e5d8109348afdacb6ffa31594f4d0c9262b
                • Opcode Fuzzy Hash: 8c1442a6b715dd6cf3da79c4e8e438aae8d06bdef3749ab5ee43d79fe3a8c2c2
                • Instruction Fuzzy Hash: A5617D3180511DABCF05EBE0DA92AEEB7B5AF15340F2481A5E41277192EB31AF09DB60
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                • String ID:
                • API String ID: 1737998785-0
                • Opcode ID: b32913fe9fb60109464b891747c1d412252066ae9188299943029c9162d2374d
                • Instruction ID: ffd54b4d2ac901481512ea035174049497cab296731831480a714cf788bd424d
                • Opcode Fuzzy Hash: b32913fe9fb60109464b891747c1d412252066ae9188299943029c9162d2374d
                • Instruction Fuzzy Hash: 8641AE35204611AFD310DF25E889F5ABBE1EF45318F14C099E829DB762C775ED81CB90
                APIs
                  • Part of subcall function 00C016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C0170D
                  • Part of subcall function 00C016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C0173A
                  • Part of subcall function 00C016C3: GetLastError.KERNEL32 ref: 00C0174A
                • ExitWindowsEx.USER32(?,00000000), ref: 00C0E932
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                • String ID: $ $@$SeShutdownPrivilege
                • API String ID: 2234035333-3163812486
                • Opcode ID: 94694ed70d4d74382c31dbd960358baf188249bbd182bbf4cf174ef73043c407
                • Instruction ID: c262a52c2d43bc4bc42ab4f7b63ba2e8442ba4500bd0f2b96c9f6b6112d6dd7f
                • Opcode Fuzzy Hash: 94694ed70d4d74382c31dbd960358baf188249bbd182bbf4cf174ef73043c407
                • Instruction Fuzzy Hash: 1601D673660211ABEB6426B59CC6BFF725CA714750F194D21FD13F21D1D5A15D40D290
                APIs
                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C21276
                • WSAGetLastError.WSOCK32 ref: 00C21283
                • bind.WSOCK32(00000000,?,00000010), ref: 00C212BA
                • WSAGetLastError.WSOCK32 ref: 00C212C5
                • closesocket.WSOCK32(00000000), ref: 00C212F4
                • listen.WSOCK32(00000000,00000005), ref: 00C21303
                • WSAGetLastError.WSOCK32 ref: 00C2130D
                • closesocket.WSOCK32(00000000), ref: 00C2133C
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorLast$closesocket$bindlistensocket
                • String ID:
                • API String ID: 540024437-0
                • Opcode ID: 0ae74402c91ea0143bf677bd6d31e7abade6c275a774df1acf7b637af014fc28
                • Instruction ID: 536b84b721ad27afb6754a906927f4b7fba6d45d070044ef0fb0e434ac1d3677
                • Opcode Fuzzy Hash: 0ae74402c91ea0143bf677bd6d31e7abade6c275a774df1acf7b637af014fc28
                • Instruction Fuzzy Hash: 71418031A00110DFD710DF24D494B2ABBE6AF56318F188198E8669F6E3C771EE81CBE1
                APIs
                • _free.LIBCMT ref: 00BDB9D4
                • _free.LIBCMT ref: 00BDB9F8
                • _free.LIBCMT ref: 00BDBB7F
                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C43700), ref: 00BDBB91
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00C7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDBC09
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00C71270,000000FF,?,0000003F,00000000,?), ref: 00BDBC36
                • _free.LIBCMT ref: 00BDBD4B
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                • String ID:
                • API String ID: 314583886-0
                • Opcode ID: 3fc885a9a10414fac2c56279962ed6eb88f41977ce2abf357c6743f4d3da0b2e
                • Instruction ID: 1cc9f0df43921ccba9589d5f0ba043ad375cb00469ae1b93c480fb39d9fd963f
                • Opcode Fuzzy Hash: 3fc885a9a10414fac2c56279962ed6eb88f41977ce2abf357c6743f4d3da0b2e
                • Instruction Fuzzy Hash: 0EC11375A04245EFCB249F698851FAEFBE8EF41360F1A41EBE89497352FB308E419750
                APIs
                  • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                  • Part of subcall function 00C0E199: GetFileAttributesW.KERNEL32(?,00C0CF95), ref: 00C0E19A
                • FindFirstFileW.KERNEL32(?,?), ref: 00C0D420
                • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C0D470
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C0D481
                • FindClose.KERNEL32(00000000), ref: 00C0D498
                • FindClose.KERNEL32(00000000), ref: 00C0D4A1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                • String ID: \*.*
                • API String ID: 2649000838-1173974218
                • Opcode ID: b84687bd24e4a94ed647567bad68014d77eee28653fb7b7afab39fbdced2a402
                • Instruction ID: d026d12556c35a264308cfb25204968efa8b8961bb9e80d884920b7757929493
                • Opcode Fuzzy Hash: b84687bd24e4a94ed647567bad68014d77eee28653fb7b7afab39fbdced2a402
                • Instruction Fuzzy Hash: 97317A7101C3419BC300EFA4D8919AFB7E8AE92340F444A5DF4E293191EB34AA09DB63
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                • Opcode ID: 3bf9c707b03175e0bbf5423fd7963f70d2b4091d6c2f171ccf27f9d4eefdf9ae
                • Instruction ID: 8884a215ee60958b4e5e4632c6faf76e1395321a925096e4abbc434c245a4816
                • Opcode Fuzzy Hash: 3bf9c707b03175e0bbf5423fd7963f70d2b4091d6c2f171ccf27f9d4eefdf9ae
                • Instruction Fuzzy Hash: 9CC22771E086298BDB25DE289D807EAB7F5EB48305F1441EBD85EE7340E775AE818F40
                APIs
                • _wcslen.LIBCMT ref: 00C164DC
                • CoInitialize.OLE32(00000000), ref: 00C16639
                • CoCreateInstance.OLE32(00C3FCF8,00000000,00000001,00C3FB68,?), ref: 00C16650
                • CoUninitialize.OLE32 ref: 00C168D4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CreateInitializeInstanceUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 886957087-24824748
                • Opcode ID: edda541633bf85ec1bab13c3daaf3d494abff9f94e15f0a8d2ca02d1c65415c2
                • Instruction ID: 16ff351823bc8b19979b4bf50c8659a57a2642ab7f2deb26f138635589f7083d
                • Opcode Fuzzy Hash: edda541633bf85ec1bab13c3daaf3d494abff9f94e15f0a8d2ca02d1c65415c2
                • Instruction Fuzzy Hash: 13D15971508201AFC314EF24C881EABB7E9FF96704F00496DF5958B291EB71EA49CB92
                APIs
                • GetForegroundWindow.USER32(?,?,00000000), ref: 00C222E8
                  • Part of subcall function 00C1E4EC: GetWindowRect.USER32(?,?), ref: 00C1E504
                • GetDesktopWindow.USER32 ref: 00C22312
                • GetWindowRect.USER32(00000000), ref: 00C22319
                • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C22355
                • GetCursorPos.USER32(?), ref: 00C22381
                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C223DF
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$Rectmouse_event$CursorDesktopForeground
                • String ID:
                • API String ID: 2387181109-0
                • Opcode ID: b97803fd062960866b6adb55ffb255831b1d9da701d8aa3e7f27ca1d17918889
                • Instruction ID: 2cde447ff8172e4ccfb51f25541d0be105b92defe26ff5ac4c5b29196bc6b696
                • Opcode Fuzzy Hash: b97803fd062960866b6adb55ffb255831b1d9da701d8aa3e7f27ca1d17918889
                • Instruction Fuzzy Hash: 3A31AD72504325ABD720DF55D849B9FBBADFF88314F000A19F995A7191DB34EA08CB92
                APIs
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C19B78
                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C19C8B
                  • Part of subcall function 00C13874: GetInputState.USER32 ref: 00C138CB
                  • Part of subcall function 00C13874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C13966
                • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C19BA8
                • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C19C75
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                • String ID: *.*
                • API String ID: 1972594611-438819550
                • Opcode ID: 048525aab208cd80cc09706ed72f13b4fc32bd91bf32eb2dabee8e0570b5832d
                • Instruction ID: 485559d7c1ee7fa79e2b5c560bf51a9c4e1cdbcae70e6b8ec142272f5e4cf491
                • Opcode Fuzzy Hash: 048525aab208cd80cc09706ed72f13b4fc32bd91bf32eb2dabee8e0570b5832d
                • Instruction Fuzzy Hash: 8341717190420A9FCF14DF64C8A5AEEBBF8EF06310F144095E855A2191EB309F95DFA0
                APIs
                  • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                • DefDlgProcW.USER32(?,?,?,?,?), ref: 00BB9A4E
                • GetSysColor.USER32(0000000F), ref: 00BB9B23
                • SetBkColor.GDI32(?,00000000), ref: 00BB9B36
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Color$LongProcWindow
                • String ID:
                • API String ID: 3131106179-0
                • Opcode ID: fe8b2a339154643637665efcbe1d7354795d5b8cc2576794eb5fbe88edefa66e
                • Instruction ID: 08d8552b83f8e61b78d8ddf24e6a9fdc02ec759dc16b86ca96e40d021371e809
                • Opcode Fuzzy Hash: fe8b2a339154643637665efcbe1d7354795d5b8cc2576794eb5fbe88edefa66e
                • Instruction Fuzzy Hash: 50A1E070258408AFE728AA2D8C99EFF3ADDDB42340F2502C9F702D7691CEA59D45D372
                APIs
                  • Part of subcall function 00C2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
                  • Part of subcall function 00C2304E: _wcslen.LIBCMT ref: 00C2309B
                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C2185D
                • WSAGetLastError.WSOCK32 ref: 00C21884
                • bind.WSOCK32(00000000,?,00000010), ref: 00C218DB
                • WSAGetLastError.WSOCK32 ref: 00C218E6
                • closesocket.WSOCK32(00000000), ref: 00C21915
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                • String ID:
                • API String ID: 1601658205-0
                • Opcode ID: dd1de7b7b0c9995bc8a23c71607fbeef489faec4d6a169a1be7d983c54f2ab70
                • Instruction ID: 712dd442b65726a4c945c9e307d6d740e0618342f939140220bda0123638a11c
                • Opcode Fuzzy Hash: dd1de7b7b0c9995bc8a23c71607fbeef489faec4d6a169a1be7d983c54f2ab70
                • Instruction Fuzzy Hash: B951A271A00210AFDB10AF24D8C6F7A77E5AB45718F188498F919AF3D3C771AE418BA1
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                • String ID:
                • API String ID: 292994002-0
                • Opcode ID: d667df46e637cb186ec914b50dab156a34e09b62efae333e7a2730fcc938a4b6
                • Instruction ID: 10d79cdddc158dba5b9c975eed536a1750d5971dd85e98118e2dc00e6ac93b62
                • Opcode Fuzzy Hash: d667df46e637cb186ec914b50dab156a34e09b62efae333e7a2730fcc938a4b6
                • Instruction Fuzzy Hash: F421E0317602109FD7218F2AE894B6A7BE5EF85324F1C9068EC4ADB351CB71ED42CB90
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                • API String ID: 0-1546025612
                • Opcode ID: b240b8b9fc52c54809b92568c643f7e85e2a3f818e1786163df22d3a61f891e1
                • Instruction ID: 0c89df2cd3f0ddf86cef32e174edf15bc2bbc42347eb5b88d696b2c5b3437c06
                • Opcode Fuzzy Hash: b240b8b9fc52c54809b92568c643f7e85e2a3f818e1786163df22d3a61f891e1
                • Instruction Fuzzy Hash: 69A26C70E0465ACBDF24CF59C8807AEB7F1FB55314F2481EAE816A7685EB709D81CB90
                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 00C2A6AC
                • Process32FirstW.KERNEL32(00000000,?), ref: 00C2A6BA
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                • Process32NextW.KERNEL32(00000000,?), ref: 00C2A79C
                • CloseHandle.KERNEL32(00000000), ref: 00C2A7AB
                  • Part of subcall function 00BBCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BE3303,?), ref: 00BBCE8A
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                • String ID:
                • API String ID: 1991900642-0
                • Opcode ID: 8332f972e9c837e36f1817a3a78a6307d7f743ca3084024c167e8c073173f26c
                • Instruction ID: ac7b8419a7969f7121177d5dc921350dff8c6ea5c293e1fcc21d47ae928e4da3
                • Opcode Fuzzy Hash: 8332f972e9c837e36f1817a3a78a6307d7f743ca3084024c167e8c073173f26c
                • Instruction Fuzzy Hash: 0E514DB1508310AFD710EF24D886A6FBBE8FF89754F00896DF59997291EB70D904CB92
                APIs
                • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C0AAAC
                • SetKeyboardState.USER32(00000080), ref: 00C0AAC8
                • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C0AB36
                • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C0AB88
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                • Opcode ID: 39697747b672f2a7a4e2c3654d866e9a0863bf1ef49676f92f297bf217055f3d
                • Instruction ID: fa06a0c98f7a387f8dbe845c1992b259a44244ed40f6b16a6da25a71f0cad8ae
                • Opcode Fuzzy Hash: 39697747b672f2a7a4e2c3654d866e9a0863bf1ef49676f92f297bf217055f3d
                • Instruction Fuzzy Hash: 9E312671A44318AFFF35CB69CC05BFE7BAAAB44310F04421AF1A1961D1D374CA81D762
                APIs
                • InternetReadFile.WININET(?,?,00000400,?), ref: 00C1CE89
                • GetLastError.KERNEL32(?,00000000), ref: 00C1CEEA
                • SetEvent.KERNEL32(?,?,00000000), ref: 00C1CEFE
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorEventFileInternetLastRead
                • String ID:
                • API String ID: 234945975-0
                • Opcode ID: 07a871bbe4cc84a7c4c20c0dda3fb8ba2be76bf5a7800e72469a7600c3d54b23
                • Instruction ID: 9ad6af8b2ec6e750906179d109e76193ed34f8cf9f1c5cec5caa798177baaaf1
                • Opcode Fuzzy Hash: 07a871bbe4cc84a7c4c20c0dda3fb8ba2be76bf5a7800e72469a7600c3d54b23
                • Instruction Fuzzy Hash: EC21BD71540305ABDB30CFA5C988BABB7F8EF11314F10442EF566A2151E774EE85AB90
                APIs
                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C082AA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: lstrlen
                • String ID: ($|
                • API String ID: 1659193697-1631851259
                • Opcode ID: 65eb599b49aa33fb29644e6acccab5bece174c056d65c51264f972e053340917
                • Instruction ID: 90b2ff4b3c162037edc6d9cc102aeb13c5c39479eccdf38abc9db09c3c88d1bb
                • Opcode Fuzzy Hash: 65eb599b49aa33fb29644e6acccab5bece174c056d65c51264f972e053340917
                • Instruction Fuzzy Hash: 09322574A007059FCB28CF59C481A6AB7F1FF48710B15C56EE5AADB3A1EB70E941CB44
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00C15CC1
                • FindNextFileW.KERNEL32(00000000,?), ref: 00C15D17
                • FindClose.KERNEL32(?), ref: 00C15D5F
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Find$File$CloseFirstNext
                • String ID:
                • API String ID: 3541575487-0
                • Opcode ID: 035effcbebe3965513eb772c00d7540298232c79a9dc9ecc7a0c58541e5033e2
                • Instruction ID: 1c046a8a2bdf3da15263f5a339b286da1e62886ac0369e59f815134953d55f5c
                • Opcode Fuzzy Hash: 035effcbebe3965513eb772c00d7540298232c79a9dc9ecc7a0c58541e5033e2
                • Instruction Fuzzy Hash: A951AA74604601DFC714DF28D494E9AB7E4FF8A314F14859DE96A8B3A1CB30ED44CB91
                APIs
                • IsDebuggerPresent.KERNEL32 ref: 00BD271A
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BD2724
                • UnhandledExceptionFilter.KERNEL32(?), ref: 00BD2731
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: 88eb1f8115306b7efdbc0460ea14270001452fd54937ba1d73828eaddfdd1f70
                • Instruction ID: 860fe1091a5170ceca49bf5c4ddaa63c5cd0b47585db6e2913d739b6ca33a9a9
                • Opcode Fuzzy Hash: 88eb1f8115306b7efdbc0460ea14270001452fd54937ba1d73828eaddfdd1f70
                • Instruction Fuzzy Hash: AE31C375911218ABCB21DF64D888B9DBBF8AF18310F5041EAE81CA6260E7349F818F44
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00C151DA
                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C15238
                • SetErrorMode.KERNEL32(00000000), ref: 00C152A1
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorMode$DiskFreeSpace
                • String ID:
                • API String ID: 1682464887-0
                • Opcode ID: bc35fd018812ab02f58b09bd5c15232dc8ad12ca0f12d26b566bdd0542a47ad9
                • Instruction ID: ecea70beacaaa79f7df76143a708c9f9be3731f2a383d412937c24a950147f80
                • Opcode Fuzzy Hash: bc35fd018812ab02f58b09bd5c15232dc8ad12ca0f12d26b566bdd0542a47ad9
                • Instruction Fuzzy Hash: B8310975A10518DFDB00DF54D884BADBBB4FF49314F048099E805AB2A2DB32E956DB90
                APIs
                  • Part of subcall function 00BBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0668
                  • Part of subcall function 00BBFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BC0685
                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C0170D
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C0173A
                • GetLastError.KERNEL32 ref: 00C0174A
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                • String ID:
                • API String ID: 577356006-0
                • Opcode ID: 9e1918bbebf118d50a1377f832859f04b1cddee6853a179a7ce74ddb3532bb20
                • Instruction ID: 55c46544654ab315dcf84bd73a3fbce8df2d2fbc46b906f222ddf6ba6cd26f5a
                • Opcode Fuzzy Hash: 9e1918bbebf118d50a1377f832859f04b1cddee6853a179a7ce74ddb3532bb20
                • Instruction Fuzzy Hash: 1611BCB2414205AFD718AF54DCC6EBEB7F9EB04714B24852EE46652281EBB0BC41CB20
                APIs
                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C0D608
                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C0D645
                • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C0D650
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CloseControlCreateDeviceFileHandle
                • String ID:
                • API String ID: 33631002-0
                • Opcode ID: 150d29fcee0224a9030ad4fa32ca7ee93fc34c3fdac2695aec24fba3db9b25a7
                • Instruction ID: b0b3befe03c5f93058165c503aa83b9ab5f4b1bbce6d1eb59b29548eb503dee6
                • Opcode Fuzzy Hash: 150d29fcee0224a9030ad4fa32ca7ee93fc34c3fdac2695aec24fba3db9b25a7
                • Instruction Fuzzy Hash: B7118E71E01228BFDB108F95DC84FAFBBBCEB45B60F108111F914F7290C2704A018BA1
                APIs
                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C0168C
                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C016A1
                • FreeSid.ADVAPI32(?), ref: 00C016B1
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AllocateCheckFreeInitializeMembershipToken
                • String ID:
                • API String ID: 3429775523-0
                • Opcode ID: 7619bd968ccefae144ff6a5a084b0c2576cbb882c0fa5802a98d86747e89ab96
                • Instruction ID: 79c4aea2ca6bae88156152c71e2be5ab9ab550ee019f5d7d1467c955376ad831
                • Opcode Fuzzy Hash: 7619bd968ccefae144ff6a5a084b0c2576cbb882c0fa5802a98d86747e89ab96
                • Instruction Fuzzy Hash: 03F0F47195030DFBDB00DFE4DD89AAEBBBCEB08704F504565E901E2181E774AA448B50
                APIs
                • GetCurrentProcess.KERNEL32(00BD28E9,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002,00000000,?,00BD28E9), ref: 00BC4D09
                • TerminateProcess.KERNEL32(00000000,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002,00000000,?,00BD28E9), ref: 00BC4D10
                • ExitProcess.KERNEL32 ref: 00BC4D22
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: 87b834bdc9266835b8fad67a61ba44f8ae88871cc2dba9dffffb2ee1fbd34164
                • Instruction ID: 60df6a7bc4d1b63bdc8e415083fbd7fc0b3df4f7c6421c07e9409a182d2d712d
                • Opcode Fuzzy Hash: 87b834bdc9266835b8fad67a61ba44f8ae88871cc2dba9dffffb2ee1fbd34164
                • Instruction Fuzzy Hash: 0DE0B631010148ABCF11BF64DD5AF9C3BA9EB42791B104468FC069A232DB35DE52DB80
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID: /
                • API String ID: 0-2043925204
                • Opcode ID: 69f8fbf7ef2df067a9bd98f25050e52c8e3c7fa2489712fa182f51e7ab8126cb
                • Instruction ID: 8d783af19e5fa6bbb9700a5a6c9e58725aa77ed95a588a0135b61d8dd0d34d85
                • Opcode Fuzzy Hash: 69f8fbf7ef2df067a9bd98f25050e52c8e3c7fa2489712fa182f51e7ab8126cb
                • Instruction Fuzzy Hash: 8041287650021A6FCB249FB9CC89EBBBBF8EB84314F1042AAF905D7280F6709D41CB54
                APIs
                • GetUserNameW.ADVAPI32(?,?), ref: 00BFD28C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: NameUser
                • String ID: X64
                • API String ID: 2645101109-893830106
                • Opcode ID: 2e3fbde773c5e97a32f94a0b61788dcaf3c8cd970739fd9dd6c995ec135414bd
                • Instruction ID: 92bfef09a426d9a78583d7640dead04c39f90e8eb9bee6094f53b2254deefecb
                • Opcode Fuzzy Hash: 2e3fbde773c5e97a32f94a0b61788dcaf3c8cd970739fd9dd6c995ec135414bd
                • Instruction Fuzzy Hash: F5D0C9B481111DEBCB94DB90DCC8EEDB7BCBB04305F100191F106A2000D77495488F10
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                • Instruction ID: 28fd9abe0a919ddc4f8c218714fc4689e0a8bd6f737a7ffd3d81ef58f0a28711
                • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                • Instruction Fuzzy Hash: 16021C71E002199BDF14CFA9C880BAEBBF1EF58314F2581ADD819E7384D731AE458B94
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00C16918
                • FindClose.KERNEL32(00000000), ref: 00C16961
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                • Opcode ID: 6a09158affe7b5c88b531b5060860b91d8bffba1f62e5765764420a2fb296663
                • Instruction ID: 15d95bcd99a590975185353f0d4f88ddd60639b916c9ff7e11de74a72ddaebab
                • Opcode Fuzzy Hash: 6a09158affe7b5c88b531b5060860b91d8bffba1f62e5765764420a2fb296663
                • Instruction Fuzzy Hash: 811193316142109FC710DF29D484A5ABBE5FF85328F14C699E4698F3A2C731EC45CB91
                APIs
                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C24891,?,?,00000035,?), ref: 00C137E4
                • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C24891,?,?,00000035,?), ref: 00C137F4
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorFormatLastMessage
                • String ID:
                • API String ID: 3479602957-0
                • Opcode ID: 5bb0ba60b4e0e0a270770fe2615b4b8bbb522ba86614dad19aa11ac05a9eee4a
                • Instruction ID: 762ffaaf9163f1779aaff96240948d3e5bb0d377f0e395aff6cf49adb1871a38
                • Opcode Fuzzy Hash: 5bb0ba60b4e0e0a270770fe2615b4b8bbb522ba86614dad19aa11ac05a9eee4a
                • Instruction Fuzzy Hash: 11F0E5B16043286AE720176A8C8DFEF3AAEEFC5765F000175F509E22D1DA609D44C7F0
                APIs
                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C0B25D
                • keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00C0B270
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: InputSendkeybd_event
                • String ID:
                • API String ID: 3536248340-0
                • Opcode ID: cb36356681be86a67f36abcfd8d3976367fed667c19a9ec1d6a3d7f6581646e2
                • Instruction ID: a6d2353ff202d016ed39fb72d6e44f9dd1fdde587f1cf563bd503d639aa6cb50
                • Opcode Fuzzy Hash: cb36356681be86a67f36abcfd8d3976367fed667c19a9ec1d6a3d7f6581646e2
                • Instruction Fuzzy Hash: B5F0177181428EABDB05DFA1C806BAE7BB4FF08309F00800AF965A61A2C3798611DF94
                APIs
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C011FC), ref: 00C010D4
                • CloseHandle.KERNEL32(?,?,00C011FC), ref: 00C010E9
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AdjustCloseHandlePrivilegesToken
                • String ID:
                • API String ID: 81990902-0
                • Opcode ID: b7c7782673b9e86a9065e773311f2c5616e05af4228bdb3f231daa1d3c8291b8
                • Instruction ID: 6ded50b1da2994825cf9fa37c1cd15e144fde1ffb9dbf13330cd15b5a9227d64
                • Opcode Fuzzy Hash: b7c7782673b9e86a9065e773311f2c5616e05af4228bdb3f231daa1d3c8291b8
                • Instruction Fuzzy Hash: CEE0BF72014611AFE7252B51FC45FBB77E9EB04320B14886DF5A5904B1DBA2ACA0DB50
                Strings
                • Variable is not of type 'Object'., xrefs: 00BF0C40
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID: Variable is not of type 'Object'.
                • API String ID: 0-1840281001
                • Opcode ID: 4c271294618880548e8d8f752970900a7efa03517ca54955db60235223da9f68
                • Instruction ID: 1563426346c9d7938c9b85ca076f03f62d88bdf226c105a1401eb40f85b63c03
                • Opcode Fuzzy Hash: 4c271294618880548e8d8f752970900a7efa03517ca54955db60235223da9f68
                • Instruction Fuzzy Hash: CC3259749182189FCF14EF94C981AFDBBF5FF06304F1440A9E906AB292DB75AD49CB60
                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BD6766,?,?,00000008,?,?,00BDFEFE,00000000), ref: 00BD6998
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                • Opcode ID: 944870938bd24d35eca142689e128dcebe3c8a702b520325399446ff924ffef7
                • Instruction ID: e9b5acdc3b6853882e5f07dd56f154b7846074604275e1f5e335af621087ae34
                • Opcode Fuzzy Hash: 944870938bd24d35eca142689e128dcebe3c8a702b520325399446ff924ffef7
                • Instruction Fuzzy Hash: A4B14C316106099FD719CF28C486B65BBE0FF45364F25869AE8D9CF3A2D336E981CB40
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: e0b042af28943c07063699c8face7394b0d322b940f9933f7b9669219b598f06
                • Instruction ID: 4a9c044e6eef2c703a70df0bf3c0440b3cdd1067a22336fdf59d58923134fe82
                • Opcode Fuzzy Hash: e0b042af28943c07063699c8face7394b0d322b940f9933f7b9669219b598f06
                • Instruction Fuzzy Hash: 1A126E759002299BCB24CF58C881BFEB7F5FF48710F14819AE949EB251DBB09A85CF90
                APIs
                • BlockInput.USER32(00000001), ref: 00C1EABD
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: BlockInput
                • String ID:
                • API String ID: 3456056419-0
                • Opcode ID: fc4e50c2d0e0806b3ce235c9b49372ef77cea628ba001766913906425c4dee6f
                • Instruction ID: 1dff74346acff82de6c61ebf0c9c9771448e0f2e6aa2bf0bdd5e56e93d1dc639
                • Opcode Fuzzy Hash: fc4e50c2d0e0806b3ce235c9b49372ef77cea628ba001766913906425c4dee6f
                • Instruction Fuzzy Hash: 48E04F322142049FC710EF6AD855E9AFBE9AF99760F00845AFC4AD7351DB70E8809B91
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00BC03EE), ref: 00BC09DA
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 0f9c549670f404c64c2ba81dfa3026e46316505d4b0dedcc0fd1698e24bab1a1
                • Instruction ID: a245283cef81f1873c8332e72d379cc53c28ce91ee94d426ff211a26d772293b
                • Opcode Fuzzy Hash: 0f9c549670f404c64c2ba81dfa3026e46316505d4b0dedcc0fd1698e24bab1a1
                • Instruction Fuzzy Hash:
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID: 0
                • API String ID: 0-4108050209
                • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                • Instruction ID: 909d1e8ae6773ba9af078ce6fce3428f448a365029cb7d423f1363590ce52568
                • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                • Instruction Fuzzy Hash: 0D516A716CC6056BDF38862A889DFBE23D5DB12340F1805DDEA86D7282CE61DE01DF66
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c962464e4a37df8790d947ccb5fdda6489dcd1f7f3d218ccfd73a76da3220204
                • Instruction ID: a6a3691b097ec5e56e52cdef9cf7b512d3909555b1afdf80ead77f863a4a93e7
                • Opcode Fuzzy Hash: c962464e4a37df8790d947ccb5fdda6489dcd1f7f3d218ccfd73a76da3220204
                • Instruction Fuzzy Hash: F7322226D69F014DD7239634D822339A689AFB73C5F55C737F81AB5AAAFF29C4834100
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 115b9d5d900c3b8ee04efaa5ee0c5f3ca878b33566a22ae450cb8fab455f27dc
                • Instruction ID: d425e2f241248869be8054ef29ce8ef6f605f328984b96e616e6dd1c4c7f6775
                • Opcode Fuzzy Hash: 115b9d5d900c3b8ee04efaa5ee0c5f3ca878b33566a22ae450cb8fab455f27dc
                • Instruction Fuzzy Hash: 5E32F431A0414D8BCF28CE29C6D46BD7FE1EB45300F2885EAD65ACB296D3709DC9DB81
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 54d3ff4dc154a3eb17459d117163ed2d0e03221a0aaf20687dbe825ab531d252
                • Instruction ID: f78286f51ee86ed7d04c5d97bbd1437871879975678e53f1279e0c829c8f6796
                • Opcode Fuzzy Hash: 54d3ff4dc154a3eb17459d117163ed2d0e03221a0aaf20687dbe825ab531d252
                • Instruction Fuzzy Hash: 5C22A1B0A0860AEFDF14CF65C881AAEB3F5FF45304F1445A9E816A7291EB35AD15CB60
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 478aeab7d7740ee3aef03cf64780cb631aa57a1fa8f40155eaf99f5a20aa48e4
                • Instruction ID: fe24a11c5998c9efc6efd0375eff6b58c534cb1ce195055ede8ccfcecc14261b
                • Opcode Fuzzy Hash: 478aeab7d7740ee3aef03cf64780cb631aa57a1fa8f40155eaf99f5a20aa48e4
                • Instruction Fuzzy Hash: 9D02A5B0E00246EBDB14DF65D881BAEB7F5FF44300F1081A9E8169B391EB71EA11DB95
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                • Instruction ID: eca8ef6f3bec72f41531e77c5693283af363a126b6130355e6f9da5183a91734
                • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                • Instruction Fuzzy Hash: 73914A722090A34ADB2D467D8574A3DFFE19A533A13190BDDE4F2DA1C2FD24C965D620
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dcacdbfb90637a371881b614cd7cead2a12a14af116f693b82f5d278324c3a9a
                • Instruction ID: 3f2fdc04e442e69c2248f9a1728657ac3c04d39dd2dc3d9f9690401b0d56ba66
                • Opcode Fuzzy Hash: dcacdbfb90637a371881b614cd7cead2a12a14af116f693b82f5d278324c3a9a
                • Instruction Fuzzy Hash: 596136717C8709A6DB349A2889A5FBF23D4DF41710F1409DEF882DB281DE519E428F55
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d59e8ed12c3cbf7e995441ff0062cdd822e6bb5b32d522b63f5a22d796f4ef69
                • Instruction ID: 65d68466db1511d181e75fd3b8e364e0a86224dbf910fb23c87b36f59bb4e46c
                • Opcode Fuzzy Hash: d59e8ed12c3cbf7e995441ff0062cdd822e6bb5b32d522b63f5a22d796f4ef69
                • Instruction Fuzzy Hash: 7C616BB26C870A67DA389A284896FBF23D8DF41740F1009FDF843DB281DE129D42CE55
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                • Instruction ID: 2378da0972e3d0603f03b5f5a78a99823320c5526706a6d45649cbf201f9cb71
                • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                • Instruction Fuzzy Hash: 3781777260D0A349DB2D463D857493EFFE19A933A131A0BDED4F2DA1C3EE24C955D620
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 44efcf01abca864eb748ed96d3b04504d2efe77390c1dc73f4812cc06671f852
                • Instruction ID: 2b93dd3de63335e88f9165079c2def7a7a363cfe1f1719a4d679c5a56ed5d333
                • Opcode Fuzzy Hash: 44efcf01abca864eb748ed96d3b04504d2efe77390c1dc73f4812cc06671f852
                • Instruction Fuzzy Hash: 2321A5326206118BDB28CF79C8227BE73E5A754310F25862EE4A7C37D1DE39A944DB80
                APIs
                • DeleteObject.GDI32(00000000), ref: 00C22B30
                • DeleteObject.GDI32(00000000), ref: 00C22B43
                • DestroyWindow.USER32 ref: 00C22B52
                • GetDesktopWindow.USER32 ref: 00C22B6D
                • GetWindowRect.USER32(00000000), ref: 00C22B74
                • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C22CA3
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C22CB1
                • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22CF8
                • GetClientRect.USER32(00000000,?), ref: 00C22D04
                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C22D40
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D62
                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D75
                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D80
                • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D89
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22D98
                • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22DA1
                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22DA8
                • GlobalFree.KERNEL32(00000000), ref: 00C22DB3
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22DC5
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00C3FC38,00000000), ref: 00C22DDB
                • GlobalFree.KERNEL32(00000000), ref: 00C22DEB
                • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C22E11
                • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C22E30
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C22E52
                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C2303F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                • String ID: $@U=u$AutoIt v3$DISPLAY$static
                • API String ID: 2211948467-3613752883
                • Opcode ID: 062f213d4a729d855a8fa1cd44edefde9c7fb0073f2f496221d3e5817de8bb53
                • Instruction ID: 81eeff2b0e6bb7eead765bc12150f108f514772a89e218da3a95784a1b568cac
                • Opcode Fuzzy Hash: 062f213d4a729d855a8fa1cd44edefde9c7fb0073f2f496221d3e5817de8bb53
                • Instruction Fuzzy Hash: C5026971A10219AFDB14DFA4DC89FAE7BB9EF49310F048158F915AB2A1CB74ED41CB60
                APIs
                • SetTextColor.GDI32(?,00000000), ref: 00C3712F
                • GetSysColorBrush.USER32(0000000F), ref: 00C37160
                • GetSysColor.USER32(0000000F), ref: 00C3716C
                • SetBkColor.GDI32(?,000000FF), ref: 00C37186
                • SelectObject.GDI32(?,?), ref: 00C37195
                • InflateRect.USER32(?,000000FF,000000FF), ref: 00C371C0
                • GetSysColor.USER32(00000010), ref: 00C371C8
                • CreateSolidBrush.GDI32(00000000), ref: 00C371CF
                • FrameRect.USER32(?,?,00000000), ref: 00C371DE
                • DeleteObject.GDI32(00000000), ref: 00C371E5
                • InflateRect.USER32(?,000000FE,000000FE), ref: 00C37230
                • FillRect.USER32(?,?,?), ref: 00C37262
                • GetWindowLongW.USER32(?,000000F0), ref: 00C37284
                  • Part of subcall function 00C373E8: GetSysColor.USER32(00000012), ref: 00C37421
                  • Part of subcall function 00C373E8: SetTextColor.GDI32(?,?), ref: 00C37425
                  • Part of subcall function 00C373E8: GetSysColorBrush.USER32(0000000F), ref: 00C3743B
                  • Part of subcall function 00C373E8: GetSysColor.USER32(0000000F), ref: 00C37446
                  • Part of subcall function 00C373E8: GetSysColor.USER32(00000011), ref: 00C37463
                  • Part of subcall function 00C373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C37471
                  • Part of subcall function 00C373E8: SelectObject.GDI32(?,00000000), ref: 00C37482
                  • Part of subcall function 00C373E8: SetBkColor.GDI32(?,00000000), ref: 00C3748B
                  • Part of subcall function 00C373E8: SelectObject.GDI32(?,?), ref: 00C37498
                  • Part of subcall function 00C373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00C374B7
                  • Part of subcall function 00C373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C374CE
                  • Part of subcall function 00C373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00C374DB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                • String ID: @U=u
                • API String ID: 4124339563-2594219639
                • Opcode ID: ebd2b934bb31e219076f40e4e544330612fa87247c23f28d08ac7d9f1e34b1c8
                • Instruction ID: 1158584cf5a885e73b2aa752f487cde26d01bc38c808ae382ef21e405ca5a008
                • Opcode Fuzzy Hash: ebd2b934bb31e219076f40e4e544330612fa87247c23f28d08ac7d9f1e34b1c8
                • Instruction Fuzzy Hash: A7A18EB2018301EFDB109F64DC88B6F7BA9FB49321F100B19F962A61E1D775E944DB91
                APIs
                • DestroyWindow.USER32(?,?), ref: 00BB8E14
                • SendMessageW.USER32(?,00001308,?,00000000), ref: 00BF6AC5
                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BF6AFE
                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BF6F43
                  • Part of subcall function 00BB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BB8BE8,?,00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BB8FC5
                • SendMessageW.USER32(?,00001053), ref: 00BF6F7F
                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BF6F96
                • ImageList_Destroy.COMCTL32(00000000,?), ref: 00BF6FAC
                • ImageList_Destroy.COMCTL32(00000000,?), ref: 00BF6FB7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                • String ID: 0$@U=u
                • API String ID: 2760611726-975001249
                • Opcode ID: 3092b9e54e4ee5d76bd7e05797f6096326d2d9330ee2dd4bc5eb03e5d1bb8caa
                • Instruction ID: 790a1166e1859a0b586f60b957a8a288019c676a2b377dfbdb233cf8482447da
                • Opcode Fuzzy Hash: 3092b9e54e4ee5d76bd7e05797f6096326d2d9330ee2dd4bc5eb03e5d1bb8caa
                • Instruction Fuzzy Hash: FE12AD35200205DFDB25DF28C884BB9B7F5FB44310F1884A9FA899B261CB71EC96DB91
                APIs
                • DestroyWindow.USER32(00000000), ref: 00C2273E
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C2286A
                • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C228A9
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C228B9
                • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C22900
                • GetClientRect.USER32(00000000,?), ref: 00C2290C
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C22955
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C22964
                • GetStockObject.GDI32(00000011), ref: 00C22974
                • SelectObject.GDI32(00000000,00000000), ref: 00C22978
                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C22988
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C22991
                • DeleteDC.GDI32(00000000), ref: 00C2299A
                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C229C6
                • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C229DD
                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C22A1D
                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C22A31
                • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C22A42
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C22A77
                • GetStockObject.GDI32(00000011), ref: 00C22A82
                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C22A8D
                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C22A97
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                • String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
                • API String ID: 2910397461-2771358697
                • Opcode ID: 5259453a481c0000c11837491c6764af6fad58ae3d28e2b03a1771b558b2c703
                • Instruction ID: cb8c222c7c5131809b135746961c38c66b87a70e15164f491fe4c8daf6dae4cd
                • Opcode Fuzzy Hash: 5259453a481c0000c11837491c6764af6fad58ae3d28e2b03a1771b558b2c703
                • Instruction Fuzzy Hash: 87B15B71A50215AFEB14DF68DC8AFAE7BB9EB09710F048154F915E72A0DB74ED40CBA0
                APIs
                • GetSysColor.USER32(00000012), ref: 00C37421
                • SetTextColor.GDI32(?,?), ref: 00C37425
                • GetSysColorBrush.USER32(0000000F), ref: 00C3743B
                • GetSysColor.USER32(0000000F), ref: 00C37446
                • CreateSolidBrush.GDI32(?), ref: 00C3744B
                • GetSysColor.USER32(00000011), ref: 00C37463
                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C37471
                • SelectObject.GDI32(?,00000000), ref: 00C37482
                • SetBkColor.GDI32(?,00000000), ref: 00C3748B
                • SelectObject.GDI32(?,?), ref: 00C37498
                • InflateRect.USER32(?,000000FF,000000FF), ref: 00C374B7
                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C374CE
                • GetWindowLongW.USER32(00000000,000000F0), ref: 00C374DB
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C3752A
                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C37554
                • InflateRect.USER32(?,000000FD,000000FD), ref: 00C37572
                • DrawFocusRect.USER32(?,?), ref: 00C3757D
                • GetSysColor.USER32(00000011), ref: 00C3758E
                • SetTextColor.GDI32(?,00000000), ref: 00C37596
                • DrawTextW.USER32(?,00C370F5,000000FF,?,00000000), ref: 00C375A8
                • SelectObject.GDI32(?,?), ref: 00C375BF
                • DeleteObject.GDI32(?), ref: 00C375CA
                • SelectObject.GDI32(?,?), ref: 00C375D0
                • DeleteObject.GDI32(?), ref: 00C375D5
                • SetTextColor.GDI32(?,?), ref: 00C375DB
                • SetBkColor.GDI32(?,?), ref: 00C375E5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                • String ID: @U=u
                • API String ID: 1996641542-2594219639
                • Opcode ID: 66b8be1f49a2b3d87780fe4eca47773492a261dea97aef02a1596209edf07724
                • Instruction ID: d35e5c2ff13cb40909102dd618a18de5befe2a87a5f567be92ffd9d92905e41d
                • Opcode Fuzzy Hash: 66b8be1f49a2b3d87780fe4eca47773492a261dea97aef02a1596209edf07724
                • Instruction Fuzzy Hash: E1615D72910218AFDF119FA4DC89BEE7FB9EB08320F114215F915BB2A1D775A940DF90
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00C14AED
                • GetDriveTypeW.KERNEL32(?,00C3CB68,?,\\.\,00C3CC08), ref: 00C14BCA
                • SetErrorMode.KERNEL32(00000000,00C3CB68,?,\\.\,00C3CC08), ref: 00C14D36
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorMode$DriveType
                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                • API String ID: 2907320926-4222207086
                • Opcode ID: a0aa465b65dff5fb088843a99df45a8547419ff283390fd4075c13b14a98e41a
                • Instruction ID: 56c3de8e40159a8a9b0a22df85e0cbe10a3114e2ebdd552de4e068d2ebd8b569
                • Opcode Fuzzy Hash: a0aa465b65dff5fb088843a99df45a8547419ff283390fd4075c13b14a98e41a
                • Instruction Fuzzy Hash: 1D61B370709105EBCB18DF25CAE1DEDB7A1EB47740B2484A5F806AB291DB35DE81FB81
                APIs
                • CharUpperBuffW.USER32(?,?), ref: 00C302E5
                • _wcslen.LIBCMT ref: 00C3031F
                • _wcslen.LIBCMT ref: 00C30389
                • _wcslen.LIBCMT ref: 00C303F1
                • _wcslen.LIBCMT ref: 00C30475
                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C304C5
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C30504
                  • Part of subcall function 00BBF9F2: _wcslen.LIBCMT ref: 00BBF9FD
                  • Part of subcall function 00C0223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C02258
                  • Part of subcall function 00C0223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C0228A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$MessageSend$BuffCharUpper
                • String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                • API String ID: 1103490817-1753161424
                • Opcode ID: 22957180cef18e82b594aa8b357e20b266065fbd4366b46fe8e5f498884b791f
                • Instruction ID: 8f96447136b9f5b661a1fe8e163d89043c95e3f2fd745ebe6d19adfe252de25c
                • Opcode Fuzzy Hash: 22957180cef18e82b594aa8b357e20b266065fbd4366b46fe8e5f498884b791f
                • Instruction Fuzzy Hash: 5BE1B4322282019FC714DF24C4A197EB7E5BF98714F24495CF8A69B7A6D730EE45CB41
                APIs
                • GetCursorPos.USER32(?), ref: 00C31128
                • GetDesktopWindow.USER32 ref: 00C3113D
                • GetWindowRect.USER32(00000000), ref: 00C31144
                • GetWindowLongW.USER32(?,000000F0), ref: 00C31199
                • DestroyWindow.USER32(?), ref: 00C311B9
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C311ED
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C3120B
                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C3121D
                • SendMessageW.USER32(00000000,00000421,?,?), ref: 00C31232
                • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C31245
                • IsWindowVisible.USER32(00000000), ref: 00C312A1
                • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C312BC
                • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C312D0
                • GetWindowRect.USER32(00000000,?), ref: 00C312E8
                • MonitorFromPoint.USER32(?,?,00000002), ref: 00C3130E
                • GetMonitorInfoW.USER32(00000000,?), ref: 00C31328
                • CopyRect.USER32(?,?), ref: 00C3133F
                • SendMessageW.USER32(00000000,00000412,00000000), ref: 00C313AA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                • String ID: ($0$tooltips_class32
                • API String ID: 698492251-4156429822
                • Opcode ID: 476dcd323971419671ecc3b50e9e341793ffe8ce06cc54779d8ecc9dd49dfdb3
                • Instruction ID: e6d9c4972b366d5adbedbbb57fc469153d87fe817718b4ec65444a05bf1f6cda
                • Opcode Fuzzy Hash: 476dcd323971419671ecc3b50e9e341793ffe8ce06cc54779d8ecc9dd49dfdb3
                • Instruction Fuzzy Hash: ACB19B71618341AFD704DF64C885BAEBBE4FF85310F04891CF999AB2A1CB31E944CB91
                APIs
                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BB8968
                • GetSystemMetrics.USER32(00000007), ref: 00BB8970
                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BB899B
                • GetSystemMetrics.USER32(00000008), ref: 00BB89A3
                • GetSystemMetrics.USER32(00000004), ref: 00BB89C8
                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BB89E5
                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BB89F5
                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BB8A28
                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BB8A3C
                • GetClientRect.USER32(00000000,000000FF), ref: 00BB8A5A
                • GetStockObject.GDI32(00000011), ref: 00BB8A76
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB8A81
                  • Part of subcall function 00BB912D: GetCursorPos.USER32(?), ref: 00BB9141
                  • Part of subcall function 00BB912D: ScreenToClient.USER32(00000000,?), ref: 00BB915E
                  • Part of subcall function 00BB912D: GetAsyncKeyState.USER32(00000001), ref: 00BB9183
                  • Part of subcall function 00BB912D: GetAsyncKeyState.USER32(00000002), ref: 00BB919D
                • SetTimer.USER32(00000000,00000000,00000028,00BB90FC), ref: 00BB8AA8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                • String ID: @U=u$AutoIt v3 GUI
                • API String ID: 1458621304-2077007950
                • Opcode ID: 1dcc9c97f5772ccc067b10465443d86b2f4abe6a3280d8477b81fd29851eb92d
                • Instruction ID: e75b06b0fa50b38b278c4ef6c3422bcb54f8c9b832887e54a72af96a54a877c8
                • Opcode Fuzzy Hash: 1dcc9c97f5772ccc067b10465443d86b2f4abe6a3280d8477b81fd29851eb92d
                • Instruction Fuzzy Hash: B9B13675A0020AAFDF14DFA8DC85BBE3BF5EB48314F144269FE19A7290DB74A841CB51
                APIs
                • LoadIconW.USER32(00000063), ref: 00C05A2E
                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C05A40
                • SetWindowTextW.USER32(?,?), ref: 00C05A57
                • GetDlgItem.USER32(?,000003EA), ref: 00C05A6C
                • SetWindowTextW.USER32(00000000,?), ref: 00C05A72
                • GetDlgItem.USER32(?,000003E9), ref: 00C05A82
                • SetWindowTextW.USER32(00000000,?), ref: 00C05A88
                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C05AA9
                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C05AC3
                • GetWindowRect.USER32(?,?), ref: 00C05ACC
                • _wcslen.LIBCMT ref: 00C05B33
                • SetWindowTextW.USER32(?,?), ref: 00C05B6F
                • GetDesktopWindow.USER32 ref: 00C05B75
                • GetWindowRect.USER32(00000000), ref: 00C05B7C
                • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C05BD3
                • GetClientRect.USER32(?,?), ref: 00C05BE0
                • PostMessageW.USER32(?,00000005,00000000,?), ref: 00C05C05
                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C05C2F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                • String ID: @U=u
                • API String ID: 895679908-2594219639
                • Opcode ID: 87234de1aedc3e52df1c688288e017486de760ab6dc99006af9358d6204935c5
                • Instruction ID: 22487894bf3272f3d08bf58a37f36066a0a69083b17a66c0c77b9e7c07cb6817
                • Opcode Fuzzy Hash: 87234de1aedc3e52df1c688288e017486de760ab6dc99006af9358d6204935c5
                • Instruction Fuzzy Hash: 72713A31A00B09AFDB20DFA9CE86BAFBBF5FF48704F104518E556A25A0D775AA44CF50
                APIs
                • CharUpperBuffW.USER32(?,?), ref: 00C309C6
                • _wcslen.LIBCMT ref: 00C30A01
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C30A54
                • _wcslen.LIBCMT ref: 00C30A8A
                • _wcslen.LIBCMT ref: 00C30B06
                • _wcslen.LIBCMT ref: 00C30B81
                  • Part of subcall function 00BBF9F2: _wcslen.LIBCMT ref: 00BBF9FD
                  • Part of subcall function 00C02BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C02BFA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$MessageSend$BuffCharUpper
                • String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                • API String ID: 1103490817-383632319
                • Opcode ID: 5b9b73527012c06a2f3cabc3145765cb39f9a467f54cdd3a8ed3fdad194766c1
                • Instruction ID: b028082f003ceba19b6eb18301c30a7a76288cf39846e790836cec07c3be7201
                • Opcode Fuzzy Hash: 5b9b73527012c06a2f3cabc3145765cb39f9a467f54cdd3a8ed3fdad194766c1
                • Instruction Fuzzy Hash: 93E1B4322183018FC714DF25C4A196AB7E1FF95718F24499DF8A69B3A2D731EE45CB81
                APIs
                  • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C01114
                  • Part of subcall function 00C010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01120
                  • Part of subcall function 00C010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C0112F
                  • Part of subcall function 00C010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01136
                  • Part of subcall function 00C010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0114D
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C00DF5
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C00E29
                • GetLengthSid.ADVAPI32(?), ref: 00C00E40
                • GetAce.ADVAPI32(?,00000000,?), ref: 00C00E7A
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C00E96
                • GetLengthSid.ADVAPI32(?), ref: 00C00EAD
                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C00EB5
                • HeapAlloc.KERNEL32(00000000), ref: 00C00EBC
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C00EDD
                • CopySid.ADVAPI32(00000000), ref: 00C00EE4
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C00F13
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C00F35
                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C00F47
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00F6E
                • HeapFree.KERNEL32(00000000), ref: 00C00F75
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00F7E
                • HeapFree.KERNEL32(00000000), ref: 00C00F85
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C00F8E
                • HeapFree.KERNEL32(00000000), ref: 00C00F95
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C00FA1
                • HeapFree.KERNEL32(00000000), ref: 00C00FA8
                  • Part of subcall function 00C01193: GetProcessHeap.KERNEL32(00000008,00C00BB1,?,00000000,?,00C00BB1,?), ref: 00C011A1
                  • Part of subcall function 00C01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C00BB1,?), ref: 00C011A8
                  • Part of subcall function 00C01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C00BB1,?), ref: 00C011B7
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                • String ID:
                • API String ID: 4175595110-0
                • Opcode ID: 03bbf9fb776f00509f86d0f3de828a6875590cdaddb44079167765916421d22b
                • Instruction ID: 0b47de9634c620b06575eae1293e1a23abf76ef26ab9e1f3c1ae081a716b0c55
                • Opcode Fuzzy Hash: 03bbf9fb776f00509f86d0f3de828a6875590cdaddb44079167765916421d22b
                • Instruction Fuzzy Hash: DD716A7290020AABDF20DFA4DC89FAEBBB8BF05301F254115FA69B6191D7319A15DB60
                APIs
                • _wcslen.LIBCMT ref: 00C3835A
                • _wcslen.LIBCMT ref: 00C3836E
                • _wcslen.LIBCMT ref: 00C38391
                • _wcslen.LIBCMT ref: 00C383B4
                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C383F2
                • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00C3361A,?), ref: 00C3844E
                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C38487
                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C384CA
                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C38501
                • FreeLibrary.KERNEL32(?), ref: 00C3850D
                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C3851D
                • DestroyIcon.USER32(?), ref: 00C3852C
                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C38549
                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C38555
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                • String ID: .dll$.exe$.icl$@U=u
                • API String ID: 799131459-1639919054
                • Opcode ID: a4a859d1e5bb8a2a18656546bf5ced81b4b8318f106733223a9bc22291616931
                • Instruction ID: 7c765b7232646c0b24710d88715358efab5287636242f9de66bd07d82b2ce650
                • Opcode Fuzzy Hash: a4a859d1e5bb8a2a18656546bf5ced81b4b8318f106733223a9bc22291616931
                • Instruction Fuzzy Hash: B061F072524315BEEB14DF64CC81FBE77A8FB08711F104649F825E61D1DBB4AA88CBA0
                APIs
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2C4BD
                • RegCreateKeyExW.ADVAPI32(?,?,00000000,00C3CC08,00000000,?,00000000,?,?), ref: 00C2C544
                • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C2C5A4
                • _wcslen.LIBCMT ref: 00C2C5F4
                • _wcslen.LIBCMT ref: 00C2C66F
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C2C6B2
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C2C7C1
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C2C84D
                • RegCloseKey.ADVAPI32(?), ref: 00C2C881
                • RegCloseKey.ADVAPI32(00000000), ref: 00C2C88E
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C2C960
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                • API String ID: 9721498-966354055
                • Opcode ID: e5539a9761df398aa39effe0e960a9d701f14bb3fbee51f4a2f3aac8c00a8efe
                • Instruction ID: 110c80bf7668785137f4ef1412ac7170cc2a91d4a9a914954c28be1d465d8664
                • Opcode Fuzzy Hash: e5539a9761df398aa39effe0e960a9d701f14bb3fbee51f4a2f3aac8c00a8efe
                • Instruction Fuzzy Hash: 6D1268356082119FCB14EF14D891B2EB7E5EF89714F04889DF89A9B7A2DB31ED41CB81
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$BuffCharUpper
                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                • API String ID: 1256254125-909552448
                • Opcode ID: 5d5fee430420bec35822f1e92f4ad70b6a4f1f4d1c5e7b7705f71f4e70825798
                • Instruction ID: b85f112ac694170af4ec1ec6d433e4d957815dc81f0e916352fac53878c2b00e
                • Opcode Fuzzy Hash: 5d5fee430420bec35822f1e92f4ad70b6a4f1f4d1c5e7b7705f71f4e70825798
                • Instruction Fuzzy Hash: F071043261413A8BCF20DE7CEDD16BE3391AF61794B250628F87697684EA71CF44D3A0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                • API String ID: 0-1645009161
                • Opcode ID: 13a8a3b027bc5eaf22aec42fb7185d8a9eebfdf12063564bac8c7ed013535537
                • Instruction ID: 2805e287fdf04938fd2144047bff4de9e001ad9038c152a334958bbe031baf60
                • Opcode Fuzzy Hash: 13a8a3b027bc5eaf22aec42fb7185d8a9eebfdf12063564bac8c7ed013535537
                • Instruction Fuzzy Hash: 9381C671A58605BBDB20AF61DC82FBE37E8EF16300F0440A5F905AA192EF70DE11D7A1
                APIs
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00C38592
                • GetFileSize.KERNEL32(00000000,00000000), ref: 00C385A2
                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00C385AD
                • CloseHandle.KERNEL32(00000000), ref: 00C385BA
                • GlobalLock.KERNEL32(00000000), ref: 00C385C8
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C385D7
                • GlobalUnlock.KERNEL32(00000000), ref: 00C385E0
                • CloseHandle.KERNEL32(00000000), ref: 00C385E7
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C385F8
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00C3FC38,?), ref: 00C38611
                • GlobalFree.KERNEL32(00000000), ref: 00C38621
                • GetObjectW.GDI32(?,00000018,000000FF), ref: 00C38641
                • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00C38671
                • DeleteObject.GDI32(00000000), ref: 00C38699
                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C386AF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                • String ID: @U=u
                • API String ID: 3840717409-2594219639
                • Opcode ID: c401f22a0ae686673e2cac2a7e48ad999b53354bc73eba01c4abcffa6b05c218
                • Instruction ID: 58b6dd401ccec6fa8b0ee3be4bb1eb067f5a31db876c04bddb644f213d326417
                • Opcode Fuzzy Hash: c401f22a0ae686673e2cac2a7e48ad999b53354bc73eba01c4abcffa6b05c218
                • Instruction Fuzzy Hash: 46412875610208AFDB119FA5CC89FAF7BB8FF89B11F108059F915E7260DB319A05DB60
                APIs
                • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00BC00C6
                  • Part of subcall function 00BC00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C7070C,00000FA0,7CB7DAAC,?,?,?,?,00BE23B3,000000FF), ref: 00BC011C
                  • Part of subcall function 00BC00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BE23B3,000000FF), ref: 00BC0127
                  • Part of subcall function 00BC00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BE23B3,000000FF), ref: 00BC0138
                  • Part of subcall function 00BC00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BC014E
                  • Part of subcall function 00BC00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BC015C
                  • Part of subcall function 00BC00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BC016A
                  • Part of subcall function 00BC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BC0195
                  • Part of subcall function 00BC00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BC01A0
                • ___scrt_fastfail.LIBCMT ref: 00BC00E7
                  • Part of subcall function 00BC00A3: __onexit.LIBCMT ref: 00BC00A9
                Strings
                • WakeAllConditionVariable, xrefs: 00BC0162
                • InitializeConditionVariable, xrefs: 00BC0148
                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00BC0122
                • kernel32.dll, xrefs: 00BC0133
                • SleepConditionVariableCS, xrefs: 00BC0154
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                • API String ID: 66158676-1714406822
                • Opcode ID: 8289751aa575cb93679fd19d55f7cfdb1f71970195cc3767b28e608bf5e72035
                • Instruction ID: 078f16327c306fc38f25063f32f91889545f026190e70dfff4a8e25df0195acb
                • Opcode Fuzzy Hash: 8289751aa575cb93679fd19d55f7cfdb1f71970195cc3767b28e608bf5e72035
                • Instruction Fuzzy Hash: 7321A132A64711EBE7116BA4AC4AF7EB3E4EB05B61F14457DF805B22A1DBB49C009B90
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                • API String ID: 176396367-1603158881
                • Opcode ID: d0de0ffb0cbafa89d54305b8b151b1311e34c73fb4ce45a86e869b2c480a833b
                • Instruction ID: 7437df278c1d476c453296e9fca6745ebed2e662c1f650c28996565447c6ba53
                • Opcode Fuzzy Hash: d0de0ffb0cbafa89d54305b8b151b1311e34c73fb4ce45a86e869b2c480a833b
                • Instruction Fuzzy Hash: 35E1D731A00566ABCF249FA4C891BEDBBB8BF54710F648169E466B72D0DB30AF45C790
                APIs
                • CharLowerBuffW.USER32(00000000,00000000,00C3CC08), ref: 00C14527
                • _wcslen.LIBCMT ref: 00C1453B
                • _wcslen.LIBCMT ref: 00C14599
                • _wcslen.LIBCMT ref: 00C145F4
                • _wcslen.LIBCMT ref: 00C1463F
                • _wcslen.LIBCMT ref: 00C146A7
                  • Part of subcall function 00BBF9F2: _wcslen.LIBCMT ref: 00BBF9FD
                • GetDriveTypeW.KERNEL32(?,00C66BF0,00000061), ref: 00C14743
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$BuffCharDriveLowerType
                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                • API String ID: 2055661098-1000479233
                • Opcode ID: 6174329b25607f63d4f26b9143ad5f7b5fb5d7b23779cf44f49ed94b43027770
                • Instruction ID: 86ae4e705645a4700cf6cc3a452d3499ad294ea956a759fd78b421093dd27b6a
                • Opcode Fuzzy Hash: 6174329b25607f63d4f26b9143ad5f7b5fb5d7b23779cf44f49ed94b43027770
                • Instruction Fuzzy Hash: 7AB1E3716083029FC718DF28C890AAEB7E5AFA7764F50491DF4A6C7291D730DA84DB92
                APIs
                • DestroyWindow.USER32(?,?), ref: 00C36DEB
                  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C36E5F
                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C36E81
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C36E94
                • DestroyWindow.USER32(?), ref: 00C36EB5
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BA0000,00000000), ref: 00C36EE4
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C36EFD
                • GetDesktopWindow.USER32 ref: 00C36F16
                • GetWindowRect.USER32(00000000), ref: 00C36F1D
                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C36F35
                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C36F4D
                  • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                • String ID: 0$@U=u$tooltips_class32
                • API String ID: 2429346358-1130792468
                • Opcode ID: 820ed37793fa7ddc9e5bcb9a55b26bd82511829509e0f38df52e62aec125d10f
                • Instruction ID: ecb4a264474a3836ede353bf3ba75e39bb479f5bdce105510deda89ddfe3d88c
                • Opcode Fuzzy Hash: 820ed37793fa7ddc9e5bcb9a55b26bd82511829509e0f38df52e62aec125d10f
                • Instruction Fuzzy Hash: 38718B74114240AFDB21CF18DC84FAABBF9FB89304F04441DFA9997260C770EA4ACB21
                APIs
                  • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                • DragQueryPoint.SHELL32(?,?), ref: 00C39147
                  • Part of subcall function 00C37674: ClientToScreen.USER32(?,?), ref: 00C3769A
                  • Part of subcall function 00C37674: GetWindowRect.USER32(?,?), ref: 00C37710
                  • Part of subcall function 00C37674: PtInRect.USER32(?,?,00C38B89), ref: 00C37720
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00C391B0
                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C391BB
                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C391DE
                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C39225
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00C3923E
                • SendMessageW.USER32(?,000000B1,?,?), ref: 00C39255
                • SendMessageW.USER32(?,000000B1,?,?), ref: 00C39277
                • DragFinish.SHELL32(?), ref: 00C3927E
                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C39371
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
                • API String ID: 221274066-762882726
                • Opcode ID: 336dcf0b4cfdfcd96447478f4dc1f360e3f8e5d6103270804670532893920de4
                • Instruction ID: f2e9c7c490e031dbe03e20d206f658ee4b401ecc3f93a3e6d10b8135ad25e598
                • Opcode Fuzzy Hash: 336dcf0b4cfdfcd96447478f4dc1f360e3f8e5d6103270804670532893920de4
                • Instruction Fuzzy Hash: 60616B71108301AFD701EF64DC85EAFBBF8EF89750F004A6DF595922A1DB709A49CB52
                APIs
                • _wcslen.LIBCMT ref: 00C2B198
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B1B0
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B1D4
                • _wcslen.LIBCMT ref: 00C2B200
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B214
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C2B236
                • _wcslen.LIBCMT ref: 00C2B332
                  • Part of subcall function 00C105A7: GetStdHandle.KERNEL32(000000F6), ref: 00C105C6
                • _wcslen.LIBCMT ref: 00C2B34B
                • _wcslen.LIBCMT ref: 00C2B366
                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C2B3B6
                • GetLastError.KERNEL32(00000000), ref: 00C2B407
                • CloseHandle.KERNEL32(?), ref: 00C2B439
                • CloseHandle.KERNEL32(00000000), ref: 00C2B44A
                • CloseHandle.KERNEL32(00000000), ref: 00C2B45C
                • CloseHandle.KERNEL32(00000000), ref: 00C2B46E
                • CloseHandle.KERNEL32(?), ref: 00C2B4E3
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                • String ID:
                • API String ID: 2178637699-0
                • Opcode ID: 609c89ead11c10dc99a7c8cfcf62e28b1a2bf91a70b0668e70ae7813e4905c27
                • Instruction ID: c38bfcd62e1858ffa6c49f6607251937f2b22ecb3598d53c8d08e97351ce09b1
                • Opcode Fuzzy Hash: 609c89ead11c10dc99a7c8cfcf62e28b1a2bf91a70b0668e70ae7813e4905c27
                • Instruction Fuzzy Hash: 2CF1AD71608310DFC714EF24D891B6EBBE1AF85310F18859DF8A99B2A2DB71ED44CB52
                APIs
                • GetMenuItemCount.USER32(00C71990), ref: 00BE2F8D
                • GetMenuItemCount.USER32(00C71990), ref: 00BE303D
                • GetCursorPos.USER32(?), ref: 00BE3081
                • SetForegroundWindow.USER32(00000000), ref: 00BE308A
                • TrackPopupMenuEx.USER32(00C71990,00000000,?,00000000,00000000,00000000), ref: 00BE309D
                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BE30A9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                • String ID: 0
                • API String ID: 36266755-4108050209
                • Opcode ID: 0687da9bcac0de0843858e06cbb97c22fe451af00b0ae5cef704149b0c22a6d7
                • Instruction ID: fe53a2c25614156acc7c4bf2ee98a479f51a56ce45ac803f978f78ca07143f34
                • Opcode Fuzzy Hash: 0687da9bcac0de0843858e06cbb97c22fe451af00b0ae5cef704149b0c22a6d7
                • Instruction Fuzzy Hash: 86713531644255BEEB218F25CC89FAEBFE8FF01724F244256F5246A1E0C7B1AD50DB90
                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C1C4B0
                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C1C4C3
                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C1C4D7
                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C1C4F0
                • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C1C533
                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C1C549
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C1C554
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C1C584
                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C1C5DC
                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C1C5F0
                • InternetCloseHandle.WININET(00000000), ref: 00C1C5FB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                • String ID:
                • API String ID: 3800310941-3916222277
                • Opcode ID: a4354c69d8a8892ddc03aa99dcdb748f17e48ce87db77ab58a795ecb437507d3
                • Instruction ID: 877502e33412a9674532a65e17646927b15894f8579639fddd8a2e966813764d
                • Opcode Fuzzy Hash: a4354c69d8a8892ddc03aa99dcdb748f17e48ce87db77ab58a795ecb437507d3
                • Instruction Fuzzy Hash: B0513AB1540208BFDB218F65C9C8BBF7BBDEB0A754F004419F956E6210DB34EA84AB60
                APIs
                • VariantInit.OLEAUT32(00000000), ref: 00C11502
                • VariantCopy.OLEAUT32(?,?), ref: 00C1150B
                • VariantClear.OLEAUT32(?), ref: 00C11517
                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C115FB
                • VarR8FromDec.OLEAUT32(?,?), ref: 00C11657
                • VariantInit.OLEAUT32(?), ref: 00C11708
                • SysFreeString.OLEAUT32(?), ref: 00C1178C
                • VariantClear.OLEAUT32(?), ref: 00C117D8
                • VariantClear.OLEAUT32(?), ref: 00C117E7
                • VariantInit.OLEAUT32(00000000), ref: 00C11823
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                • String ID: %4d%02d%02d%02d%02d%02d$Default
                • API String ID: 1234038744-3931177956
                • Opcode ID: dfc6cda0b1c716cc8fbb2a28b8c91c3e949f514e2845f31ab0bea3ad18ff000b
                • Instruction ID: 63cec1f56a1cf3c24d126d50ad4a6ae5f36b218ed84ba707115adec0662e8d8e
                • Opcode Fuzzy Hash: dfc6cda0b1c716cc8fbb2a28b8c91c3e949f514e2845f31ab0bea3ad18ff000b
                • Instruction Fuzzy Hash: FDD11531A00119DBCB109F65D884BFDB7F6BF46700F188095FA56AB180DB78DD80EB92
                APIs
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                  • Part of subcall function 00C2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C2B6AE,?,?), ref: 00C2C9B5
                  • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2C9F1
                  • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA68
                  • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA9E
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2B6F4
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C2B772
                • RegDeleteValueW.ADVAPI32(?,?), ref: 00C2B80A
                • RegCloseKey.ADVAPI32(?), ref: 00C2B87E
                • RegCloseKey.ADVAPI32(?), ref: 00C2B89C
                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C2B8F2
                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C2B904
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C2B922
                • FreeLibrary.KERNEL32(00000000), ref: 00C2B983
                • RegCloseKey.ADVAPI32(00000000), ref: 00C2B994
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                • String ID: RegDeleteKeyExW$advapi32.dll
                • API String ID: 146587525-4033151799
                • Opcode ID: 34ff2e42e157daa62557085c84c8ed3843ea3a11a1cf5696aeb93aef64bac6eb
                • Instruction ID: e728d59b44ad61e70c00fb147a64a07fccf3b152c4fd47685b07e4c17a5f94b8
                • Opcode Fuzzy Hash: 34ff2e42e157daa62557085c84c8ed3843ea3a11a1cf5696aeb93aef64bac6eb
                • Instruction Fuzzy Hash: B6C1AC34208211AFD714DF24D495F2ABBE5FF85308F14849CF5AA8B6A2CB31ED45CB91
                APIs
                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C35504
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C35515
                • CharNextW.USER32(00000158), ref: 00C35544
                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C35585
                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C3559B
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C355AC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$CharNext
                • String ID: @U=u
                • API String ID: 1350042424-2594219639
                • Opcode ID: efccf3fe8b2a7243fb699121f2e4c620bc7f0e88ca799ad28e1ee09a49c9274d
                • Instruction ID: 29ec1b69d9c06257b20f639e58d91bc3ca8ef4e8d88536e3ae29c6d9a780d873
                • Opcode Fuzzy Hash: efccf3fe8b2a7243fb699121f2e4c620bc7f0e88ca799ad28e1ee09a49c9274d
                • Instruction Fuzzy Hash: 5D618B71920608AFDF10DF95CC85AFE7BB9EB0A720F108145F925AA291D7749B81DFA0
                APIs
                • GetDC.USER32(00000000), ref: 00C225D8
                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C225E8
                • CreateCompatibleDC.GDI32(?), ref: 00C225F4
                • SelectObject.GDI32(00000000,?), ref: 00C22601
                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C2266D
                • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C226AC
                • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C226D0
                • SelectObject.GDI32(?,?), ref: 00C226D8
                • DeleteObject.GDI32(?), ref: 00C226E1
                • DeleteDC.GDI32(?), ref: 00C226E8
                • ReleaseDC.USER32(00000000,?), ref: 00C226F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                • String ID: (
                • API String ID: 2598888154-3887548279
                • Opcode ID: 7496448a6a3a1d9fa64bc916cef1497f9c92ccc4b6e43ea65e250af54daa98d0
                • Instruction ID: d9c3d8764872d0bed250352a0da5b2ecf236cbb56823d4d0eb9d3bca2b23d0b8
                • Opcode Fuzzy Hash: 7496448a6a3a1d9fa64bc916cef1497f9c92ccc4b6e43ea65e250af54daa98d0
                • Instruction Fuzzy Hash: 4261E276D00219EFCF14CFA8D884AAEBBF6FF48310F208529E955A7250D774A951DFA0
                APIs
                • timeGetTime.WINMM ref: 00C0E6B4
                  • Part of subcall function 00BBE551: timeGetTime.WINMM(?,?,00C0E6D4), ref: 00BBE555
                • Sleep.KERNEL32(0000000A), ref: 00C0E6E1
                • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C0E705
                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C0E727
                • SetActiveWindow.USER32 ref: 00C0E746
                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C0E754
                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C0E773
                • Sleep.KERNEL32(000000FA), ref: 00C0E77E
                • IsWindow.USER32 ref: 00C0E78A
                • EndDialog.USER32(00000000), ref: 00C0E79B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                • String ID: @U=u$BUTTON
                • API String ID: 1194449130-2582809321
                • Opcode ID: 4e0b38c9e1dd85083a57bcf917b7320e26c9788b2e8b0b1cabab5acd3159cf4f
                • Instruction ID: 3ada18c06d76c8fb49f3d3e6b204ad62943dbf76e9a2c520443a1bd2a4e04ceb
                • Opcode Fuzzy Hash: 4e0b38c9e1dd85083a57bcf917b7320e26c9788b2e8b0b1cabab5acd3159cf4f
                • Instruction Fuzzy Hash: 7C21A570250604AFEB106F64ECC9B2D3B6DF754389F140825F91AD11F1DB71AC40EB24
                APIs
                • ___free_lconv_mon.LIBCMT ref: 00BDDAA1
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD659
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD66B
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD67D
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD68F
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6A1
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6B3
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6C5
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6D7
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6E9
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD6FB
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD70D
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD71F
                  • Part of subcall function 00BDD63C: _free.LIBCMT ref: 00BDD731
                • _free.LIBCMT ref: 00BDDA96
                  • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                  • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                • _free.LIBCMT ref: 00BDDAB8
                • _free.LIBCMT ref: 00BDDACD
                • _free.LIBCMT ref: 00BDDAD8
                • _free.LIBCMT ref: 00BDDAFA
                • _free.LIBCMT ref: 00BDDB0D
                • _free.LIBCMT ref: 00BDDB1B
                • _free.LIBCMT ref: 00BDDB26
                • _free.LIBCMT ref: 00BDDB5E
                • _free.LIBCMT ref: 00BDDB65
                • _free.LIBCMT ref: 00BDDB82
                • _free.LIBCMT ref: 00BDDB9A
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID:
                • API String ID: 161543041-0
                • Opcode ID: a393b98b9347255d43ac8206d6fab5d9af89111889d8ce3854470f674872c004
                • Instruction ID: e223bb26a51d9ea730e9cc9c2287456d3a94fc1fb92a36635a21e916effad5ef
                • Opcode Fuzzy Hash: a393b98b9347255d43ac8206d6fab5d9af89111889d8ce3854470f674872c004
                • Instruction Fuzzy Hash: DE315A356046459FEB21AB38E845B6AF7E8FF10314F1584ABE489D7391FA34AC409B20
                APIs
                • GetClassNameW.USER32(?,?,00000100), ref: 00C0369C
                • _wcslen.LIBCMT ref: 00C036A7
                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C03797
                • GetClassNameW.USER32(?,?,00000400), ref: 00C0380C
                • GetDlgCtrlID.USER32(?), ref: 00C0385D
                • GetWindowRect.USER32(?,?), ref: 00C03882
                • GetParent.USER32(?), ref: 00C038A0
                • ScreenToClient.USER32(00000000), ref: 00C038A7
                • GetClassNameW.USER32(?,?,00000100), ref: 00C03921
                • GetWindowTextW.USER32(?,?,00000400), ref: 00C0395D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                • String ID: %s%u
                • API String ID: 4010501982-679674701
                • Opcode ID: bd7de48f233970aa84afb7567825555be23c34fc71d7177785a718e03a5dc67b
                • Instruction ID: 8de6e12f5f6a555d261b9e6daa6b5b5c8c73d761f517ce660d75ff8fe8af9335
                • Opcode Fuzzy Hash: bd7de48f233970aa84afb7567825555be23c34fc71d7177785a718e03a5dc67b
                • Instruction Fuzzy Hash: CE918C71204646AFDB19DF24C885FAAB7ECFF44350F008629F9A9D21D1DB30EA55CBA1
                APIs
                • GetClassNameW.USER32(?,?,00000400), ref: 00C04994
                • GetWindowTextW.USER32(?,?,00000400), ref: 00C049DA
                • _wcslen.LIBCMT ref: 00C049EB
                • CharUpperBuffW.USER32(?,00000000), ref: 00C049F7
                • _wcsstr.LIBVCRUNTIME ref: 00C04A2C
                • GetClassNameW.USER32(00000018,?,00000400), ref: 00C04A64
                • GetWindowTextW.USER32(?,?,00000400), ref: 00C04A9D
                • GetClassNameW.USER32(00000018,?,00000400), ref: 00C04AE6
                • GetClassNameW.USER32(?,?,00000400), ref: 00C04B20
                • GetWindowRect.USER32(?,?), ref: 00C04B8B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                • String ID: ThumbnailClass
                • API String ID: 1311036022-1241985126
                • Opcode ID: 9f32189cec097eb2da0193328c4d067811833d7bb41439bba846363ab5283b83
                • Instruction ID: 4a447998a54827e620849f869387d999732e62eec11d0ac52c9e8562a894913a
                • Opcode Fuzzy Hash: 9f32189cec097eb2da0193328c4d067811833d7bb41439bba846363ab5283b83
                • Instruction Fuzzy Hash: 5A919CB21082059BDB18DF14C985FAB77E8FF84354F048469FE959A0D6EB30EE45CBA1
                APIs
                  • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C38D5A
                • GetFocus.USER32 ref: 00C38D6A
                • GetDlgCtrlID.USER32(00000000), ref: 00C38D75
                • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00C38E1D
                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C38ECF
                • GetMenuItemCount.USER32(?), ref: 00C38EEC
                • GetMenuItemID.USER32(?,00000000), ref: 00C38EFC
                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C38F2E
                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C38F70
                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C38FA1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                • String ID: 0
                • API String ID: 1026556194-4108050209
                • Opcode ID: 857edbfc38d9da409f7700552ffdf57c7c3a9372e552bce426e85743e698c1db
                • Instruction ID: 54b9bc9255a1a2ce1042d32657c922e723273af9aca3f4d11a6f07f1f21db1a6
                • Opcode Fuzzy Hash: 857edbfc38d9da409f7700552ffdf57c7c3a9372e552bce426e85743e698c1db
                • Instruction Fuzzy Hash: BC81CF715183019FDB20CF24C884AAFBBE9FF88314F14095DF9A4A7291DB70DA08DBA1
                APIs
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C2CC64
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C2CC8D
                • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C2CD48
                  • Part of subcall function 00C2CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C2CCAA
                  • Part of subcall function 00C2CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C2CCBD
                  • Part of subcall function 00C2CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C2CCCF
                  • Part of subcall function 00C2CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C2CD05
                  • Part of subcall function 00C2CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C2CD28
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C2CCF3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                • String ID: RegDeleteKeyExW$advapi32.dll
                • API String ID: 2734957052-4033151799
                • Opcode ID: f3bd8e2c752665007434adedbdf21698e20e75d6a941434c1bf78b294d5364d8
                • Instruction ID: 0e58cf50d1e116c287d4149a66197beb8a184db695e6b8c52b49a2c846b64817
                • Opcode Fuzzy Hash: f3bd8e2c752665007434adedbdf21698e20e75d6a941434c1bf78b294d5364d8
                • Instruction Fuzzy Hash: EE315A76901129BBDB208B65ECC8FFFBB7CEF45750F000165E916E3240DA749A45ABA0
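The per-function listings in this section, such as the GDI screen-capture chain (GetDC, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits) and the recursive registry-key deletion just above that resolves RegDeleteKeyExW through LoadLibraryA and GetProcAddress, are the raw material a triager works from. As an added example, not part of the Joe Sandbox report or its IDA plugin, here is a small Python parser for this listing format that extracts each call's API name, module, arguments, call-site address and subcall marker, tags the behaviour chains visible on this page, and pulls out the string arguments the plugin resolved (DLL names, export names, control class names, MCI commands). The two sample listings embedded in the block are copied from this report; the behaviour tag names and the API sets behind them are the example's own assumptions, not report signatures.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and tag the behaviour chains they show."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One listing line, as the Joe Sandbox IDA plugin prints it, looks like:
#   • GetDC.USER32(00000000), ref: 00C225D8
#   • _free.LIBCMT ref: 00BDDA96
#   • Part of subcall function 00C2CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C2CCCF
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Arguments the plugin prints as 32-bit immediates (optionally negative) or as '?' (unresolved).
LITERAL_ARG = re.compile(r"^-?[0-9A-F]{8}$|^\?$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                       # call-site address in the dumped image
    subcall: Optional[str] = None  # callee address when the call sits in a subroutine


def parse_listing(text: str) -> List[ApiCall]:
    """Parse every bullet API line of one function listing; headers and other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args") or ""
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return calls


# Behaviour chains seen in this report. Tag names and API sets are this example's own
# (assumption), not Joe Sandbox signature names; a tag fires only when its whole set is present.
BEHAVIOURS = {
    "screen_capture": {"GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC", "StretchBlt", "GetDIBits"},
    "recursive_registry_key_delete": {"RegEnumKeyExW", "RegOpenKeyExW", "RegDeleteKeyW"},
    "dynamic_api_resolution": {"LoadLibraryA", "GetProcAddress"},
    "remote_registry_over_smb": {"WNetAddConnection2W", "RegConnectRegistryW"},
    "window_text_harvesting": {"GetClassNameW", "GetWindowTextW"},
    "mci_audio_playback": {"mciSendStringW"},
}


def classify(calls: List[ApiCall], include_subcalls: bool = True) -> List[str]:
    """Sorted behaviour tags whose full API set appears in the listing (optionally direct calls only)."""
    names = {c.name for c in calls if include_subcalls or c.subcall is None}
    return sorted(tag for tag, needed in BEHAVIOURS.items() if needed <= names)


def string_args(calls: List[ApiCall]) -> Set[str]:
    """Arguments the plugin resolved to strings: DLL/export names, window classes, MCI commands, paths."""
    return {a for c in calls for a in c.args
            if a and not LITERAL_ARG.match(a) and not a.startswith("Function_")}


# Sample inputs copied from the listings in this report.
SAMPLE_SCREEN_CAPTURE = """\
APIs
• GetDC.USER32(00000000), ref: 00C225D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C225E8
• CreateCompatibleDC.GDI32(?), ref: 00C225F4
• SelectObject.GDI32(00000000,?), ref: 00C22601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C2266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C226AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C226D0
• SelectObject.GDI32(?,?), ref: 00C226D8
• DeleteObject.GDI32(?), ref: 00C226E1
• DeleteDC.GDI32(?), ref: 00C226E8
• ReleaseDC.USER32(00000000,?), ref: 00C226F3
Strings
"""

SAMPLE_REGISTRY_DELETE = """\
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C2CC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C2CC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C2CD48
  • Part of subcall function 00C2CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C2CCAA
  • Part of subcall function 00C2CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C2CCBD
  • Part of subcall function 00C2CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C2CCCF
  • Part of subcall function 00C2CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C2CD05
  • Part of subcall function 00C2CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C2CD28
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00C2CCF3
Strings
"""

if __name__ == "__main__":
    for label, text in (("screen capture", SAMPLE_SCREEN_CAPTURE), ("registry delete", SAMPLE_REGISTRY_DELETE)):
        calls = parse_listing(text)
        print(label, len(calls), "calls", classify(calls), sorted(string_args(calls)))
```

Two caveats when using tags like these on this sample. First, the report identifies pagamento.exe as a compiled AutoIt script, and every chain in this section (screen capture, the `PlayMe` MCI commands, the recursive registry delete with its RegDeleteKeyExW fallback, the `Error: ... Line %d (File "%s")` message box) is consistent with built-in functions of the AutoIt runtime rather than the embedded script, so a tag says what the interpreter can do, not what this script does; use it to prioritise which functions to read, not as a verdict. Second, `include_subcalls=False` is worth checking separately: in the registry-delete listing the LoadLibraryA/GetProcAddress pair only appears inside the callee, so the `dynamic_api_resolution` tag disappears when subcalls are excluded, which is exactly the distinction between "this function resolves an import at runtime" and "something it calls does".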
                APIs
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C0EA5D
                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C0EA73
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C0EA84
                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C0EA96
                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C0EAA7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: SendString$_wcslen
                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                • API String ID: 2420728520-1007645807
                • Opcode ID: 342e9af40fb3cda4d9a9010306c627639e40d619f48688ccc3513b31bc777fbf
                • Instruction ID: 4682a41bcde6883a448c531ccc4dc2c5da70cbf21a7ea02c60dceae94b16deac
                • Opcode Fuzzy Hash: 342e9af40fb3cda4d9a9010306c627639e40d619f48688ccc3513b31bc777fbf
                • Instruction Fuzzy Hash: 82113731A9426979D720A762DC8AEFF6ABCEFD6F40F4408797811A20D1EFB05A45C5B0
                APIs
                • GetDlgItem.USER32(?,00000001), ref: 00C05CE2
                • GetWindowRect.USER32(00000000,?), ref: 00C05CFB
                • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C05D59
                • GetDlgItem.USER32(?,00000002), ref: 00C05D69
                • GetWindowRect.USER32(00000000,?), ref: 00C05D7B
                • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C05DCF
                • GetDlgItem.USER32(?,000003E9), ref: 00C05DDD
                • GetWindowRect.USER32(00000000,?), ref: 00C05DEF
                • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C05E31
                • GetDlgItem.USER32(?,000003EA), ref: 00C05E44
                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C05E5A
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00C05E67
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$ItemMoveRect$Invalidate
                • String ID:
                • API String ID: 3096461208-0
                • Opcode ID: f1ac61c605ddf7b0c73d6341dd2b6f1811a19a4d4aa55578f750bb69e1127107
                • Instruction ID: ca8fa57b947c29638b57150983c5e5462b3b5107dcc79e2affd03a4a2f926d79
                • Opcode Fuzzy Hash: f1ac61c605ddf7b0c73d6341dd2b6f1811a19a4d4aa55578f750bb69e1127107
                • Instruction Fuzzy Hash: BA51FBB5A10619AFDF18CF68DD89BAEBBB9EB48300F148129F915E6290D7709E04CF50
                APIs
                  • Part of subcall function 00BB8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BB8BE8,?,00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BB8FC5
                • DestroyWindow.USER32(?), ref: 00BB8C81
                • KillTimer.USER32(00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BB8D1B
                • DestroyAcceleratorTable.USER32(00000000), ref: 00BF6973
                • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BF69A1
                • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00BB8BBA,00000000,?), ref: 00BF69B8
                • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00BB8BBA,00000000), ref: 00BF69D4
                • DeleteObject.GDI32(00000000), ref: 00BF69E6
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                • String ID:
                • API String ID: 641708696-0
                • Opcode ID: 9145c2a85f1f4db9d6e543b513511e4376ab68105ada99f1c610e6c86a05b6f5
                • Instruction ID: eb75d58a7200ef7ff1b63fcda1c3751f2b41e30eddfcddfcc0b2425ad0b056f4
                • Opcode Fuzzy Hash: 9145c2a85f1f4db9d6e543b513511e4376ab68105ada99f1c610e6c86a05b6f5
                • Instruction Fuzzy Hash: B261DB31012604DFCB259F18C989BBD7BF5FB04312F1884ACEA469B5A0CBB1A8C5DF90
                APIs
                  • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                • GetSysColor.USER32(0000000F), ref: 00BB9862
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ColorLongWindow
                • String ID:
                • API String ID: 259745315-0
                • Opcode ID: 2897bfc5e816727288027dab07be7ac1f4f71e56c5af36775a29c3402209f22b
                • Instruction ID: 10383beb601937148f7ac33d2ceff3f7cad851ce27fb6e5e4ce9d103433005e7
                • Opcode Fuzzy Hash: 2897bfc5e816727288027dab07be7ac1f4f71e56c5af36775a29c3402209f22b
                • Instruction Fuzzy Hash: 51417C31144644AFDB215B389C88BBD3BF5EB16370F144699FAB2972E1D7B19842EB10
                APIs
                • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00C35186
                • ShowWindow.USER32(?,00000000), ref: 00C351C7
                • ShowWindow.USER32(?,00000005,?,00000000), ref: 00C351CD
                • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00C351D1
                  • Part of subcall function 00C36FBA: DeleteObject.GDI32(00000000), ref: 00C36FE6
                • GetWindowLongW.USER32(?,000000F0), ref: 00C3520D
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C3521A
                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C3524D
                • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00C35287
                • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00C35296
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                • String ID: @U=u
                • API String ID: 3210457359-2594219639
                • Opcode ID: 70c767354c786eb493d6b5e8408d1ebef5a7283c1981828c5c3fdb32de1a9d74
                • Instruction ID: 0a701ac7875dbd9aa212af1eae6d7abc91ada1c5eb15c2b32a1ca358d5cb0327
                • Opcode Fuzzy Hash: 70c767354c786eb493d6b5e8408d1ebef5a7283c1981828c5c3fdb32de1a9d74
                • Instruction Fuzzy Hash: 2C519230A60A08BFEF209F25CC4ABDD3BA5FB05361F144511FA25962E1C776AA90DB41
                APIs
                • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00BF6890
                • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BF68A9
                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BF68B9
                • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BF68D1
                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BF68F2
                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00BF6901
                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BF691E
                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BB8874,00000000,00000000,00000000,000000FF,00000000), ref: 00BF692D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Icon$DestroyExtractImageLoadMessageSend
                • String ID: @U=u
                • API String ID: 1268354404-2594219639
                • Opcode ID: 69cae79b3289c9fb076b3cbcdd8eb27668ec76e2d1874a1765f6e5168c77be0a
                • Instruction ID: 6d3394f21100f192ecedfa5e8cbc6f5dc5eea187f5ff9a7fab5d25e5f88b46b9
                • Opcode Fuzzy Hash: 69cae79b3289c9fb076b3cbcdd8eb27668ec76e2d1874a1765f6e5168c77be0a
                • Instruction Fuzzy Hash: 05517B70610209EFDB20CF24CC95BBE7BF9EB48760F144558FA16A72A0DBB1E990DB50
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C09717
                • LoadStringW.USER32(00000000,?,00BEF7F8,00000001), ref: 00C09720
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BEF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C09742
                • LoadStringW.USER32(00000000,?,00BEF7F8,00000001), ref: 00C09745
                • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C09866
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message_wcslen
                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                • API String ID: 747408836-2268648507
                • Opcode ID: 1dc0cd3f5aaf04e6d5af24b90f991f2e39cab74c73fb396869e06a225d647b4e
                • Instruction ID: a608aea76454e3e4cfe74bd34181a7f357dbb5d2d3af4b86b9d41a73cf8eb75d
                • Opcode Fuzzy Hash: 1dc0cd3f5aaf04e6d5af24b90f991f2e39cab74c73fb396869e06a225d647b4e
                • Instruction Fuzzy Hash: 10414F72804219AACF14EBE0CD86EEEB7B8EF16740F1440A5F50572092EF356F49DB61
                APIs
                  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C007A2
                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C007BE
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C007DA
                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C00804
                • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C0082C
                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C00837
                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C0083C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                • API String ID: 323675364-22481851
                • Opcode ID: af343ffce847e13f26031f2ee4bc0a567941afa2bb7f0ffab856165390171b46
                • Instruction ID: 1b23f7332a91dd2a089fb6fa36484493de37607fd06dcf35ee7ef0e1a5fbbabc
                • Opcode Fuzzy Hash: af343ffce847e13f26031f2ee4bc0a567941afa2bb7f0ffab856165390171b46
                • Instruction Fuzzy Hash: 3D411972C14229ABCF15EBA4DC85EEDB7B8BF04750F554169E911B31A1EB345E04CBA0
                APIs
                • CoInitialize.OLE32(00000000), ref: 00C17AF3
                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C17B8F
                • SHGetDesktopFolder.SHELL32(?), ref: 00C17BA3
                • CoCreateInstance.OLE32(00C3FD08,00000000,00000001,00C66E6C,?), ref: 00C17BEF
                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C17C74
                • CoTaskMemFree.OLE32(?,?), ref: 00C17CCC
                • SHBrowseForFolderW.SHELL32(?), ref: 00C17D57
                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C17D7A
                • CoTaskMemFree.OLE32(00000000), ref: 00C17D81
                • CoTaskMemFree.OLE32(00000000), ref: 00C17DD6
                • CoUninitialize.OLE32 ref: 00C17DDC
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                • String ID:
                • API String ID: 2762341140-0
                • Opcode ID: 0c158fd2b28c16c9e886e2edb280588daeee9d8c9b1cd941a2c8fec76f9fdc01
                • Instruction ID: 0c8d50c271c0d177dbf5100e69326934599bd6c384ebb28dd926aaa14122426d
                • Opcode Fuzzy Hash: 0c158fd2b28c16c9e886e2edb280588daeee9d8c9b1cd941a2c8fec76f9fdc01
                • Instruction Fuzzy Hash: 93C12C75A04109AFCB14DF64C898DAEBBF5FF49304B148599F816DB261D730EE81DB90
                APIs
                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BFFAAF
                • SafeArrayAllocData.OLEAUT32(?), ref: 00BFFB08
                • VariantInit.OLEAUT32(?), ref: 00BFFB1A
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00BFFB3A
                • VariantCopy.OLEAUT32(?,?), ref: 00BFFB8D
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00BFFBA1
                • VariantClear.OLEAUT32(?), ref: 00BFFBB6
                • SafeArrayDestroyData.OLEAUT32(?), ref: 00BFFBC3
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BFFBCC
                • VariantClear.OLEAUT32(?), ref: 00BFFBDE
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BFFBE9
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                • String ID:
                • API String ID: 2706829360-0
                • Opcode ID: 6ea4461533c49638caf138d1abcb2a467e163b4ef4e414254c053f8f893229c0
                • Instruction ID: 5255023fa8642b312e561d6b6431156310d414f604a980a7bee255e8054cf72a
                • Opcode Fuzzy Hash: 6ea4461533c49638caf138d1abcb2a467e163b4ef4e414254c053f8f893229c0
                • Instruction Fuzzy Hash: 64412135A0021A9FCF10DF64D894ABDBBB9EF48354F008065E955A7261DB34E945CF90
                APIs
                • WSAStartup.WSOCK32(00000101,?), ref: 00C205BC
                • inet_addr.WSOCK32(?), ref: 00C2061C
                • gethostbyname.WSOCK32(?), ref: 00C20628
                • IcmpCreateFile.IPHLPAPI ref: 00C20636
                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C206C6
                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C206E5
                • IcmpCloseHandle.IPHLPAPI(?), ref: 00C207B9
                • WSACleanup.WSOCK32 ref: 00C207BF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                • String ID: Ping
                • API String ID: 1028309954-2246546115
                • Opcode ID: 39d17166ff3e888d866625eeb1831a883a66ee246b80e76328c3702c960246b6
                • Instruction ID: 32f53fc2779a8b52fadc0214dba9eb280aa9ef97272c50ab9c3270794964ee6c
                • Opcode Fuzzy Hash: 39d17166ff3e888d866625eeb1831a883a66ee246b80e76328c3702c960246b6
                • Instruction Fuzzy Hash: 03919D356082119FD320DF15D888F1ABBE0EF45718F2485AAF4699BAA3C770EE45CF91
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$BuffCharLower
                • String ID: cdecl$none$stdcall$winapi
                • API String ID: 707087890-567219261
                • Opcode ID: 1c53385dea7dd9c73ba0bad58baeb60c063ad68904a91198ae50746a9a29e12f
                • Instruction ID: da93edcc0b84195bd5f8e4667ed6ca49ba4759488904aafad1286b04ef03437b
                • Opcode Fuzzy Hash: 1c53385dea7dd9c73ba0bad58baeb60c063ad68904a91198ae50746a9a29e12f
                • Instruction Fuzzy Hash: 9D51D236A051279BCF24DF6CD8809BEB3E5BF65724B214229E426E76C4DB30DE48C790
                APIs
                • CoInitialize.OLE32 ref: 00C23774
                • CoUninitialize.OLE32 ref: 00C2377F
                • CoCreateInstance.OLE32(?,00000000,00000017,00C3FB78,?), ref: 00C237D9
                • IIDFromString.OLE32(?,?), ref: 00C2384C
                • VariantInit.OLEAUT32(?), ref: 00C238E4
                • VariantClear.OLEAUT32(?), ref: 00C23936
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                • API String ID: 636576611-1287834457
                • Opcode ID: 1c6b356722a558adaef4676ebefcfdc5b87b5cd564ebd8ef9a138068e2f42f63
                • Instruction ID: b4eeceaf1d7bd6579d85cc5f923f8ac2ab372f432cd680dcc2090afdca353b87
                • Opcode Fuzzy Hash: 1c6b356722a558adaef4676ebefcfdc5b87b5cd564ebd8ef9a138068e2f42f63
                • Instruction Fuzzy Hash: 5661D070608361AFD310DF64D888F6EB7E8EF49714F10081AF9959B691C774EE88CB92
                APIs
                • SetWindowLongW.USER32(?,000000EB), ref: 00BA5C7A
                  • Part of subcall function 00BA5D0A: GetClientRect.USER32(?,?), ref: 00BA5D30
                  • Part of subcall function 00BA5D0A: GetWindowRect.USER32(?,?), ref: 00BA5D71
                  • Part of subcall function 00BA5D0A: ScreenToClient.USER32(?,?), ref: 00BA5D99
                • GetDC.USER32 ref: 00BE46F5
                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BE4708
                • SelectObject.GDI32(00000000,00000000), ref: 00BE4716
                • SelectObject.GDI32(00000000,00000000), ref: 00BE472B
                • ReleaseDC.USER32(?,00000000), ref: 00BE4733
                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BE47C4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                • String ID: @U=u$U
                • API String ID: 4009187628-4110099822
                • Opcode ID: 64acd5e2da4083ffe0021c1bf883849b483acebacf5ed3077e1258ccff667d29
                • Instruction ID: 8452f54488eec2a4442c97241c8e8175c56bf108d01ea65fc0ce1faacf5afcf8
                • Opcode Fuzzy Hash: 64acd5e2da4083ffe0021c1bf883849b483acebacf5ed3077e1258ccff667d29
                • Instruction Fuzzy Hash: 9271FD30404245EFCF218F65C984AAE7BF5FF4A320F1842E9ED565A2AAC7319D81DF90
                APIs
                  • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                  • Part of subcall function 00BB912D: GetCursorPos.USER32(?), ref: 00BB9141
                  • Part of subcall function 00BB912D: ScreenToClient.USER32(00000000,?), ref: 00BB915E
                  • Part of subcall function 00BB912D: GetAsyncKeyState.USER32(00000001), ref: 00BB9183
                  • Part of subcall function 00BB912D: GetAsyncKeyState.USER32(00000002), ref: 00BB919D
                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00C38B6B
                • ImageList_EndDrag.COMCTL32 ref: 00C38B71
                • ReleaseCapture.USER32 ref: 00C38B77
                • SetWindowTextW.USER32(?,00000000), ref: 00C38C12
                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C38C25
                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00C38CFF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                • String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
                • API String ID: 1924731296-2104563098
                • Opcode ID: 614c17a7f5f9cf5032dd001e811720a93f84333c26dbfcad81d1db41e7855a6b
                • Instruction ID: 4a09a0bbef16721c231b1223e4610f9e0500be8558a0a9da1ead2df16e67a8d3
                • Opcode Fuzzy Hash: 614c17a7f5f9cf5032dd001e811720a93f84333c26dbfcad81d1db41e7855a6b
                • Instruction Fuzzy Hash: 89518A71118300AFD714DF24DC96FAE77E4FB88754F000669F996A72E1DB70AA48CB62
                APIs
                • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C133CF
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C133F0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: LoadString$_wcslen
                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                • API String ID: 4099089115-3080491070
                • Opcode ID: 4d16f22be902fb26471ded8af9b1f99b4c32b66a28430f5d26135f7a0535cad5
                • Instruction ID: fa734f54c6a6f440d89afe2d3a662f897c2285270a598ed646b78e15d0336db3
                • Opcode Fuzzy Hash: 4d16f22be902fb26471ded8af9b1f99b4c32b66a28430f5d26135f7a0535cad5
                • Instruction Fuzzy Hash: 05518071904209ABDF15EBE0CD82EEEB7B9EF05744F1440A5F505720A2EB356F98EB60
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$BuffCharUpper
                • String ID: APPEND$EXISTS$KEYS$REMOVE
                • API String ID: 1256254125-769500911
                • Opcode ID: 726205dacb0cfaf4e4c7ea22065479c7317ef5c43fbf3cb29f9394cc6ae435e9
                • Instruction ID: 4c4633b5693e491ebeae6250010b5ba8571c6f3b62d3f4c17522c494d4d0fcc1
                • Opcode Fuzzy Hash: 726205dacb0cfaf4e4c7ea22065479c7317ef5c43fbf3cb29f9394cc6ae435e9
                • Instruction Fuzzy Hash: 6241A432A001279ACB24DF7DC8905BEB7B5AFA1B54B244229F435DB2C4E732CE81C790
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00C153A0
                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C15416
                • GetLastError.KERNEL32 ref: 00C15420
                • SetErrorMode.KERNEL32(00000000,READY), ref: 00C154A7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Error$Mode$DiskFreeLastSpace
                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                • API String ID: 4194297153-14809454
                • Opcode ID: f851b0d210584cb2336e87ace9407193d97a7cf0fa761997607df05348d8b56b
                • Instruction ID: d7dbd440e434990d6d84e4907832d8a9b83b4c0e2a907faf1cf1262b18f7fbff
                • Opcode Fuzzy Hash: f851b0d210584cb2336e87ace9407193d97a7cf0fa761997607df05348d8b56b
                • Instruction Fuzzy Hash: 9A318D75A00604DFCB10DF68C484BEEBBB4EB86305F148065E415DB292DB71DEC6EB90
                APIs
                • CreateMenu.USER32 ref: 00C33C79
                • SetMenu.USER32(?,00000000), ref: 00C33C88
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C33D10
                • IsMenu.USER32(?), ref: 00C33D24
                • CreatePopupMenu.USER32 ref: 00C33D2E
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C33D5B
                • DrawMenuBar.USER32 ref: 00C33D63
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                • String ID: 0$F
                • API String ID: 161812096-3044882817
                • Opcode ID: 53b4b954e570449e36a7de1965f9b8d93be911f5a891535cb8b7d843c0f5499c
                • Instruction ID: 7a5a8a435446e85c275c25dc7d2436ec980c1c6ef309e2584a4b1db1b0efea26
                • Opcode Fuzzy Hash: 53b4b954e570449e36a7de1965f9b8d93be911f5a891535cb8b7d843c0f5499c
                • Instruction Fuzzy Hash: 44415779A21209AFDB14CF64D888BAE7BB5FF49350F140029FA56A7360D730AA10DF94
                APIs
                • DeleteObject.GDI32(00000000), ref: 00C32D1B
                • GetDC.USER32(00000000), ref: 00C32D23
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C32D2E
                • ReleaseDC.USER32(00000000,00000000), ref: 00C32D3A
                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C32D76
                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C32D87
                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C35A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00C32DC2
                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C32DE1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                • String ID: @U=u
                • API String ID: 3864802216-2594219639
                • Opcode ID: 99cd2faa21060d25f366d367d9f4bf6dd2411d7132f23bde18177cc9705a7025
                • Instruction ID: 31b6261eee0d0d822aabf925e3bada44ca674d44cc2840e4f167ce5f724c925c
                • Opcode Fuzzy Hash: 99cd2faa21060d25f366d367d9f4bf6dd2411d7132f23bde18177cc9705a7025
                • Instruction Fuzzy Hash: 6C317C72221214BFEF218F50CC8AFEF3BA9EF09715F044055FE08AA291C6759C50CBA4
                APIs
                • GetParent.USER32 ref: 00C020AB
                • GetClassNameW.USER32(00000000,?,00000100), ref: 00C020C0
                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C0214D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ClassMessageNameParentSend
                • String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
                • API String ID: 1290815626-1428604138
                • Opcode ID: 227279cb58b36dfabb14001c06c358b9f6576c76bbd28bc007b2821b71e470c7
                • Instruction ID: 86aa876274cba66310217bf5ca4596f8970e40f212179290039f60adc982f531
                • Opcode Fuzzy Hash: 227279cb58b36dfabb14001c06c358b9f6576c76bbd28bc007b2821b71e470c7
                • Instruction Fuzzy Hash: 2B113676288306BAFA252220DC0BEAE73ECCB04324F20006AFB04A40D1EB616D029614
                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C33A9D
                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C33AA0
                • GetWindowLongW.USER32(?,000000F0), ref: 00C33AC7
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C33AEA
                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C33B62
                • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C33BAC
                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C33BC7
                • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C33BE2
                • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C33BF6
                • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C33C13
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$LongWindow
                • String ID:
                • API String ID: 312131281-0
                • Opcode ID: 0ca7c9c4e4904eb8534fb0fc0ab503d31b6529b2e965f9b4eafb2f35c97bfdc5
                • Instruction ID: 7ff0a6847835e24355496c08d36167552d68ba840139c4702cb4886d08a1140f
                • Opcode Fuzzy Hash: 0ca7c9c4e4904eb8534fb0fc0ab503d31b6529b2e965f9b4eafb2f35c97bfdc5
                • Instruction Fuzzy Hash: 00617A75900248AFDB11DFA8CC81FEEB7F8EB09714F144199FA15A72A1C774AE81DB50
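The per-function API chains listed in this part of the report (ICMP echo via IcmpSendEcho, remote registry access via WNetAddConnection2W and RegConnectRegistryW, AttachThreadInput against the foreground window's thread, DllCall calling-convention strings) are consistent with the "compiled AutoIt script" verdict: they are the interpreter's built-in functions and are present in every compiled AutoIt binary, so they say little by themselves about what this sample's embedded script does. What they are good for is mechanical triage across many reports. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the report's "APIs" blocks into records (call name, module, argument list, address, whether the report attributes the call to a subcall) and flags blocks whose API set satisfies a rule. The embedded input is an excerpt of three blocks copied from this page; the rule names and the API combinations they require are assumptions made for this example, not Joe Sandbox signatures.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and flag
API combinations worth a second look.  Added example; not part of the report."""
import re
from dataclasses import dataclass, field

# Constructed sample: three "APIs" blocks copied from this report's function
# listing for pagamento.exe (hashes and addresses as printed on the page).
SAMPLE = r"""APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00C205BC
• inet_addr.WSOCK32(?), ref: 00C2061C
• gethostbyname.WSOCK32(?), ref: 00C20628
• IcmpCreateFile.IPHLPAPI ref: 00C20636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C206C6
• IcmpCloseHandle.IPHLPAPI(?), ref: 00C207B9
• WSACleanup.WSOCK32 ref: 00C207BF
Strings
Memory Dump Source
• Instruction Fuzzy Hash: 03919D356082119FD320DF15D888F1ABBE0EF45718F2485AAF4699BAA3C770EE45CF91
APIs
  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C007A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C007BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C007DA
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C00837
Strings
• Instruction Fuzzy Hash: 3D411972C14229ABCF15EBA4DC85EEDB7B8BF04750F554169E911B31A1EB345E04CBA0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00C0B151
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B165
• GetWindowThreadProcessId.USER32(00000000), ref: 00C0B16C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B17B
"""

# One "• Name.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function XXXX:".  Lines without an argument list
# ("IcmpCreateFile.IPHLPAPI ref: 00C20636") are accepted as well.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<addr>[0-9A-F]+)\s*$"
)
HASH_LINE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*(?P<h>[0-9A-F]+)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    addr: int
    via_subcall: bool  # True when the report attributes the call to a callee


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    fuzzy_hash: str = ""

    def api_names(self) -> set:
        return {c.name for c in self.calls}


def parse_blocks(text: str) -> list:
    """Split the report text at each "APIs" header and collect the calls and
    the Instruction Fuzzy Hash that follow it."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current.calls.append(ApiCall(
                m["name"], m["module"], m["args"] or "",
                int(m["addr"], 16), m["caller"] is not None))
            continue
        m = HASH_LINE.match(line)
        if m:
            current.fuzzy_hash = m["h"]
    return blocks


# Hypothetical rule names chosen for this example.  A rule fires only when
# every listed API appears in the same function block.
RULES = {
    "icmp_host_probe": {"IcmpCreateFile", "IcmpSendEcho"},
    "remote_registry_over_smb": {"WNetAddConnection2W", "RegConnectRegistryW"},
    "foreground_thread_input_attach": {"GetForegroundWindow", "AttachThreadInput"},
}


def triage(text: str) -> dict:
    """Map each flagged block's fuzzy hash (or its first call address when the
    report block carries no hash) to the sorted rule names it matched."""
    hits = {}
    for block in parse_blocks(text):
        names = block.api_names()
        matched = sorted(r for r, need in RULES.items() if need <= names)
        if matched:
            key = block.fuzzy_hash or f"{block.calls[0].addr:08X}"
            hits[key] = matched
    return hits


if __name__ == "__main__":
    for key, rules in triage(SAMPLE).items():
        print(key[:16], ", ".join(rules))
```

Keying hits on the Instruction Fuzzy Hash rather than on addresses is deliberate: the hash is what lets the same runtime function be recognised across differently based builds of the interpreter, whereas the `ref:` addresses change with every image base. When a block has no hash (the third block in the excerpt is cut off before its hash, as on this page), the first call address is used as a stand-in so the hit is not silently dropped.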
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 00C0B151
                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B165
                • GetWindowThreadProcessId.USER32(00000000), ref: 00C0B16C
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B17B
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C0B18D
                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B1A6
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B1B8
                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B1FD
                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B212
                • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C0A1E1,?,00000001), ref: 00C0B21D
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                • String ID:
                • API String ID: 2156557900-0
                • Opcode ID: 5f313fcc12dd882cbb45eda731a08a60e92a70f55696d0b4da75d5e2ba6cc197
                • Instruction ID: 347dfba4e476cece57e1e5f35bedfb7d50ee6a6deab1f17a71642c00cbd9d280
                • Opcode Fuzzy Hash: 5f313fcc12dd882cbb45eda731a08a60e92a70f55696d0b4da75d5e2ba6cc197
                • Instruction Fuzzy Hash: 2C31AB71510204BFDB10DF24DC89BAE7BB9BB61711F108409FA29E62D0D7B89E80CF60
                APIs
                • _free.LIBCMT ref: 00BD2C94
                  • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                  • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                • _free.LIBCMT ref: 00BD2CA0
                • _free.LIBCMT ref: 00BD2CAB
                • _free.LIBCMT ref: 00BD2CB6
                • _free.LIBCMT ref: 00BD2CC1
                • _free.LIBCMT ref: 00BD2CCC
                • _free.LIBCMT ref: 00BD2CD7
                • _free.LIBCMT ref: 00BD2CE2
                • _free.LIBCMT ref: 00BD2CED
                • _free.LIBCMT ref: 00BD2CFB
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 982dd32ede494c69e789583d43bdbfbe99cf7690923fca4ca8b089e5c0576dd7
                • Instruction ID: fb7a87aa778442165bf61b72f21b847dcd549a0afc34707516f07539d131cc4d
                • Opcode Fuzzy Hash: 982dd32ede494c69e789583d43bdbfbe99cf7690923fca4ca8b089e5c0576dd7
                • Instruction Fuzzy Hash: B411A47A100148AFCB02EF54D892CDDBBA5FF15350F4144A6FA489F322EA35EE50AB90
                APIs
                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BA1459
                • OleUninitialize.OLE32(?,00000000), ref: 00BA14F8
                • UnregisterHotKey.USER32(?), ref: 00BA16DD
                • DestroyWindow.USER32(?), ref: 00BE24B9
                • FreeLibrary.KERNEL32(?), ref: 00BE251E
                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BE254B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                • String ID: close all
                • API String ID: 469580280-3243417748
                • Opcode ID: 78a24d0b589901be7b11e218afc2c1d5aef667af5a32d979ea4119cf239ab4bf
                • Instruction ID: 72e37986d66f2f7beafa3f3cdf0458d02782c1b2ba25820020cce362db8d3ac6
                • Opcode Fuzzy Hash: 78a24d0b589901be7b11e218afc2c1d5aef667af5a32d979ea4119cf239ab4bf
                • Instruction Fuzzy Hash: F8D147717052528FCB19EF19C999A69F7E4BF06700F1546EDE44AAB252CB30AD12CF50
                APIs
                • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C135E4
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                • LoadStringW.USER32(00C72390,?,00000FFF,?), ref: 00C1360A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: LoadString$_wcslen
                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                • API String ID: 4099089115-2391861430
                • Opcode ID: 0497cafb391afa263a54f037aaea3d763f96b38b594ced1c2642a8484dc9d8ab
                • Instruction ID: 37781cfc86b801d781115f02b5d366ceb4c6ead135f02b8a91cce6c8d44f7a23
                • Opcode Fuzzy Hash: 0497cafb391afa263a54f037aaea3d763f96b38b594ced1c2642a8484dc9d8ab
                • Instruction Fuzzy Hash: 80518F71804249ABDF14EBA0CC82EEEBBB4EF05344F084165F515721A2EB301BD9EFA0
                APIs
                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C33925
                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C3393A
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C33954
                • _wcslen.LIBCMT ref: 00C33999
                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C339C6
                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C339F4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$Window_wcslen
                • String ID: @U=u$SysListView32
                • API String ID: 2147712094-1908207174
                • Opcode ID: 5f2acf0338083346679d402527c935b5f0e3a243a7e6b586c8c4dfff32307ba1
                • Instruction ID: 5f8de08b4c8f9d5369882384cd686e0e0613b2f81c97c99417f86c1425ea3b94
                • Opcode Fuzzy Hash: 5f2acf0338083346679d402527c935b5f0e3a243a7e6b586c8c4dfff32307ba1
                • Instruction Fuzzy Hash: B341A271A10358ABEB219F64CC49FEE77A9EF08350F140566F958E7281D7719A80CB90
                APIs
                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C32E1C
                • GetWindowLongW.USER32(00000000,000000F0), ref: 00C32E4F
                • GetWindowLongW.USER32(00000000,000000F0), ref: 00C32E84
                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C32EB6
                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C32EE0
                • GetWindowLongW.USER32(00000000,000000F0), ref: 00C32EF1
                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C32F0B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: LongWindow$MessageSend
                • String ID: @U=u
                • API String ID: 2178440468-2594219639
                • Opcode ID: 58bfe0d3a09b618d9d9bb5819e9afdbd273f92ba1401fee07b8adb2549bd548d
                • Instruction ID: 3008aa586455a5e060c4d8c1ffc6e6fa1c3fa9f33e165d452efcf345e3627e39
                • Opcode Fuzzy Hash: 58bfe0d3a09b618d9d9bb5819e9afdbd273f92ba1401fee07b8adb2549bd548d
                • Instruction Fuzzy Hash: 9F311331614250AFDF20CF58DC86F6937E0EB8AB21F180164FA149B2B1CB71AD80DB40
                APIs
                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C1C272
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C1C29A
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C1C2CA
                • GetLastError.KERNEL32 ref: 00C1C322
                • SetEvent.KERNEL32(?), ref: 00C1C336
                • InternetCloseHandle.WININET(00000000), ref: 00C1C341
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                • String ID:
                • API String ID: 3113390036-3916222277
                • Opcode ID: d99c11a14377d03f8b51ed6d09c8955a9d96fba440a1545c9c527939d2734898
                • Instruction ID: 43c373ca05f8a833bd47568cf31d34750a4522ad20b8cc30b9639c473c7b76f7
                • Opcode Fuzzy Hash: d99c11a14377d03f8b51ed6d09c8955a9d96fba440a1545c9c527939d2734898
                • Instruction Fuzzy Hash: 7F317FB1540604AFD7219F658CC8BEF7BFCEB4A744B50851DF466E2210DB34DD84AB61
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BE3AAF,?,?,Bad directive syntax error,00C3CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C098BC
                • LoadStringW.USER32(00000000,?,00BE3AAF,?), ref: 00C098C3
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C09987
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: HandleLoadMessageModuleString_wcslen
                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                • API String ID: 858772685-4153970271
                • Opcode ID: 9577f4f9f498ac70a2967c6c66aefaa301307bae45b508d6e3aca6fb367bfbba
                • Instruction ID: 3031df925eec97c3373fc1ed15a3900313ca1329fe2fe2723cdc50b16c8df036
                • Opcode Fuzzy Hash: 9577f4f9f498ac70a2967c6c66aefaa301307bae45b508d6e3aca6fb367bfbba
                • Instruction Fuzzy Hash: 4C218D3280421AABCF21EF90CC46FFE77B5FF19700F0444A9F519620A2EB719A18DB50
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                • String ID:
                • API String ID: 1282221369-0
                • Opcode ID: b0d83acf32167b3380cd04ded7e95ababbbdf339df36fde8e204ab6485ae91ad
                • Instruction ID: e40bd1277902ec4af53692416abe08fffaafe8b42ae8396c1e549099cd966c53
                • Opcode Fuzzy Hash: b0d83acf32167b3380cd04ded7e95ababbbdf339df36fde8e204ab6485ae91ad
                • Instruction Fuzzy Hash: 7B610FB1904342AFDB21AFB49895BADFFE5EF11310F1441EBE94497382F6319905D790
                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C1C182
                • GetLastError.KERNEL32 ref: 00C1C195
                • SetEvent.KERNEL32(?), ref: 00C1C1A9
                  • Part of subcall function 00C1C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C1C272
                  • Part of subcall function 00C1C253: GetLastError.KERNEL32 ref: 00C1C322
                  • Part of subcall function 00C1C253: SetEvent.KERNEL32(?), ref: 00C1C336
                  • Part of subcall function 00C1C253: InternetCloseHandle.WININET(00000000), ref: 00C1C341
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                • String ID:
                • API String ID: 337547030-0
                • Opcode ID: 8b8a0cb086132a2fe04efceae8a259efb65511a9cbb3bf70d37dc46a513857e9
                • Instruction ID: ebb8405c13f216b9efa6889b3dea77051d9b7e10140b0d73302e672544ff93a4
                • Opcode Fuzzy Hash: 8b8a0cb086132a2fe04efceae8a259efb65511a9cbb3bf70d37dc46a513857e9
                • Instruction Fuzzy Hash: 1D318F71280601BFDB219FA5DC84BAFBBF9FF1A300B10841DF96692610D731E954EB60
                APIs
                  • Part of subcall function 00C03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C03A57
                  • Part of subcall function 00C03A3D: GetCurrentThreadId.KERNEL32 ref: 00C03A5E
                  • Part of subcall function 00C03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C025B3), ref: 00C03A65
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C025BD
                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C025DB
                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C025DF
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C025E9
                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C02601
                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C02605
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C0260F
                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C02623
                • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C02627
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                • String ID:
                • API String ID: 2014098862-0
                • Opcode ID: 90e9d906a7c8c3db885e6f31241fda3b494a677b4cc2bb2129d8c28fa34fc7fb
                • Instruction ID: ece1dbab26eeaaaec49efb2728a2e7ef71d93d73df16c9ffcd4624f50f2ef86a
                • Opcode Fuzzy Hash: 90e9d906a7c8c3db885e6f31241fda3b494a677b4cc2bb2129d8c28fa34fc7fb
                • Instruction Fuzzy Hash: 6201D4313A4610BBFB2067699CCEF5D3F59DB4EB12F100001F318BE0D1C9E22444EA69
                APIs
                • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C01449,?,?,00000000), ref: 00C0180C
                • HeapAlloc.KERNEL32(00000000,?,00C01449,?,?,00000000), ref: 00C01813
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C01449,?,?,00000000), ref: 00C01828
                • GetCurrentProcess.KERNEL32(?,00000000,?,00C01449,?,?,00000000), ref: 00C01830
                • DuplicateHandle.KERNEL32(00000000,?,00C01449,?,?,00000000), ref: 00C01833
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C01449,?,?,00000000), ref: 00C01843
                • GetCurrentProcess.KERNEL32(00C01449,00000000,?,00C01449,?,?,00000000), ref: 00C0184B
                • DuplicateHandle.KERNEL32(00000000,?,00C01449,?,?,00000000), ref: 00C0184E
                • CreateThread.KERNEL32(00000000,00000000,00C01874,00000000,00000000,00000000), ref: 00C01868
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                • String ID:
                • API String ID: 1957940570-0
                • Opcode ID: 42d12fce873f850ba7c6289e8bab0207fd5d40662f9f3f3e4efa18769ce79d07
                • Instruction ID: 72f6bdec9f375b66c51fbb3272d5422e9d29d486a310ac1aab4dd2b27ba9100c
                • Opcode Fuzzy Hash: 42d12fce873f850ba7c6289e8bab0207fd5d40662f9f3f3e4efa18769ce79d07
                • Instruction Fuzzy Hash: AF01BBB5250308BFE710ABA5DC8DF6F7BACEB89B11F018411FA05EB1A1CA70D810DB20
                APIs
                  • Part of subcall function 00C0D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C0D501
                  • Part of subcall function 00C0D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C0D50F
                  • Part of subcall function 00C0D4DC: CloseHandle.KERNEL32(00000000), ref: 00C0D5DC
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2A16D
                • GetLastError.KERNEL32 ref: 00C2A180
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2A1B3
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C2A268
                • GetLastError.KERNEL32(00000000), ref: 00C2A273
                • CloseHandle.KERNEL32(00000000), ref: 00C2A2C4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                • String ID: SeDebugPrivilege
                • API String ID: 2533919879-2896544425
                • Opcode ID: 49f22f6100dd80775b82edfdebbb32acaa17270c5f3948aef7e170e73dd5fe79
                • Instruction ID: 1b0dc1764e1c8acc037251bb68776f494cd4069bf3c6a20dd192d499e9f2acce
                • Opcode Fuzzy Hash: 49f22f6100dd80775b82edfdebbb32acaa17270c5f3948aef7e170e73dd5fe79
                • Instruction Fuzzy Hash: BB618070208252EFD710DF19D494F19BBE1AF45318F19849CE46A8BBA3C772ED49CB92
                APIs
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C0BCFD
                • IsMenu.USER32(00000000), ref: 00C0BD1D
                • CreatePopupMenu.USER32 ref: 00C0BD53
                • GetMenuItemCount.USER32(01678AC0), ref: 00C0BDA4
                • InsertMenuItemW.USER32(01678AC0,?,00000001,00000030), ref: 00C0BDCC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Menu$Item$CountCreateInfoInsertPopup
                • String ID: 0$2
                • API String ID: 93392585-3793063076
                • Opcode ID: 40c00c8ec68707233edcfe95bcc7a7d3b267b1282b13287443f4e5fb65edc79c
                • Instruction ID: e5edddcef9b9b26098d7913b86c5cab91f5c7d3654895076842968b391fccd47
                • Opcode Fuzzy Hash: 40c00c8ec68707233edcfe95bcc7a7d3b267b1282b13287443f4e5fb65edc79c
                • Instruction Fuzzy Hash: 57518C70A003069BDB10DFA9D8C8BAEFBF4AF55314F148259E421A72D9D770AE41CB61
                APIs
                • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00BFF3AB,00000000,?,?,00000000,?,00BF682C,00000004,00000000,00000000), ref: 00C3824C
                • EnableWindow.USER32(00000000,00000000), ref: 00C38272
                • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C382D1
                • ShowWindow.USER32(00000000,00000004), ref: 00C382E5
                • EnableWindow.USER32(00000000,00000001), ref: 00C3830B
                • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C3832F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$Show$Enable$MessageSend
                • String ID: @U=u
                • API String ID: 642888154-2594219639
                • Opcode ID: 7d4b484fed8d06b5fa86b997dfa868e05670ab6a02be23357be72fc67dd27e36
                • Instruction ID: d7510663e788f0d3c88ae2393322e976ebb54aaae22ee91d713718eacd5de308
                • Opcode Fuzzy Hash: 7d4b484fed8d06b5fa86b997dfa868e05670ab6a02be23357be72fc67dd27e36
                • Instruction Fuzzy Hash: C7419474611744AFDF11CF15CC99BE97BE0BB0A714F184169FA185B272CB32A949CB50
                APIs
                • IsWindowVisible.USER32(?), ref: 00C04C95
                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C04CB2
                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C04CEA
                • _wcslen.LIBCMT ref: 00C04D08
                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C04D10
                • _wcsstr.LIBVCRUNTIME ref: 00C04D1A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                • String ID: @U=u
                • API String ID: 72514467-2594219639
                • Opcode ID: 2d3df4f3f50a8170ffe20b7b45af52940883fe3e07fbd1eb55ff68dc9569624f
                • Instruction ID: a0631bfa4f559ae8fc48910af0254884d389c2f2401620b56c36be2908333c1d
                • Opcode Fuzzy Hash: 2d3df4f3f50a8170ffe20b7b45af52940883fe3e07fbd1eb55ff68dc9569624f
                • Instruction Fuzzy Hash: 2B21D4B2204201BBEB195B39EC4AF7F7BECDF45750F108069FA05DA191EAA1DD00D7A0
                APIs
                • LoadIconW.USER32(00000000,00007F03), ref: 00C0C913
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: IconLoad
                • String ID: blank$info$question$stop$warning
                • API String ID: 2457776203-404129466
                • Opcode ID: f11daf9fe25d67657320b8f4825a356efb748a9e8e80335aae9715d58a05e6e1
                • Instruction ID: 872879ab4180d8a3c65eeebec9937cfa2c0aacb40b2a0dff6a58136f16b22063
                • Opcode Fuzzy Hash: f11daf9fe25d67657320b8f4825a356efb748a9e8e80335aae9715d58a05e6e1
                • Instruction Fuzzy Hash: B2113A32689306BAE7149B149CC3EAE37DCDF15715F20423EF904A62C2E7B09F009268
                APIs
                • GetClientRect.USER32(?), ref: 00BF7452
                • SendMessageW.USER32(?,00001328,00000000,?), ref: 00BF7469
                • GetWindowDC.USER32(?), ref: 00BF7475
                • GetPixel.GDI32(00000000,?,?), ref: 00BF7484
                • ReleaseDC.USER32(?,00000000), ref: 00BF7496
                • GetSysColor.USER32(00000005), ref: 00BF74B0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ClientColorMessagePixelRectReleaseSendWindow
                • String ID: @U=u
                • API String ID: 272304278-2594219639
                • Opcode ID: 5e32bee735f654ad09df211eb6335d77ce95cd48a572e0c21815edac7c389e5f
                • Instruction ID: 4f6c9aa1bdf2eaab19c99ba33b6420cb25febf3572f637629be4b14b1d3c7ca0
                • Opcode Fuzzy Hash: 5e32bee735f654ad09df211eb6335d77ce95cd48a572e0c21815edac7c389e5f
                • Instruction Fuzzy Hash: FA014B31410619EFEB515F64DC49BBE7BB5FB04311F5501A4FA16A31A1CF311E51AB50
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$LocalTime
                • String ID:
                • API String ID: 952045576-0
                • Opcode ID: 57748cc3be02c37fa48cdd0eef28d6457c7c1fec482ac9dea566125d13a64f03
                • Instruction ID: e74766a4bbe17c79024f64d9dfc7a1eb7de6d35cf1cf71a6b7ffac112478f028
                • Opcode Fuzzy Hash: 57748cc3be02c37fa48cdd0eef28d6457c7c1fec482ac9dea566125d13a64f03
                • Instruction Fuzzy Hash: 45419265C1021875CB11EBF4C88AEDFB7E8AF45710F5088AAE528E3161FB34E755C3A5
                APIs
                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BF682C,00000004,00000000,00000000), ref: 00BBF953
                • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00BF682C,00000004,00000000,00000000), ref: 00BFF3D1
                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BF682C,00000004,00000000,00000000), ref: 00BFF454
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ShowWindow
                • String ID:
                • API String ID: 1268545403-0
                • Opcode ID: 19c3a5131cab2e99045c422cff9c29a376279b03b510501c5e52b09a99f2edbe
                • Instruction ID: c4729fdd6e982c54826d47325259358d8c59b5962af019d005f1069eb194cfcb
                • Opcode Fuzzy Hash: 19c3a5131cab2e99045c422cff9c29a376279b03b510501c5e52b09a99f2edbe
                • Instruction Fuzzy Hash: 1941D131618682BBC7398B298CC87BE7BD2EF56314F1444BCE5C663660C6B2E884DB11
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: 55abef86493cfca93f0e4d0e26990acafdda22f1df15020e786e977237f075ff
                • Instruction ID: 0e0e51fd9415383db205f976afe1ce0d1aab85cbedaf7a5e969b43b3f7a9985e
                • Opcode Fuzzy Hash: 55abef86493cfca93f0e4d0e26990acafdda22f1df15020e786e977237f075ff
                • Instruction Fuzzy Hash: D321DA61A50A09B7D31459159E82FBB339CEF61388F440438FD156A7C2F722EE11CDA9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID: NULL Pointer assignment$Not an Object type
                • API String ID: 0-572801152
                • Opcode ID: b082d32818ef89c311fa28371b1db3b0ab2b1c76bbcd2cb55c76c989023e5b4e
                • Instruction ID: 0e189781317020aa115ecfd1aee7172217ba0e17408f8f714a2675da2399b822
                • Opcode Fuzzy Hash: b082d32818ef89c311fa28371b1db3b0ab2b1c76bbcd2cb55c76c989023e5b4e
                • Instruction Fuzzy Hash: F5D1D271A0062A9FDF10CFA8D880BAEB7B5FF48344F148069E925AB690D770DE41CB90
                APIs
                • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BE15CE
                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE1651
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BE17FB,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE16E4
                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE16FB
                  • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BE17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BE1777
                • __freea.LIBCMT ref: 00BE17A2
                • __freea.LIBCMT ref: 00BE17AE
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                • String ID:
                • API String ID: 2829977744-0
                • Opcode ID: 9798bf93bf42f6c56788802e8f5ae85e24a97d12054abc5b47455e1444fd9114
                • Instruction ID: 884f689c7cfdc4124126ce3f8af008d29f15bd189863d0e9900f84f949d1b2a5
                • Opcode Fuzzy Hash: 9798bf93bf42f6c56788802e8f5ae85e24a97d12054abc5b47455e1444fd9114
                • Instruction Fuzzy Hash: 0D91A4B1E102969EDB208F7AC881EEEBBF5EF59710F284A99E812E7141D735DD40C760
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Variant$ClearInit
                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                • API String ID: 2610073882-625585964
                • Opcode ID: 35c4cf8537fde383896554c4ff671b3811cfa82d5cd11b8bed3f1d139bfda47a
                • Instruction ID: b8148b542e4f29d9486c804ff52910afd6125c426bf15db2828104e75e2f9e98
                • Opcode Fuzzy Hash: 35c4cf8537fde383896554c4ff671b3811cfa82d5cd11b8bed3f1d139bfda47a
                • Instruction Fuzzy Hash: BE918471A00225AFDF24CFA5DC84FAEBBB8EF46B14F108559F525AB280D7709945CFA0
                APIs
                • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C1125C
                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C11284
                • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C112A8
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C112D8
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C1135F
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C113C4
                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C11430
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ArraySafe$Data$Access$UnaccessVartype
                • String ID:
                • API String ID: 2550207440-0
                • Opcode ID: 4ae4035a597283cac4d51765e5c732b95a3cc69b9514c14d3c0a45d2651ca780
                • Instruction ID: 4179aa64dee31607349ad856738b32bf37165cd2b4fcd80a86ada50d9c580290
                • Opcode Fuzzy Hash: 4ae4035a597283cac4d51765e5c732b95a3cc69b9514c14d3c0a45d2651ca780
                • Instruction Fuzzy Hash: 22910471A00219AFDB00DF94D884BFEB7F5FF46710F184029EA11E7291D778A981EB90
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ObjectSelect$BeginCreatePath
                • String ID:
                • API String ID: 3225163088-0
                • Opcode ID: e39fa1d429353ec9bd56f9239a445be87904d2ba1ee7880564496036af4306fa
                • Instruction ID: 62d23c735b8524f03e68e08c489dd3de0b250face4f6c49e79fd8396272832c6
                • Opcode Fuzzy Hash: e39fa1d429353ec9bd56f9239a445be87904d2ba1ee7880564496036af4306fa
                • Instruction Fuzzy Hash: 6F911571D40219EFCB14CFA9CC84AEEBBB8FF49320F148595E615B7251D7B4AA42CB60
                APIs
                • VariantInit.OLEAUT32(?), ref: 00C2396B
                • CharUpperBuffW.USER32(?,?), ref: 00C23A7A
                • _wcslen.LIBCMT ref: 00C23A8A
                • VariantClear.OLEAUT32(?), ref: 00C23C1F
                  • Part of subcall function 00C10CDF: VariantInit.OLEAUT32(00000000), ref: 00C10D1F
                  • Part of subcall function 00C10CDF: VariantCopy.OLEAUT32(?,?), ref: 00C10D28
                  • Part of subcall function 00C10CDF: VariantClear.OLEAUT32(?), ref: 00C10D34
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                • API String ID: 4137639002-1221869570
                • Opcode ID: 42b75fc36f155ba0c5bab75c883a28604d8c5464bb73bf715877f5eeaec6e54d
                • Instruction ID: fcabe4da6b58b6d1507983a4e233095037774fc98c98a31c83e3f65fa4de9a62
                • Opcode Fuzzy Hash: 42b75fc36f155ba0c5bab75c883a28604d8c5464bb73bf715877f5eeaec6e54d
                • Instruction Fuzzy Hash: 3091A874A083519FC700EF28C48096AB7E4FF89714F04896EF89A9B351DB34EE45CB92
                APIs
                  • Part of subcall function 00C0000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?,?,00C0035E), ref: 00C0002B
                  • Part of subcall function 00C0000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00046
                  • Part of subcall function 00C0000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00054
                  • Part of subcall function 00C0000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?), ref: 00C00064
                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C24C51
                • _wcslen.LIBCMT ref: 00C24D59
                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C24DCF
                • CoTaskMemFree.OLE32(?), ref: 00C24DDA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                • String ID: NULL Pointer assignment
                • API String ID: 614568839-2785691316
                • Opcode ID: 7d0e4baa42b11d25ea57c6675669e7208c62b029fabf3d98a2ee55b1506ccd2b
                • Instruction ID: 9a60d1484e589c82f320a290da3187752ec272ac3137ae5538000d29b474bbcb
                • Opcode Fuzzy Hash: 7d0e4baa42b11d25ea57c6675669e7208c62b029fabf3d98a2ee55b1506ccd2b
                • Instruction Fuzzy Hash: 30912671D00229AFDF14DFA4D891AEEB7B8BF08304F108569E915A7291DB749A44CFA0
                APIs
                • GetMenu.USER32(?), ref: 00C32183
                • GetMenuItemCount.USER32(00000000), ref: 00C321B5
                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C321DD
                • _wcslen.LIBCMT ref: 00C32213
                • GetMenuItemID.USER32(?,?), ref: 00C3224D
                • GetSubMenu.USER32(?,?), ref: 00C3225B
                  • Part of subcall function 00C03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C03A57
                  • Part of subcall function 00C03A3D: GetCurrentThreadId.KERNEL32 ref: 00C03A5E
                  • Part of subcall function 00C03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C025B3), ref: 00C03A65
                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C322E3
                  • Part of subcall function 00C0E97B: Sleep.KERNEL32 ref: 00C0E9F3
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                • String ID:
                • API String ID: 4196846111-0
                • Opcode ID: 58d91b0fd5df2355c2e39d89e9926c460c426caf4e5469100759f5cbf8bab70d
                • Instruction ID: e34065f48aca57e778595f211cfbf21ac9f6ae9e3713d95bf07cd46a011a964b
                • Opcode Fuzzy Hash: 58d91b0fd5df2355c2e39d89e9926c460c426caf4e5469100759f5cbf8bab70d
                • Instruction Fuzzy Hash: F7718F75A10205AFCF10EF65C885AAEB7F5EF48320F148499E826EB351DB35EE419F90
                APIs
                • GetParent.USER32(?), ref: 00C0AEF9
                • GetKeyboardState.USER32(?), ref: 00C0AF0E
                • SetKeyboardState.USER32(?), ref: 00C0AF6F
                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C0AF9D
                • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C0AFBC
                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C0AFFD
                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C0B020
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: ac79afc7cc43de43786b0cbf117797be81701ebdc91e0cf13c947173cf5abf48
                • Instruction ID: b8ec5d739811dc8055c08656f38617b21061b43704c18e89b1168cd593e8a618
                • Opcode Fuzzy Hash: ac79afc7cc43de43786b0cbf117797be81701ebdc91e0cf13c947173cf5abf48
                • Instruction Fuzzy Hash: 1351B3E06147D63DFB368374CC45BBA7EA95B06304F088589F1E9954C2C398AED4D751
                APIs
                • GetParent.USER32(00000000), ref: 00C0AD19
                • GetKeyboardState.USER32(?), ref: 00C0AD2E
                • SetKeyboardState.USER32(?), ref: 00C0AD8F
                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C0ADBB
                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C0ADD8
                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C0AE17
                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C0AE38
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: 056347c09957cfb57e98c8570ad531ac4b95e8a4116299a6230c314ec9d1694b
                • Instruction ID: 07e637615d420927c51a212f172b6e0e138876feb67c32d5cb36adf9bc7a18c7
                • Opcode Fuzzy Hash: 056347c09957cfb57e98c8570ad531ac4b95e8a4116299a6230c314ec9d1694b
                • Instruction Fuzzy Hash: 7F51F5A15087D53DFB378334CC95BBABEA85B46300F088489E1F5568C3D294EE98E762
                APIs
                • GetConsoleCP.KERNEL32(00BE3CD6,?,?,?,?,?,?,?,?,00BD5BA3,?,?,00BE3CD6,?,?), ref: 00BD5470
                • __fassign.LIBCMT ref: 00BD54EB
                • __fassign.LIBCMT ref: 00BD5506
                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BE3CD6,00000005,00000000,00000000), ref: 00BD552C
                • WriteFile.KERNEL32(?,00BE3CD6,00000000,00BD5BA3,00000000,?,?,?,?,?,?,?,?,?,00BD5BA3,?), ref: 00BD554B
                • WriteFile.KERNEL32(?,?,00000001,00BD5BA3,00000000,?,?,?,?,?,?,?,?,?,00BD5BA3,?), ref: 00BD5584
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                 • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: abcaa10018421ada28d69f3e35505c642540ef47fe17bf70c30993c7e05258ab
                • Instruction ID: 4ccc948a2ac78f6c59ba463e308bcf961e14d2cdffd417775d8d04c03c7e48b7
                • Opcode Fuzzy Hash: abcaa10018421ada28d69f3e35505c642540ef47fe17bf70c30993c7e05258ab
                • Instruction Fuzzy Hash: 0551C2749006499FDB21CFA8D881BEEFBF9EF18300F14415BE555E7391E6309A41CB60
                APIs
                • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00C36C33
                • SetWindowLongW.USER32(?,000000EC,?), ref: 00C36C4A
                • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C36C73
                • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C1AB79,00000000,00000000), ref: 00C36C98
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C36CC7
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$Long$MessageSendShow
                • String ID: @U=u
                • API String ID: 3688381893-2594219639
                • Opcode ID: fe743b21fa6228a5191cf3c5af8aaea981353c5034a71f52ec51b93bd6e46323
                • Instruction ID: d29d0175dcbba94f2fcffd60ce5d4dec0e581a295c721dae83350f637d0a5083
                • Opcode Fuzzy Hash: fe743b21fa6228a5191cf3c5af8aaea981353c5034a71f52ec51b93bd6e46323
                • Instruction Fuzzy Hash: 98410A35624104BFDB24CF38DC95FA9BBA4EB09350F149224FCA5A72E0C371EE41DA50
                APIs
                • _ValidateLocalCookies.LIBCMT ref: 00BC2D4B
                • ___except_validate_context_record.LIBVCRUNTIME ref: 00BC2D53
                • _ValidateLocalCookies.LIBCMT ref: 00BC2DE1
                • __IsNonwritableInCurrentImage.LIBCMT ref: 00BC2E0C
                • _ValidateLocalCookies.LIBCMT ref: 00BC2E61
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                • String ID: csm
                • API String ID: 1170836740-1018135373
                • Opcode ID: ba50ba4cce7e56378d4e7369d493abf8354407a802800d86170cf6e25ad10f55
                • Instruction ID: f52b273df9e2acf505804c6209f24529f4e5c1611d653f36f83759c0509e1e7b
                • Opcode Fuzzy Hash: ba50ba4cce7e56378d4e7369d493abf8354407a802800d86170cf6e25ad10f55
                • Instruction Fuzzy Hash: F4418334A00209ABCF10DF68C885F9EBBF5FF55324F1481A9E915AB392D7319A15CBD1
                APIs
                  • Part of subcall function 00C2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
                  • Part of subcall function 00C2304E: _wcslen.LIBCMT ref: 00C2309B
                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C21112 (arguments 2, 1, 6 are AF_INET, SOCK_STREAM, IPPROTO_TCP: a plain TCP socket)
                • WSAGetLastError.WSOCK32 ref: 00C21121
                • WSAGetLastError.WSOCK32 ref: 00C211C9
                • closesocket.WSOCK32(00000000), ref: 00C211F9
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                • String ID:
                • API String ID: 2675159561-0
                • Opcode ID: ed92e9bf72093cbead237c94341f07b6bf6fdbfceb75016cdd299710d13c89a9
                • Instruction ID: 2f9dd9b1200aba4491b78a510259f9bb4d02dfdaaf36b1b35eed8ce29055ba87
                • Opcode Fuzzy Hash: ed92e9bf72093cbead237c94341f07b6bf6fdbfceb75016cdd299710d13c89a9
                • Instruction Fuzzy Hash: CB41F631600214AFDB109F24D885BAEBBE9FF55324F188059FD15AB292C774EE45CBE1
                APIs
                  • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C0CF22,?), ref: 00C0DDFD
                  • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C0CF22,?), ref: 00C0DE16
                • lstrcmpiW.KERNEL32(?,?), ref: 00C0CF45
                • MoveFileW.KERNEL32(?,?), ref: 00C0CF7F
                • _wcslen.LIBCMT ref: 00C0D005
                • _wcslen.LIBCMT ref: 00C0D01B
                • SHFileOperationW.SHELL32(?), ref: 00C0D061
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                • String ID: \*.*
                • API String ID: 3164238972-1173974218
                • Opcode ID: d6268d5cc2268f32139aa8a3f9215b365e300f2d97708292cfc4348ae68fe2f3
                • Instruction ID: c0dc893c3ae368f78847436c9c738578bf6e83e16137ccb8cc12c7ad33939441
                • Opcode Fuzzy Hash: d6268d5cc2268f32139aa8a3f9215b365e300f2d97708292cfc4348ae68fe2f3
                • Instruction Fuzzy Hash: 0C4135B19452195EDF12EBA4D9C1FDEB7F9AF48380F1000E6E505EB182EB34A784DB51
                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C07769
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C0778F
                • SysAllocString.OLEAUT32(00000000), ref: 00C07792
                • SysAllocString.OLEAUT32(?), ref: 00C077B0
                • SysFreeString.OLEAUT32(?), ref: 00C077B9
                • StringFromGUID2.OLE32(?,?,00000028), ref: 00C077DE
                • SysAllocString.OLEAUT32(?), ref: 00C077EC
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                • String ID:
                • API String ID: 3761583154-0
                • Opcode ID: 25cd483e9062925ff902db584b50d2d4d71ca81707d94e17dee576cde90d2b63
                • Instruction ID: 8199827e888421cfbbdcfd2fc5d3970d44f1149c83da1c65fbf11d1c9f4fc373
                • Opcode Fuzzy Hash: 25cd483e9062925ff902db584b50d2d4d71ca81707d94e17dee576cde90d2b63
                • Instruction Fuzzy Hash: 7421AE76A04219AFDB15DFACCC88EBF73ACEB093A4B008125BA14DB190D670ED41C760
                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C07842
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C07868
                • SysAllocString.OLEAUT32(00000000), ref: 00C0786B
                • SysAllocString.OLEAUT32 ref: 00C0788C
                • SysFreeString.OLEAUT32 ref: 00C07895
                • StringFromGUID2.OLE32(?,?,00000028), ref: 00C078AF
                • SysAllocString.OLEAUT32(?), ref: 00C078BD
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                • String ID:
                • API String ID: 3761583154-0
                • Opcode ID: e3fd2e0cc0cd7b82fb10304949ef4a656cc9c2a3f02ed1b175bebaa6706f6319
                • Instruction ID: aa6755d6097050df353d4b6701c2d92bf05519e9c5302b28a692278ddb49ea9c
                • Opcode Fuzzy Hash: e3fd2e0cc0cd7b82fb10304949ef4a656cc9c2a3f02ed1b175bebaa6706f6319
                • Instruction Fuzzy Hash: A1216531A04104AFDB149FA8DC88EBE77ECEB097607108225F915EB1E1D674ED41CB64
                APIs
                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C35745
                • SendMessageW.USER32(?,00001074,?,00000001), ref: 00C3579D
                • _wcslen.LIBCMT ref: 00C357AF
                • _wcslen.LIBCMT ref: 00C357BA
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C35816
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$_wcslen
                • String ID: @U=u
                • API String ID: 763830540-2594219639
                • Opcode ID: 616cf8251dba92bae86e24b47501a4b3834e3f5340f280b4d31718363ecf42fa
                • Instruction ID: 784cf78b486569f930907c4177b2994d61c09e912a0b424644070fcbcbbf6272
                • Opcode Fuzzy Hash: 616cf8251dba92bae86e24b47501a4b3834e3f5340f280b4d31718363ecf42fa
                • Instruction Fuzzy Hash: 082180759246189ADB209FA5CC85BEE7BB8FF05724F108256F929EA1C0D7708A85CF50
                APIs
                • GetStdHandle.KERNEL32(0000000C), ref: 00C104F2
                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C1052E
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CreateHandlePipe
                • String ID: nul
                • API String ID: 1424370930-2873401336
                • Opcode ID: 00e737a86ef3255bfa1b63a1f16acaf8cc602b40cff4eb1941ea3f5293785b09
                • Instruction ID: 80a5222020c3133c1601a7292bfcd3f0dcbdb77f9abc480eb8e0bcba8ff9a4d1
                • Opcode Fuzzy Hash: 00e737a86ef3255bfa1b63a1f16acaf8cc602b40cff4eb1941ea3f5293785b09
                • Instruction Fuzzy Hash: 4D218D71500305ABDB209F69DC44BDE7BA5AF46724F304A19F8B1E62E0D7B09AD0EF24
                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 00C105C6
                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C10601
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CreateHandlePipe
                • String ID: nul
                • API String ID: 1424370930-2873401336
                • Opcode ID: e86bf891cc2fbb7b903a70398f282b77fa131878860eb4785c3b231910bc6ed6
                • Instruction ID: d7539e10c1fd4fdf51b144be98a7c6b429aba0e8b2936a8e3195187c000a1c45
                • Opcode Fuzzy Hash: e86bf891cc2fbb7b903a70398f282b77fa131878860eb4785c3b231910bc6ed6
                • Instruction Fuzzy Hash: 7E216D755002059BDB209F698844ADAB7A4AF96721F300A19FCB1E72E0D7F099E1EB20
                APIs
                  • Part of subcall function 00BA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BA604C
                  • Part of subcall function 00BA600E: GetStockObject.GDI32(00000011), ref: 00BA6060
                  • Part of subcall function 00BA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA606A
                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C34112
                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C3411F
                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C3412A
                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C34139
                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C34145
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$CreateObjectStockWindow
                • String ID: Msctls_Progress32
                • API String ID: 1025951953-3636473452
                • Opcode ID: 21143cdfa200dde0b6ac16cd40e83e45187e1c37a54340424064f473734ee2cf
                • Instruction ID: 5ae09410ef85ca364b13b2fcf030644da3ab5280a34847754e05563a19f9407a
                • Opcode Fuzzy Hash: 21143cdfa200dde0b6ac16cd40e83e45187e1c37a54340424064f473734ee2cf
                • Instruction Fuzzy Hash: F31186B21502197EEF219F64CC86EEB7F6DEF09798F014111FA18A6150C6729C61DBA4
                APIs
                  • Part of subcall function 00BDD7A3: _free.LIBCMT ref: 00BDD7CC
                • _free.LIBCMT ref: 00BDD82D
                  • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                  • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                • _free.LIBCMT ref: 00BDD838
                • _free.LIBCMT ref: 00BDD843
                • _free.LIBCMT ref: 00BDD897
                • _free.LIBCMT ref: 00BDD8A2
                • _free.LIBCMT ref: 00BDD8AD
                • _free.LIBCMT ref: 00BDD8B8
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                • Instruction ID: 7926a27bced7d7195f17d718900636a4fcc0fe919417e64c5f9b7be8ba976f39
                • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                • Instruction Fuzzy Hash: 30115E71540B44AAD621BFB0CC47FCBFBDCAF10700F4008A6B2DDA6392EA69B9059664
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C0DA74
                • LoadStringW.USER32(00000000), ref: 00C0DA7B
                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C0DA91
                • LoadStringW.USER32(00000000), ref: 00C0DA98
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C0DADC (uType 0x11010 = MB_OK | MB_ICONERROR | MB_SYSTEMMODAL | MB_SETFOREGROUND)
                Strings
                • %s (%d) : ==> %s: %s %s, xrefs: 00C0DAB9
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message
                • String ID: %s (%d) : ==> %s: %s %s
                • API String ID: 4072794657-3128320259
                • Opcode ID: 9824ee5a4b8d64f63f5d35f4141c42be7d8af0079147c7124b7960f44fda7137
                • Instruction ID: 5f401959d2b8c87e6442253851494ce23eb4e99d25b784e7c98cc4332fdf4d06
                • Opcode Fuzzy Hash: 9824ee5a4b8d64f63f5d35f4141c42be7d8af0079147c7124b7960f44fda7137
                • Instruction Fuzzy Hash: AA0162F25102087FEB109BA09DC9FEF326CE708701F400495B706F2081EA749E848F74
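                The "%s (%d) : ==> %s: %s %s" string in the block above has the layout of the AutoIt3 runtime error dialog (file (line) : ==> message, offending line, marker), which is why it is a useful static indicator for the "compiled AutoIt" verdict in this report. The script below is an added example, not code from the report or from Joe Sandbox: it scans a file image for that format string in both ASCII and UTF-16LE (the function that uses it calls LoadStringW and MessageBoxW, so the wide form is the one to expect) and reports byte offsets. The report shows the string with whitespace collapsed, so the separators are matched as whitespace runs. The "AU3!EA06" magic is assumed from AutoIt3's compiled-script format and is not shown on this page; the sample buffer is constructed.

                ```python
                import re

                # Format string from the report's Strings entry. The report collapses whitespace, so the
                # separators between the three trailing fields are matched as runs of space/tab/CR/LF.
                _FMT_PIECES = ["%s (%d) : ==> %s:", "%s", "%s"]
                _WS = {"ascii": rb"[\x09\x0a\x0d\x20]+", "utf-16-le": rb"(?:[\x09\x0a\x0d\x20]\x00)+"}

                # Assumed (not shown on this page): the magic that prefixes the compiled-script blob in
                # AutoIt3 executables. Used as a second, independent indicator.
                AU3_MAGIC = b"AU3!EA06"


                def _pattern(encoding):
                    """Byte regex for the format string in one encoding (no decoding, so offsets are exact)."""
                    return re.compile(_WS[encoding].join(re.escape(p.encode(encoding)) for p in _FMT_PIECES))


                PATTERNS = {enc: _pattern(enc) for enc in _WS}


                def find_autoit_error_fmt(data):
                    """Return [(encoding, byte_offset), ...] for every occurrence, sorted by offset."""
                    hits = []
                    for enc, pat in PATTERNS.items():
                        hits.extend((enc, m.start()) for m in pat.finditer(data))
                    return sorted(hits, key=lambda h: h[1])


                def autoit_indicators(data):
                    """Heuristic verdict: either indicator alone is enough to flag the image for a closer look."""
                    fmt_hits = find_autoit_error_fmt(data)
                    magic = [m.start() for m in re.finditer(re.escape(AU3_MAGIC), data)]
                    return {
                        "error_format_string": fmt_hits,
                        "au3_magic_offsets": magic,
                        "likely_compiled_autoit": bool(fmt_hits) or bool(magic),
                    }


                # Constructed sample image: junk, the format string as UTF-16LE (what a LoadStringW/
                # MessageBoxW caller carries), padding, then the assumed magic.
                SAMPLE = (b"\x90" * 100
                          + "%s (%d) : ==> %s:\n%s\n%s".encode("utf-16-le")
                          + b"\x00" * 40
                          + AU3_MAGIC + b"\x00" * 16)

                if __name__ == "__main__":
                    import sys
                    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
                    print(autoit_indicators(blob))
                ```

                Run it against a dumped image (for example the 00BA0000 dump listed under Memory Dump Source) rather than only the packed file on disk; the string is only guaranteed to be visible in whichever image carries the unpacked AutoIt runtime.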
                APIs
                • InterlockedExchange.KERNEL32(01671AD8,01671AD8), ref: 00C1097B
                • EnterCriticalSection.KERNEL32(01671AB8,00000000), ref: 00C1098D
                • TerminateThread.KERNEL32(00C74528,000001F6), ref: 00C1099B
                • WaitForSingleObject.KERNEL32(00C74528,000003E8), ref: 00C109A9
                • CloseHandle.KERNEL32(00C74528), ref: 00C109B8
                • InterlockedExchange.KERNEL32(01671AD8,000001F6), ref: 00C109C8
                • LeaveCriticalSection.KERNEL32(01671AB8), ref: 00C109CF
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                • String ID:
                • API String ID: 3495660284-0
                • Opcode ID: f1337b27275384198cef7c1f2ebc19f77de35ab3648c5044725832cf83906070
                • Instruction ID: 8afe808afceb5fc8e97a58358b9cf6618e67e52ea690b9427150090edf106fad
                • Opcode Fuzzy Hash: f1337b27275384198cef7c1f2ebc19f77de35ab3648c5044725832cf83906070
                • Instruction Fuzzy Hash: 78F0C932452A12ABD7515BA4EEC9BDEBA29BF05702F502025F202A08A1C7B595B5DF90
                APIs
                • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C21DC0
                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C21DE1 (ordinal 17 of wsock32.dll is recvfrom; the final argument 0x10 is the 16-byte sockaddr_in length, consistent with the inet_ntoa/htons calls that follow)
                • WSAGetLastError.WSOCK32 ref: 00C21DF2
                • htons.WSOCK32(?,?,?,?,?), ref: 00C21EDB
                • inet_ntoa.WSOCK32(?), ref: 00C21E8C
                  • Part of subcall function 00C039E8: _strlen.LIBCMT ref: 00C039F2
                  • Part of subcall function 00C23224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C1EC0C), ref: 00C23240
                • _strlen.LIBCMT ref: 00C21F35
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                • String ID:
                • API String ID: 3203458085-0
                • Opcode ID: a60a126a3f852712d659047df24bcaea8fb1d42e5a2c7a4ce7dec03cd84e934c
                • Instruction ID: 89d76e8cc108dae3dc609191fb020453465c850eeb64555ae8f29a55fac8fa54
                • Opcode Fuzzy Hash: a60a126a3f852712d659047df24bcaea8fb1d42e5a2c7a4ce7dec03cd84e934c
                • Instruction Fuzzy Hash: A3B12230204350AFC320DF24D891F2A7BE5AF95318F58859CF8665B6E2CB71EE42CB91
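                The two WinSock blocks above (the socket/WSAGetLastError/closesocket function and the __WSAFDIsSet/#17/inet_ntoa function) are easier to read once the raw stack values are decoded. The following is an added example, not code from the report or from Joe Sandbox, that parses lines in the report's own "APIs" format, resolves the wsock32 ordinal import and names the socket() constants, so that an API sequence can be lifted out of a report into detection notes without hand-decoding. The ordinal table and the WinSock constant values are assumed from the Windows SDK and the wsock32.dll export table, not taken from this page; the sample lines are copied from the blocks above.

                ```python
                import re

                # One "APIs" line as printed in the report:
                #   [Part of subcall function XXXXXXXX: ]NAME.MODULE[(args)], ref: XXXXXXXX
                _API_LINE = re.compile(
                    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
                    r"(?P<name>\S+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
                )

                # Assumed: wsock32.dll export ordinals 1-23 (the classic BSD socket set), used to resolve
                # imports the report can only show as "#N".
                WSOCK32_ORDINALS = {
                    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 5: "getpeername",
                    6: "getsockname", 7: "getsockopt", 8: "htonl", 9: "htons", 10: "inet_addr",
                    11: "inet_ntoa", 12: "ioctlsocket", 13: "listen", 14: "ntohl", 15: "ntohs",
                    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
                    21: "setsockopt", 22: "shutdown", 23: "socket",
                }

                # Assumed WinSock constants for decoding socket(af, type, protocol).
                AF = {2: "AF_INET", 23: "AF_INET6"}
                SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
                IPPROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


                def parse_api_line(line):
                    """Parse one report line into a dict, or None if it is not an API line."""
                    m = _API_LINE.match(line)
                    if not m:
                        return None
                    args = []
                    if m.group("args"):
                        for a in m.group("args").split(","):
                            a = a.strip()
                            args.append(None if a == "?" else int(a, 16))  # "?" means the value was not recovered
                    name, module = m.group("name"), m.group("module")
                    if name.startswith("#") and module == "WSOCK32":
                        name = WSOCK32_ORDINALS.get(int(name[1:]), name)
                    return {"name": name, "module": module, "args": args,
                            "ref": m.group("ref"), "caller": m.group("caller")}


                def describe(call):
                    """Human-readable rendering; socket() arguments are decoded to their WinSock names."""
                    name, args = call["name"], call["args"]
                    if name == "socket" and len(args) >= 3:
                        fam, typ, proto = args[:3]
                        return "socket(%s, %s, %s) @ %s" % (AF.get(fam, fam), SOCK_TYPE.get(typ, typ),
                                                             IPPROTO.get(proto, proto), call["ref"])
                    rendered = ", ".join("?" if a is None else "0x%X" % a for a in args)
                    return "%s(%s) @ %s" % (name, rendered, call["ref"])


                def api_sequence(lines):
                    """Decode a list of report lines, skipping anything that is not an API line."""
                    return [describe(c) for c in map(parse_api_line, lines) if c]


                # Lines copied from the two WinSock blocks of the report (constructed input for the parser).
                SAMPLE_LINES = [
                    "• Part of subcall function 00C2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A",
                    "• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C21112",
                    "• WSAGetLastError.WSOCK32 ref: 00C21121",
                    "• closesocket.WSOCK32(00000000), ref: 00C211F9",
                    "• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C21DE1",
                    "• inet_ntoa.WSOCK32(?), ref: 00C21E8C",
                ]

                if __name__ == "__main__":
                    for entry in api_sequence(SAMPLE_LINES):
                        print(entry)
                ```

                The argument values in these report lines are recovered heuristically from the stack at the call site, so treat decoded constants as a reading aid rather than ground truth; the "?" placeholders are kept as None for that reason.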
                APIs
                • __allrem.LIBCMT ref: 00BD00BA
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD00D6
                • __allrem.LIBCMT ref: 00BD00ED
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD010B
                • __allrem.LIBCMT ref: 00BD0122
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD0140
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                • String ID:
                • API String ID: 1992179935-0
                • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                • Instruction ID: 7445de534b29746397984d78874ca47e2df0853635a1563f4b2202651caffbb0
                • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                • Instruction Fuzzy Hash: 2381D072A01706ABE720AB29CC81B6AB3E9EF41364F2445BFF551D6381F770D9008B94
                APIs
                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BC82D9,00BC82D9,?,?,?,00BD644F,00000001,00000001,8BE85006), ref: 00BD6258
                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BD644F,00000001,00000001,8BE85006,?,?,?), ref: 00BD62DE
                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BD63D8
                • __freea.LIBCMT ref: 00BD63E5
                  • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                • __freea.LIBCMT ref: 00BD63EE
                • __freea.LIBCMT ref: 00BD6413
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ByteCharMultiWide__freea$AllocateHeap
                • String ID:
                • API String ID: 1414292761-0
                • Opcode ID: 576dc3a376d2d6c43b3ba8440174bea339e3638d4eea3143cb50f4aafea5b679
                • Instruction ID: 02be3f281eb55d4ce54846e5576871e998d23ef11b2ef2c7634a17ac24a465c1
                • Opcode Fuzzy Hash: 576dc3a376d2d6c43b3ba8440174bea339e3638d4eea3143cb50f4aafea5b679
                • Instruction Fuzzy Hash: 5F51D172A00216ABDB258F68DC81FAFB7E9EB44720F1546AAFC05D6241FB34DC44D664
                APIs
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                  • Part of subcall function 00C2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C2B6AE,?,?), ref: 00C2C9B5
                  • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2C9F1
                  • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA68
                  • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA9E
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2BCCA
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C2BD25
                • RegCloseKey.ADVAPI32(00000000), ref: 00C2BD6A
                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C2BD99
                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C2BDF3
                • RegCloseKey.ADVAPI32(?), ref: 00C2BDFF
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                • String ID:
                • API String ID: 1120388591-0
                • Opcode ID: ba31154d6965b7806e3985139a60fc802c29eeed08d564edfe012e7c3c3de3d5
                • Instruction ID: c8247f49a803db49b862570ee154672b50de995124306f4018313872eb83f2e6
                • Opcode Fuzzy Hash: ba31154d6965b7806e3985139a60fc802c29eeed08d564edfe012e7c3c3de3d5
                • Instruction Fuzzy Hash: D081B030218241EFC714DF24D891E6ABBE5FF85308F14899CF5594B2A2DB31EE45CB92
                APIs
                • VariantInit.OLEAUT32(00000035), ref: 00BFF7B9
                • SysAllocString.OLEAUT32(00000001), ref: 00BFF860
                • VariantCopy.OLEAUT32(00BFFA64,00000000), ref: 00BFF889
                • VariantClear.OLEAUT32(00BFFA64), ref: 00BFF8AD
                • VariantCopy.OLEAUT32(00BFFA64,00000000), ref: 00BFF8B1
                • VariantClear.OLEAUT32(?), ref: 00BFF8BB
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Variant$ClearCopy$AllocInitString
                • String ID:
                • API String ID: 3859894641-0
                • Opcode ID: e62f976cd73bc7177a7748109dd60fde8753d114b3474548df73c11744eb6e63
                • Instruction ID: 6659c791250a91002e8579863b32eb7d8e9d51f60ae42231870b07fa912ca7ca
                • Opcode Fuzzy Hash: e62f976cd73bc7177a7748109dd60fde8753d114b3474548df73c11744eb6e63
                • Instruction Fuzzy Hash: 6E51D43551031AFACF20AB65D8D5B39B3E4EF45310B2494E6EA05DF292DBB0CC44D796
                APIs
                  • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                • GetOpenFileNameW.COMDLG32(00000058), ref: 00C194E5
                • _wcslen.LIBCMT ref: 00C19506
                • _wcslen.LIBCMT ref: 00C1952D
                • GetSaveFileNameW.COMDLG32(00000058), ref: 00C19585
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$FileName$OpenSave
                • String ID: X
                • API String ID: 83654149-3081909835
                • Opcode ID: 9b433da8afbd0cc85132e65da2064f28b6dc3174fe629debbe27ce629f129d3a
                • Instruction ID: 041d51319bd8a594112c156c2dfa2bcf61ed9879cc68e0387f9945c7a7de9703
                • Opcode Fuzzy Hash: 9b433da8afbd0cc85132e65da2064f28b6dc3174fe629debbe27ce629f129d3a
                • Instruction Fuzzy Hash: B7E192715083108FD724DF24C891AAEB7E5FF86314F0485ADF8999B2A2DB31DE45CB92
                APIs
                  • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                • BeginPaint.USER32(?,?,?), ref: 00BB9241
                • GetWindowRect.USER32(?,?), ref: 00BB92A5
                • ScreenToClient.USER32(?,?), ref: 00BB92C2
                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BB92D3
                • EndPaint.USER32(?,?,?,?,?), ref: 00BB9321
                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BF71EA
                  • Part of subcall function 00BB9339: BeginPath.GDI32(00000000), ref: 00BB9357
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                • String ID:
                • API String ID: 3050599898-0
                • Opcode ID: 3dab923683e9db404ac867b82830ee534135b04785636856848a996981f29fa7
                • Instruction ID: 131f70406b226c8caf4c6da042ac13987e2137b4c9b279bb18e3e1327b8553da
                • Opcode Fuzzy Hash: 3dab923683e9db404ac867b82830ee534135b04785636856848a996981f29fa7
                • Instruction Fuzzy Hash: 9D41AC71104200AFD721DF28DCC5FBA7BF8EF45720F1402A9FAA4972A2C7719949DB61
                APIs
                • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C1080C
                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C10847
                • EnterCriticalSection.KERNEL32(?), ref: 00C10863
                • LeaveCriticalSection.KERNEL32(?), ref: 00C108DC
                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C108F3
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C10921
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                • String ID:
                • API String ID: 3368777196-0
                • Opcode ID: 2110dcc847f279fecc4a36d20f468818bd01f13776df2810a1863ded1d1da78a
                • Instruction ID: f47aeb29e9666f01802f52663055f456494e8b19b7dbe97470ce58846415d653
                • Opcode Fuzzy Hash: 2110dcc847f279fecc4a36d20f468818bd01f13776df2810a1863ded1d1da78a
                • Instruction Fuzzy Hash: 75415971900205EBEF14AF64DC85BAE77B9FF05310F1440A9E900AA297D7B1DEA5DBA0
                APIs
                  • Part of subcall function 00BA3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BA3A97,?,?,00BA2E7F,?,?,?,00000000), ref: 00BA3AC2
                • _wcslen.LIBCMT ref: 00C1587B
                • CoInitialize.OLE32(00000000), ref: 00C15995
                • CoCreateInstance.OLE32(00C3FCF8,00000000,00000001,00C3FB68,?), ref: 00C159AE
                • CoUninitialize.OLE32 ref: 00C159CC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 3172280962-24824748
                • Opcode ID: 3265ba934df7b5e1d94f3f3676ed0abea7eb05a9fcbde019042dde7d17c4b42f
                • Instruction ID: d2197e7853357974e569828a895655b87ebe712260747402a2ea5909762bc18c
                • Opcode Fuzzy Hash: 3265ba934df7b5e1d94f3f3676ed0abea7eb05a9fcbde019042dde7d17c4b42f
                • Instruction Fuzzy Hash: 35D16570608701DFC714DF14C490A6ABBE1EF8A710F14889DF8999B361DB31ED86DB92
                APIs
                  • Part of subcall function 00C00FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C00FCA
                  • Part of subcall function 00C00FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C00FD6
                  • Part of subcall function 00C00FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C00FE5
                  • Part of subcall function 00C00FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C00FEC
                  • Part of subcall function 00C00FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C01002
                • GetLengthSid.ADVAPI32(?,00000000,00C01335), ref: 00C017AE
                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C017BA
                • HeapAlloc.KERNEL32(00000000), ref: 00C017C1
                • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C017DA
                • GetProcessHeap.KERNEL32(00000000,00000000,00C01335), ref: 00C017EE
                • HeapFree.KERNEL32(00000000), ref: 00C017F5
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                • String ID:
                • API String ID: 3008561057-0
                • Opcode ID: 42954c2818b84f0616da564492a4a7aada5c3d5b88e9f4e6cbdafb41913a9ca5
                • Instruction ID: a93a557f57de4dd6b0839eb7d7f8c66d7195852ab78f95919a01efac88b3f010
                • Opcode Fuzzy Hash: 42954c2818b84f0616da564492a4a7aada5c3d5b88e9f4e6cbdafb41913a9ca5
                • Instruction Fuzzy Hash: 7B119032510205FFDB149FA8CC89BAFBBF9EF45355F184018F891A7290D735AA44DB60
                APIs
                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C014FF
                • OpenProcessToken.ADVAPI32(00000000), ref: 00C01506
                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C01515
                • CloseHandle.KERNEL32(00000004), ref: 00C01520
                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C0154F
                • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C01563
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                • String ID:
                • API String ID: 1413079979-0
                • Opcode ID: bba8041bffcd65c8bbcf43746f96a9c252542708374ef415d49568f506fd822b
                • Instruction ID: 8bad31ddd1d92d91bb44650f1a39495cc2b77257e06c788cdf4280c19d8aa7c2
                • Opcode Fuzzy Hash: bba8041bffcd65c8bbcf43746f96a9c252542708374ef415d49568f506fd822b
                • Instruction Fuzzy Hash: 8C113A7250024DABDF118F98DD89FDE7BA9EF49744F088015FE15A20A0C375CE64DB60
                APIs
                • GetLastError.KERNEL32(?,?,00BC3379,00BC2FE5), ref: 00BC3390
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BC339E
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BC33B7
                • SetLastError.KERNEL32(00000000,?,00BC3379,00BC2FE5), ref: 00BC3409
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: f94e7553d33553a8fcaa44e9a29fce31cb34f7ccc36acb5d88dcfd2a929c58fc
                • Instruction ID: f37139f7362fff9c12dd1f342d77b845bd5848988b9e7ff862595998069232e0
                • Opcode Fuzzy Hash: f94e7553d33553a8fcaa44e9a29fce31cb34f7ccc36acb5d88dcfd2a929c58fc
                • Instruction Fuzzy Hash: 7B01243220C351BEAA2427B57CD5F6E2AD4EB45B793A082BEF410812F0EF554E015288
                APIs
                • GetLastError.KERNEL32(?,?,00BD5686,00BE3CD6,?,00000000,?,00BD5B6A,?,?,?,?,?,00BCE6D1,?,00C68A48), ref: 00BD2D78
                • _free.LIBCMT ref: 00BD2DAB
                • _free.LIBCMT ref: 00BD2DD3
                • SetLastError.KERNEL32(00000000,?,?,?,?,00BCE6D1,?,00C68A48,00000010,00BA4F4A,?,?,00000000,00BE3CD6), ref: 00BD2DE0
                • SetLastError.KERNEL32(00000000,?,?,?,?,00BCE6D1,?,00C68A48,00000010,00BA4F4A,?,?,00000000,00BE3CD6), ref: 00BD2DEC
                • _abort.LIBCMT ref: 00BD2DF2
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorLast$_free$_abort
                • String ID:
                • API String ID: 3160817290-0
                • Opcode ID: 2f77b2c1bc4cc2323427ce7381b6e5be94fad7c3dbaac3de919dabee473ce241
                • Instruction ID: 086772910e2ee64241cd9c17c2ec5280853442622d2269d95963f4c1869b6862
                • Opcode Fuzzy Hash: 2f77b2c1bc4cc2323427ce7381b6e5be94fad7c3dbaac3de919dabee473ce241
                • Instruction Fuzzy Hash: 4CF0CD3550468067C22227357C46F5FA5D7EFE27A1F2445B7F864923E2FF6488015271
                APIs
                  • Part of subcall function 00BB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB9693
                  • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96A2
                  • Part of subcall function 00BB9639: BeginPath.GDI32(?), ref: 00BB96B9
                  • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96E2
                • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C38A4E
                • LineTo.GDI32(?,00000003,00000000), ref: 00C38A62
                • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C38A70
                • LineTo.GDI32(?,00000000,00000003), ref: 00C38A80
                • EndPath.GDI32(?), ref: 00C38A90
                • StrokePath.GDI32(?), ref: 00C38AA0
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                • String ID:
                • API String ID: 43455801-0
                • Opcode ID: ec1dca2212c91a7755f5bcd00fbd69f45d9511900370a60657bebd63e24bbf2c
                • Instruction ID: 953d6ab4f93fa86e8809979c1f9f316ee5eec4618055c58f9910fda41a64e137
                • Opcode Fuzzy Hash: ec1dca2212c91a7755f5bcd00fbd69f45d9511900370a60657bebd63e24bbf2c
                • Instruction Fuzzy Hash: AF11C97601014DFFDB129F94DC88FAE7F6DEB08354F048052BA19AA1A1C7719E55DFA0
                APIs
                • GetDC.USER32(00000000), ref: 00C05218
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C05229
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C05230
                • ReleaseDC.USER32(00000000,00000000), ref: 00C05238
                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C0524F
                • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C05261
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: 7af4ca61c170ed5fb4d15625cf49087e31ac4284f4e17aef6bf05d9925b1b267
                • Instruction ID: a14a596e33b08468d26639d701c90f97fcc69b057d10d8d9e2e15b45a9482105
                • Opcode Fuzzy Hash: 7af4ca61c170ed5fb4d15625cf49087e31ac4284f4e17aef6bf05d9925b1b267
                • Instruction Fuzzy Hash: CF014F75A01719BBEB109BA59C89B5EBFB8EF48751F044065FA04E7291D6709900CFA0
                APIs
                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BA1BF4
                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00BA1BFC
                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BA1C07
                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BA1C12
                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00BA1C1A
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00BA1C22
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Virtual
                • String ID:
                • API String ID: 4278518827-0
                • Opcode ID: 1e9ce2bd9a7790f6b6dfde947b681316539b74e35ec8a72bfeb2668823d89610
                • Instruction ID: 37a869a46f8b19288a6e39e61a6df53e70984358f0d6e0a265d208b73761cc0f
                • Opcode Fuzzy Hash: 1e9ce2bd9a7790f6b6dfde947b681316539b74e35ec8a72bfeb2668823d89610
                • Instruction Fuzzy Hash: 190144B0902B5ABDE3008F6A8C85B56FEA8FF19354F00411BA15C4BA42C7B5A864CBE5
                APIs
                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C0EB30
                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C0EB46
                • GetWindowThreadProcessId.USER32(?,?), ref: 00C0EB55
                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0EB64
                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0EB6E
                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C0EB75
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                • String ID:
                • API String ID: 839392675-0
                • Opcode ID: a50323e71dbe50948b936bff4ed548883b7de563834627df36d62bdec0c5aa89
                • Instruction ID: 6b629becbc261f123aa8f9cefd4dcd18feeb5ea25f3134323eecd1bff76f88c2
                • Opcode Fuzzy Hash: a50323e71dbe50948b936bff4ed548883b7de563834627df36d62bdec0c5aa89
                • Instruction Fuzzy Hash: 69F03A72250158BBE7215B629C8EFEF3A7CEFCAB11F004158F611E1091D7A05A01DBB5
                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C0187F
                • UnloadUserProfile.USERENV(?,?), ref: 00C0188B
                • CloseHandle.KERNEL32(?), ref: 00C01894
                • CloseHandle.KERNEL32(?), ref: 00C0189C
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C018A5
                • HeapFree.KERNEL32(00000000), ref: 00C018AC
                Similarity
                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                • String ID:
                • API String ID: 146765662-0
                • Opcode ID: 7a0476c533cd7de5e17986e327bd3b95fff389426f41493664f67c8e278e9927
                • Instruction ID: 7c59a94b981d715b6b436e904d3bb4aba61807102083d38a0b2149049fad765a
                • Opcode Fuzzy Hash: 7a0476c533cd7de5e17986e327bd3b95fff389426f41493664f67c8e278e9927
                • Instruction Fuzzy Hash: 01E0E536014101BBDB015FA1ED8CB4EBF39FF4AB22B108220F225A1070CB329430EF50
                APIs
                  • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C0C6EE
                • _wcslen.LIBCMT ref: 00C0C735
                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C0C79C
                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C0C7CA
                Strings
                Similarity
                • API ID: ItemMenu$Info_wcslen$Default
                • String ID: 0
                • API String ID: 1227352736-4108050209
                • Opcode ID: 5cea559edcba00665ca282fde703c572da82db271981a824fa3c960e7e2f75f1
                • Instruction ID: f097164b10e2465d60b7b031202dab1e7e5aacf1d0baaa44f830d6ddfe227ee4
                • Opcode Fuzzy Hash: 5cea559edcba00665ca282fde703c572da82db271981a824fa3c960e7e2f75f1
                • Instruction Fuzzy Hash: 46519D716183019BD7259F2CC8C5B6E77E8AB89310F040B29F9A5E21E0DBB4DA44DB52
                APIs
                • ShellExecuteExW.SHELL32(0000003C), ref: 00C2AEA3
                  • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                • GetProcessId.KERNEL32(00000000), ref: 00C2AF38
                • CloseHandle.KERNEL32(00000000), ref: 00C2AF67
                Strings
                Similarity
                • API ID: CloseExecuteHandleProcessShell_wcslen
                • String ID: <$@
                • API String ID: 146682121-1426351568
                • Opcode ID: 22df7fd981d1b3e158314d9f08b5b638d44038e77e24985f354b8f6239c7196b
                • Instruction ID: 4086162e5bf82a8461742fb08f8f28c3fbe2088d1d29fd31bd7d58eddcfcf7e5
                • Opcode Fuzzy Hash: 22df7fd981d1b3e158314d9f08b5b638d44038e77e24985f354b8f6239c7196b
                • Instruction Fuzzy Hash: 2C71AE71A04625DFCB14EF94D494A9EBBF0FF09310F048499E826AB762CB74EE45CB91
                APIs
                • GetWindowRect.USER32(01681760,?), ref: 00C362E2
                • ScreenToClient.USER32(?,?), ref: 00C36315
                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00C36382
                Strings
                Similarity
                • API ID: Window$ClientMoveRectScreen
                • String ID: @U=u
                • API String ID: 3880355969-2594219639
                • Opcode ID: b4702cf378f53aa95bb79cf43a081dfd58811684d142b3a5a285a42ce76a3115
                • Instruction ID: 0f0185bf2da40dc6abbc294af2f74fd07e89d7b6f8174882c7899a928b97bfac
                • Opcode Fuzzy Hash: b4702cf378f53aa95bb79cf43a081dfd58811684d142b3a5a285a42ce76a3115
                • Instruction Fuzzy Hash: EE514F75A10209EFCF10DF68D881AAE7BB5FF45360F148169F9659B2A0D731EE81CB50
                APIs
                  • Part of subcall function 00C0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C021D0,?,?,00000034,00000800,?,00000034), ref: 00C0B42D
                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C02760
                  • Part of subcall function 00C0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C0B3F8
                  • Part of subcall function 00C0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C0B355
                  • Part of subcall function 00C0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C02194,00000034,?,?,00001004,00000000,00000000), ref: 00C0B365
                  • Part of subcall function 00C0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C02194,00000034,?,?,00001004,00000000,00000000), ref: 00C0B37B
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C027CD
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C0281A
                Strings
                Similarity
                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                • String ID: @$@U=u
                • API String ID: 4150878124-826235744
                • Opcode ID: 05149301e5923c0218c3e1a930707fc610bfbcedfab1b74582822b790317ced0
                • Instruction ID: e2a8df74d1264c4c9f20b45999cbe21c5d23a7c7b93a581ef63facd8a462fb00
                • Opcode Fuzzy Hash: 05149301e5923c0218c3e1a930707fc610bfbcedfab1b74582822b790317ced0
                • Instruction Fuzzy Hash: 34411B76900218AFDB10DFA4CD86BEEBBB8AF09700F108095FA55B7191DB706F45DBA1
                APIs
                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C07206
                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C0723C
                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C0724D
                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C072CF
                Strings
                Similarity
                • API ID: ErrorMode$AddressCreateInstanceProc
                • String ID: DllGetClassObject
                • API String ID: 753597075-1075368562
                • Opcode ID: a7d255914085328a2418eddea6c0310545fa79e5be122808232f56a83a747e41
                • Instruction ID: f0c755907e4e39e46cde0a21008a9c601967225d72c2a026262a477fcfb4607b
                • Opcode Fuzzy Hash: a7d255914085328a2418eddea6c0310545fa79e5be122808232f56a83a747e41
                • Instruction Fuzzy Hash: 32418EB1A04204EFDF19CF54C984B9A7BA9EF44310F1581A9BD059F28AD7B0EE40DBA0
                APIs
                • SendMessageW.USER32(?,00001024,00000000,?), ref: 00C35352
                • GetWindowLongW.USER32(?,000000F0), ref: 00C35375
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C35382
                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C353A8
                Strings
                Similarity
                • API ID: LongWindow$InvalidateMessageRectSend
                • String ID: @U=u
                • API String ID: 3340791633-2594219639
                • Opcode ID: 9270fd11a4480dcaec42430853869b337e780962ae3e870fe68d33c1d7bb493e
                • Instruction ID: e3805db626329d3505db54a4df558407ea489a4160cb08ff5089d05a0885a2aa
                • Opcode Fuzzy Hash: 9270fd11a4480dcaec42430853869b337e780962ae3e870fe68d33c1d7bb493e
                • Instruction Fuzzy Hash: DF319634AB5A08EFEB749F14CC56FE977A5EB05390F584101FA21961F1C7B09E80DB51
                APIs
                Strings
                Similarity
                • API ID: _wcslen
                • String ID: HKEY_LOCAL_MACHINE$HKLM
                • API String ID: 176396367-4004644295
                • Opcode ID: f570b04ffa0378efa7dfc80525903ab5f2c41a6f5f52050475e1ae9ae14d42d0
                • Instruction ID: 4952ca837f687f77ee4487191952947ddd9fe7933c347c1ed5d87601c43cec5e
                • Opcode Fuzzy Hash: f570b04ffa0378efa7dfc80525903ab5f2c41a6f5f52050475e1ae9ae14d42d0
                • Instruction Fuzzy Hash: 6331E673A00179CBCB20DF2CE9D15BE33919BA1794B154169FC65AB645EA71CF40A3A0
                APIs
                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C32F8D
                • LoadLibraryW.KERNEL32(?), ref: 00C32F94
                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C32FA9
                • DestroyWindow.USER32(?), ref: 00C32FB1
                Strings
                Similarity
                • API ID: MessageSend$DestroyLibraryLoadWindow
                • String ID: SysAnimate32
                • API String ID: 3529120543-1011021900
                • Opcode ID: 389bc1b42b49ac70c795032b17e80794cfacfdf76cf5d7fe0ecf970ae245fc68
                • Instruction ID: 5582d86e00d19c700a595a23e761959cf1f5dbccf4dc4e314e90c0ffe2e9f19a
                • Opcode Fuzzy Hash: 389bc1b42b49ac70c795032b17e80794cfacfdf76cf5d7fe0ecf970ae245fc68
                • Instruction Fuzzy Hash: A321AC72224225ABEF205FA4DC81FBB77B9EB5D364F100628FA60E2190D771DC919760
                APIs
                • SendMessageW.USER32(?,00001060,?,00000004), ref: 00C356BB
                • _wcslen.LIBCMT ref: 00C356CD
                • _wcslen.LIBCMT ref: 00C356D8
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C35816
                Strings
                Similarity
                • API ID: MessageSend_wcslen
                • String ID: @U=u
                • API String ID: 455545452-2594219639
                • Opcode ID: 5f83bc062c542861c8e645d9ffbd277a75cc0a38fa73708f99cc852d6b894ab5
                • Instruction ID: bcd60e81419745a77166ab89adb6a4098cc9513ada2ce302c52970f1839e219e
                • Opcode Fuzzy Hash: 5f83bc062c542861c8e645d9ffbd277a75cc0a38fa73708f99cc852d6b894ab5
                • Instruction Fuzzy Hash: 0F11B1B16206189ADB20DF658C86BEE77BCAF11760F50406AF925D6181EB708B80CF64
                APIs
                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BA604C
                • GetStockObject.GDI32(00000011), ref: 00BA6060
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA606A
                Strings
                Similarity
                • API ID: CreateMessageObjectSendStockWindow
                • String ID: @U=u
                • API String ID: 3970641297-2594219639
                • Opcode ID: 88cc219026a49f027aeece8a36279a3f6129530f1d5fe671fa19ab642fb9eb79
                • Instruction ID: 505170ae86fbcb30247c9235bd58e2cf8ed8768269fa9bdb2e20225ef826aeff
                • Opcode Fuzzy Hash: 88cc219026a49f027aeece8a36279a3f6129530f1d5fe671fa19ab642fb9eb79
                • Instruction Fuzzy Hash: A61161B2505549BFEF264FA49C84FEE7BA9EF0A354F090155FA1452110D7329CA0EB90
                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BC4D1E,00BD28E9,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002), ref: 00BC4D8D
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BC4DA0
                • FreeLibrary.KERNEL32(00000000,?,?,?,00BC4D1E,00BD28E9,?,00BC4CBE,00BD28E9,00C688B8,0000000C,00BC4E15,00BD28E9,00000002,00000000), ref: 00BC4DC3
                Strings
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 2219bc8adec29cc25ff25690942328fa031ef0c2c16ce0ceb5f1a09e2febf9c2
                • Instruction ID: b423a1b96d8f2b2ce2444d8c4d0b6a3e84d4c3ce742370259c408c06eb50dad5
                • Opcode Fuzzy Hash: 2219bc8adec29cc25ff25690942328fa031ef0c2c16ce0ceb5f1a09e2febf9c2
                • Instruction Fuzzy Hash: 69F04F35A50208BBDB11AF90DC89FAEBBF5EF44751F0001A8F906A2260CB705E40DF91
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E9C
                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BA4EAE
                • FreeLibrary.KERNEL32(00000000,?,?,00BA4EDD,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4EC0
                Strings
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                • API String ID: 145871493-3689287502
                • Opcode ID: ac9024a8dcc0339ce89c417eb619e88cd9040311c84faa0b6383224f6e97d24a
                • Instruction ID: df97ec569fb9e49a3ffe69c765931d9b82328b6738db0bfd3f14d4879247aea4
                • Opcode Fuzzy Hash: ac9024a8dcc0339ce89c417eb619e88cd9040311c84faa0b6383224f6e97d24a
                • Instruction Fuzzy Hash: 6AE0C236A166225BD2321B25BC58B6FB698EFC3F63B050165FC01F3200DBE0CD0296E0
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E62
                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BA4E74
                • FreeLibrary.KERNEL32(00000000,?,?,00BE3CDE,?,00C71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00BA4E87
                Strings
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                • API String ID: 145871493-1355242751
                • Opcode ID: e9620ecb38303c9d0eec66c53eaf18c57479239925123cb45bd47c91805ef39a
                • Instruction ID: f2a1e799a9c1f0c618d615254cec66e12739eeef8beb83322db0e0582b45dcd2
                • Opcode Fuzzy Hash: e9620ecb38303c9d0eec66c53eaf18c57479239925123cb45bd47c91805ef39a
                • Instruction Fuzzy Hash: 4CD0C2365166215746321B247C48F8F7A98EFC2B113050161B801F2110CFA0CD0296D0
                APIs
                • GetCurrentProcessId.KERNEL32 ref: 00C2A427
                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C2A435
                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C2A468
                • CloseHandle.KERNEL32(?), ref: 00C2A63D
                Similarity
                • API ID: Process$CloseCountersCurrentHandleOpen
                • String ID:
                • API String ID: 3488606520-0
                • Opcode ID: 4c74d1513bf2f82e7deccda05caed68875178bceb610894083697bfcc52f4930
                • Instruction ID: 65c3ef6b10499b54b3c50abc484ca55d19446cfbec2e76529a1b7d4e84aa5f07
                • Opcode Fuzzy Hash: 4c74d1513bf2f82e7deccda05caed68875178bceb610894083697bfcc52f4930
                • Instruction Fuzzy Hash: 42A1C071604300AFD720EF24D882F2AB7E1AF84714F14885DF56A9B792DBB1ED41CB82
                APIs
                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C43700), ref: 00BDBB91
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00C7121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BDBC09
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00C71270,000000FF,?,0000003F,00000000,?), ref: 00BDBC36
                • _free.LIBCMT ref: 00BDBB7F
                  • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                  • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                • _free.LIBCMT ref: 00BDBD4B
                Similarity
                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                • String ID:
                • API String ID: 1286116820-0
                • Opcode ID: a9e524c4932877bc3fd2c32eca5ea61eef7720339d9b3e97fd83efb2e22571a5
                • Instruction ID: 42f9f33a9b06a000ba71df321c878b18575ea0397b4816ec2e255f654a7d8d76
                • Opcode Fuzzy Hash: a9e524c4932877bc3fd2c32eca5ea61eef7720339d9b3e97fd83efb2e22571a5
                • Instruction Fuzzy Hash: 7B518371900209EFCB14EF699C81EAEF7F8EB44360B1542ABE554D73A1FB709E419B50
                APIs
                  • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C0CF22,?), ref: 00C0DDFD
                  • Part of subcall function 00C0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C0CF22,?), ref: 00C0DE16
                  • Part of subcall function 00C0E199: GetFileAttributesW.KERNEL32(?,00C0CF95), ref: 00C0E19A
                • lstrcmpiW.KERNEL32(?,?), ref: 00C0E473
                • MoveFileW.KERNEL32(?,?), ref: 00C0E4AC
                • _wcslen.LIBCMT ref: 00C0E5EB
                • _wcslen.LIBCMT ref: 00C0E603
                • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C0E650
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                • String ID:
                • API String ID: 3183298772-0
                • Opcode ID: d21728181d2d775af00a6c6aa5ec3f92e1aac6b843bd012418a07209d0dcd66c
                • Instruction ID: 3dd351c89d4c3fda18f6d7394e5d80f4f6795570a7ccf22735d4cf112026ac24
                • Opcode Fuzzy Hash: d21728181d2d775af00a6c6aa5ec3f92e1aac6b843bd012418a07209d0dcd66c
                • Instruction Fuzzy Hash: 405161B24483459BC724EB90DC81ADFB3ECAF85340F00491EF69993191EF75A688CB66
                APIs
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                  • Part of subcall function 00C2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C2B6AE,?,?), ref: 00C2C9B5
                  • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2C9F1
                  • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA68
                  • Part of subcall function 00C2C998: _wcslen.LIBCMT ref: 00C2CA9E
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2BAA5
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C2BB00
                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C2BB63
                • RegCloseKey.ADVAPI32(?,?), ref: 00C2BBA6
                • RegCloseKey.ADVAPI32(00000000), ref: 00C2BBB3
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                • String ID:
                • API String ID: 826366716-0
                • Opcode ID: f088c124328d7a37d6edadffaa8ab28496de13fc3cccd12b070613f8796b8324
                • Instruction ID: 23510d5d3c1d72c88e8ddd57f4af192083a82c15327f6b1d5a28919e3149d27c
                • Opcode Fuzzy Hash: f088c124328d7a37d6edadffaa8ab28496de13fc3cccd12b070613f8796b8324
                • Instruction Fuzzy Hash: 1361B031208241EFC314DF14D490E2ABBE5FF85348F1485ACF49A8B6A2DB31ED45DB92
                APIs
                • VariantInit.OLEAUT32(?), ref: 00C08BCD
                • VariantClear.OLEAUT32 ref: 00C08C3E
                • VariantClear.OLEAUT32 ref: 00C08C9D
                • VariantClear.OLEAUT32(?), ref: 00C08D10
                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C08D3B
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Variant$Clear$ChangeInitType
                • String ID:
                • API String ID: 4136290138-0
                • Opcode ID: 0b895080b06b92aa86f6758f427cbfb15b9b2e85ed9d5cfccaf85d4bcbe45c00
                • Instruction ID: ae8777d73348bca973f0728e8f41807a3f53e6a7dbdae283cb2d5bd2c8c7449b
                • Opcode Fuzzy Hash: 0b895080b06b92aa86f6758f427cbfb15b9b2e85ed9d5cfccaf85d4bcbe45c00
                • Instruction Fuzzy Hash: CE517AB5A1021AEFCB10CF68C884AAAB7F8FF89310B158559F955EB350E730E911CF90
                APIs
                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C18BAE
                • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C18BDA
                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C18C32
                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C18C57
                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C18C5F
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: PrivateProfile$SectionWrite$String
                • String ID:
                • API String ID: 2832842796-0
                • Opcode ID: 70be43e83b932e2d45dc50543e8a7633541227b1795b7b5f192ab4e7a81c3338
                • Instruction ID: 7d97ba9bc8e91108835be120f67afc7b3d8d6b00bc4f00bf4882856449132acc
                • Opcode Fuzzy Hash: 70be43e83b932e2d45dc50543e8a7633541227b1795b7b5f192ab4e7a81c3338
                • Instruction Fuzzy Hash: 21515A35A042159FCB00DF64C891AAEBBF5FF4A314F088099E849AB362CB31ED55DF90
                APIs
                • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C28F40
                • GetProcAddress.KERNEL32(00000000,?), ref: 00C28FD0
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C28FEC
                • GetProcAddress.KERNEL32(00000000,?), ref: 00C29032
                • FreeLibrary.KERNEL32(00000000), ref: 00C29052
                  • Part of subcall function 00BBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C11043,?,75B8E610), ref: 00BBF6E6
                  • Part of subcall function 00BBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BFFA64,00000000,00000000,?,?,00C11043,?,75B8E610,?,00BFFA64), ref: 00BBF70D
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                • String ID:
                • API String ID: 666041331-0
                • Opcode ID: 932c385078e70106ea82b5757859a7b42910caf59e0e52070c259e22bcf15b2c
                • Instruction ID: 4bbdfd4c965fbb281edf9cc7e3e766bce25869a58a358e86b7ab0463222b1342
                • Opcode Fuzzy Hash: 932c385078e70106ea82b5757859a7b42910caf59e0e52070c259e22bcf15b2c
                • Instruction Fuzzy Hash: B8514935A05215DFC711DF58C4949ADBBF1FF49314F0880A9E81AAB762DB31EE85CB90
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: cdf5de6dafb319c2e987115b762df6a9acc9dae5099f6f373bbbc1c71dc60a4a
                • Instruction ID: 3eb8defb9e83ea9b3ebb098a7f3487898da65327011d300195c3a460de0d47e5
                • Opcode Fuzzy Hash: cdf5de6dafb319c2e987115b762df6a9acc9dae5099f6f373bbbc1c71dc60a4a
                • Instruction Fuzzy Hash: 3F41A136A00240AFCB24DF78C881A6DF7E5EF99314B1585AAE515EB351E631AD01DB80
                APIs
                • GetCursorPos.USER32(?), ref: 00BB9141
                • ScreenToClient.USER32(00000000,?), ref: 00BB915E
                • GetAsyncKeyState.USER32(00000001), ref: 00BB9183
                • GetAsyncKeyState.USER32(00000002), ref: 00BB919D
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AsyncState$ClientCursorScreen
                • String ID:
                • API String ID: 4210589936-0
                • Opcode ID: 91f7dd4fb007af2e3c75b55788f0ea0c84328fd89783e3d585206559473e373d
                • Instruction ID: d52a739c84363192753db4955e1c1177b5bef627ae30259f41406995928ef0b8
                • Opcode Fuzzy Hash: 91f7dd4fb007af2e3c75b55788f0ea0c84328fd89783e3d585206559473e373d
                • Instruction Fuzzy Hash: 33415F7190850AFBDF159F68C884BFEB7B4FF05320F208299E525B7290CB745A58EB91
                APIs
                • GetInputState.USER32 ref: 00C138CB
                • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C13922
                • TranslateMessage.USER32(?), ref: 00C1394B
                • DispatchMessageW.USER32(?), ref: 00C13955
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C13966
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                • String ID:
                • API String ID: 2256411358-0
                • Opcode ID: aab3c8410ad2f6dbdd913326f501d850244ac2e9b4b43c12664aeb921e035794
                • Instruction ID: 92a4780192c8a45003f5b09d9717ee20feac7750b2f0b35fc9d39e12af9ada62
                • Opcode Fuzzy Hash: aab3c8410ad2f6dbdd913326f501d850244ac2e9b4b43c12664aeb921e035794
                • Instruction Fuzzy Hash: 2F31A6705043C19EEB35CB359849BFA3BA8AB07318F08456AE876961E0E3B497C5EB51
                APIs
                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00C1CF38
                • InternetReadFile.WININET(?,00000000,?,?), ref: 00C1CF6F
                • GetLastError.KERNEL32(?,00000000,?,?,?,00C1C21E,00000000), ref: 00C1CFB4
                • SetEvent.KERNEL32(?,?,00000000,?,?,?,00C1C21E,00000000), ref: 00C1CFC8
                • SetEvent.KERNEL32(?,?,00000000,?,?,?,00C1C21E,00000000), ref: 00C1CFF2
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                • String ID:
                • API String ID: 3191363074-0
                • Opcode ID: 346ff7d035784cf9e2784522162c9ee4d5553d874366bd4aeaa68cc6fd1f8f41
                • Instruction ID: 4e854cecbdbcb5af1774b1c20bf106fdfcec5a133fa0695001a9408a8a05246c
                • Opcode Fuzzy Hash: 346ff7d035784cf9e2784522162c9ee4d5553d874366bd4aeaa68cc6fd1f8f41
                • Instruction Fuzzy Hash: 88313A71540205AFDB20DFA5C8C4AEFBBF9EB16350B10446EF526E2150DB30EE82AB60
                APIs
                • GetWindowRect.USER32(?,?), ref: 00C01915
                • PostMessageW.USER32(00000001,00000201,00000001), ref: 00C019C1
                • Sleep.KERNEL32(00000000,?,?,?), ref: 00C019C9
                • PostMessageW.USER32(00000001,00000202,00000000), ref: 00C019DA
                • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C019E2
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessagePostSleep$RectWindow
                • String ID:
                • API String ID: 3382505437-0
                • Opcode ID: 23a914c890bd8451dfeaa0e07a0df7973612266432dd9ffa1ee9b3d1eeb4ea02
                • Instruction ID: bacca62646479a4df96ab9028fc278cd09d227cb580f4cfc0225b976a35d5b4e
                • Opcode Fuzzy Hash: 23a914c890bd8451dfeaa0e07a0df7973612266432dd9ffa1ee9b3d1eeb4ea02
                • Instruction Fuzzy Hash: B331C071A10219EFCB00CFA8CD99BDE7BB5EB05315F144229FD21A72D1C7709A54DB90
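The API chains in the entries above (RegConnectRegistryW followed by RegOpenKeyExW/RegEnumKeyExW, LoadLibraryW/GetProcAddress, GetCursorPos/GetAsyncKeyState, InternetQueryDataAvailable/InternetReadFile, and PostMessageW with 00000201/00000202, which are WM_LBUTTONDOWN and WM_LBUTTONUP) are easier to triage once the call lines are parsed and the literal arguments decoded. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the analysed sample. SAMPLE is constructed from call lines copied from the entries above, and the labels in CHAINS are the editor's own capability names, not Joe Sandbox signature names.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and
derive capability labels from each function's API chain.  Added example;
not part of Joe Sandbox or of the analysed sample."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: call lines copied from the report's "APIs" blocks,
# one block per function, exactly as the report prints them.
SAMPLE = """\
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C2BAA5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C2BB00
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C2BB63
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C28F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00C28FD0
  • Part of subcall function 00BBF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C11043,?,75B8E610), ref: 00BBF6E6
APIs
• GetCursorPos.USER32(?), ref: 00BB9141
• GetAsyncKeyState.USER32(00000001), ref: 00BB9183
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00C1CF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 00C1CF6F
APIs
• GetWindowRect.USER32(?,?), ref: 00C01915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 00C019C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 00C019C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 00C019DA
"""

# One call line: optional "Part of subcall function X:" prefix, Func.MODULE,
# an optional "(args)" list, and the call-site address after "ref:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

@dataclass
class Call:
    func: str
    module: str
    args: list                        # int per argument, None where the report shows '?'
    ref: str                          # call-site address inside the dump
    subcall_of: Optional[str] = None  # helper address when the call is indirect

def parse_args(text):
    """'?' means the sandbox could not recover the value; everything else is hex."""
    if not text or not text.strip():
        return []
    return [None if t.strip() == "?" else int(t.strip(), 16) for t in text.split(",")]

def parse_entries(report_text):
    """Split the listing at each 'APIs' header; one list of Call per function."""
    entries, current = [], None
    for line in report_text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            current.append(Call(m["func"], m["mod"], parse_args(m["args"]), m["ref"], m["sub"]))
    return entries

# Literal arguments worth decoding, keyed by (function, zero-based argument index).
CONSTANTS = {
    ("PostMessageW", 1): {0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP"},
    ("GetAsyncKeyState", 0): {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON"},
}

def annotate(call):
    """Symbolic names for the literal arguments CONSTANTS knows about."""
    return [CONSTANTS[(call.func, i)][v] for i, v in enumerate(call.args)
            if (call.func, i) in CONSTANTS and v in CONSTANTS[(call.func, i)]]

# Editor's own capability labels (assumption, not sandbox signature names): every
# API or decoded constant in the set must occur among the function's direct calls.
CHAINS = {
    "dynamic API resolution": {"LoadLibraryW", "GetProcAddress"},
    "remote registry connect": {"RegConnectRegistryW"},
    "registry enumeration": {"RegOpenKeyExW", "RegEnumKeyExW"},
    "mouse state polling": {"GetCursorPos", "GetAsyncKeyState"},
    "WinINet download": {"InternetQueryDataAvailable", "InternetReadFile"},
    "synthetic mouse click": {"PostMessageW", "WM_LBUTTONDOWN", "WM_LBUTTONUP"},
}

def capabilities(entry):
    """Labels implied by one function's own calls.  Subcall lines are shared
    helpers that the report attaches to every caller, so they are ignored."""
    seen = set()
    for call in entry:
        if call.subcall_of is None:
            seen.add(call.func)
            seen.update(annotate(call))
    return {label for label, needed in CHAINS.items() if needed <= seen}

def triage(report_text):
    """Map each function's first direct call-site address to its sorted labels."""
    result = {}
    for entry in parse_entries(report_text):
        direct = [c for c in entry if c.subcall_of is None]
        caps = capabilities(entry)
        if direct and caps:
            result[direct[0].ref] = sorted(caps)
    return result

if __name__ == "__main__":
    for ref, labels in triage(SAMPLE).items():
        print(ref, "->", ", ".join(labels))
```

Subcall lines are parsed but kept out of capability matching on purpose: the report attaches the same shared helper (the WideCharToMultiByte wrapper at 00BBF6C9, for instance) to every function that reaches it, and counting it would attribute the helper's behaviour to each caller. The "synthetic mouse click" label is only applied when both WM_LBUTTONDOWN and WM_LBUTTONUP are decoded from PostMessageW's second argument, which is what separates the entry at 00C01915 from an ordinary message post.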
                APIs
                • IsWindow.USER32(00000000), ref: 00C20951
                • GetForegroundWindow.USER32 ref: 00C20968
                • GetDC.USER32(00000000), ref: 00C209A4
                • GetPixel.GDI32(00000000,?,00000003), ref: 00C209B0
                • ReleaseDC.USER32(00000000,00000003), ref: 00C209E8
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$ForegroundPixelRelease
                • String ID:
                • API String ID: 4156661090-0
                • Opcode ID: 11afa4819ab2a5feb5c8e3c2ac6b33718172633854ed1a951b2291ff4566d004
                • Instruction ID: 0e6bf201c946550ba1dbea22d6765c8ba7da533e814003981ef01eb4b12ea977
                • Opcode Fuzzy Hash: 11afa4819ab2a5feb5c8e3c2ac6b33718172633854ed1a951b2291ff4566d004
                • Instruction Fuzzy Hash: D821CD35A00214AFD704EF65D889BAEBBF9EF49300F048069F85AA7762CB30AC44DB50
                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 00BDCDC6
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BDCDE9
                  • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BDCE0F
                • _free.LIBCMT ref: 00BDCE22
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BDCE31
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                • String ID:
                • API String ID: 336800556-0
                • Opcode ID: 3cb304f3bb59eef8edd7536a49d36bd8573e8a7080cd8421da9fe991411b3090
                • Instruction ID: 27f3177a66fd9e799ed9ddb0dda608ee6574f05873afc2a241b42ec464f1b9ae
                • Opcode Fuzzy Hash: 3cb304f3bb59eef8edd7536a49d36bd8573e8a7080cd8421da9fe991411b3090
                • Instruction Fuzzy Hash: 3A01B5B26012167F23211ABA6C88E7FFEADDEC6BA1315016AF905D7301FA619D01D2B0
                APIs
                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB9693
                • SelectObject.GDI32(?,00000000), ref: 00BB96A2
                • BeginPath.GDI32(?), ref: 00BB96B9
                • SelectObject.GDI32(?,00000000), ref: 00BB96E2
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ObjectSelect$BeginCreatePath
                • String ID:
                • API String ID: 3225163088-0
                • Opcode ID: 6b46ee5ee8e38814b88625446d4ea171b6f2bff35baf009191c9e21978c3f8f8
                • Instruction ID: 79a5842555607972d20fb686da37b4763602837cc317032b5fa0776980fc0ad6
                • Opcode Fuzzy Hash: 6b46ee5ee8e38814b88625446d4ea171b6f2bff35baf009191c9e21978c3f8f8
                • Instruction Fuzzy Hash: D2217C31812305EBDB119F28EC59BFD7BF8FB10315F180256FA19A61B0D3B09896DB94
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: ce82fda6f981ff65146a8f478946912645547da6cf10faaafbac1ef3c25bdec6
                • Instruction ID: b3f04decee49c8a37f3660d3292017046e196b6526a660b5b77cc674082de1dc
                • Opcode Fuzzy Hash: ce82fda6f981ff65146a8f478946912645547da6cf10faaafbac1ef3c25bdec6
                • Instruction Fuzzy Hash: 2C01F9A1695605BBD71855199E42FBB738CDF61398F000438FD14AA2C2F720EE11DAE5
                APIs
                • GetLastError.KERNEL32(?,?,?,00BCF2DE,00BD3863,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6), ref: 00BD2DFD
                • _free.LIBCMT ref: 00BD2E32
                • _free.LIBCMT ref: 00BD2E59
                • SetLastError.KERNEL32(00000000,00BA1129), ref: 00BD2E66
                • SetLastError.KERNEL32(00000000,00BA1129), ref: 00BD2E6F
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorLast$_free
                • String ID:
                • API String ID: 3170660625-0
                • Opcode ID: c6c3ab70d89a1aed092d23ae8f4f9231651677999b46c59aa5e7d3ccd76365fe
                • Instruction ID: 042d7b2b7b8e18d2e284a600ca7482dec5145e2e50dbcb03aa9a4cdc2bacd276
                • Opcode Fuzzy Hash: c6c3ab70d89a1aed092d23ae8f4f9231651677999b46c59aa5e7d3ccd76365fe
                • Instruction Fuzzy Hash: 1801F9365056806BC61227356CC5F6FA7D9EBF17B272444B7F425A3392FB74CC014120
                APIs
                • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?,?,00C0035E), ref: 00C0002B
                • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00046
                • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00054
                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?), ref: 00C00064
                • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BFFF41,80070057,?,?), ref: 00C00070
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: From$Prog$FreeStringTasklstrcmpi
                • String ID:
                • API String ID: 3897988419-0
                • Opcode ID: c780d680302ca2512a2812fa8c934e8018d2926427f675b5525b185b1dcaaf66
                • Instruction ID: a53521d93af85659b281bd688bc4a33c02a9066162d4fc69551b547d209c459a
                • Opcode Fuzzy Hash: c780d680302ca2512a2812fa8c934e8018d2926427f675b5525b185b1dcaaf66
                • Instruction Fuzzy Hash: 44018F76610204BFDB104F69DC48BAE7BADEB44756F254124F905E2290DB75DE40CBA0
                APIs
                • QueryPerformanceCounter.KERNEL32(?), ref: 00C0E997
                • QueryPerformanceFrequency.KERNEL32(?), ref: 00C0E9A5
                • Sleep.KERNEL32(00000000), ref: 00C0E9AD
                • QueryPerformanceCounter.KERNEL32(?), ref: 00C0E9B7
                • Sleep.KERNEL32 ref: 00C0E9F3
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: PerformanceQuery$CounterSleep$Frequency
                • String ID:
                • API String ID: 2833360925-0
                • Opcode ID: 347f721c921abe24ec5d61d4173399e29454f26c62a1a93b8e60db7e03e04bf7
                • Instruction ID: 79d3bf0edfff08f95ec5d81f1c48db9c898ad40eaa4d71e67e1223a654f8ecfc
                • Opcode Fuzzy Hash: 347f721c921abe24ec5d61d4173399e29454f26c62a1a93b8e60db7e03e04bf7
                • Instruction Fuzzy Hash: 19011331C41639DBCF00ABE5D999BEEBB78BB09701F000956E912B2291CB309695DBA1
                APIs
                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C01114
                • GetLastError.KERNEL32(?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01120
                • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C0112F
                • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C00B9B,?,?,?), ref: 00C01136
                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C0114D
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                • String ID:
                • API String ID: 842720411-0
                • Opcode ID: 2aa60dfb7cd5619118decad54cf6b514dd4c29d1802a28982143cf1dacace830
                • Instruction ID: 4ab7c2d21e9c093c37e2c04b44c92b20f66d79885ad9f59bfa6486a756c775a6
                • Opcode Fuzzy Hash: 2aa60dfb7cd5619118decad54cf6b514dd4c29d1802a28982143cf1dacace830
                • Instruction Fuzzy Hash: 7D016975200205BFDB154FA4DC89BAE3B6EEF8A3A0B240418FE41E33A0DA31DD00DB60
                APIs
                • GetTokenInformation.ADVAPI32(?,00000002(TokenGroups),?,00000000,?), ref: 00C00FCA
                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C00FD6
                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C00FE5
                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C00FEC
                • GetTokenInformation.ADVAPI32(?,00000002(TokenGroups),00000000,?,?,?,00000002,?,00000000,?), ref: 00C01002
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: HeapInformationToken$AllocErrorLastProcess
                • String ID:
                • API String ID: 44706859-0
                • Opcode ID: 6ef08b5b95c7e850cbbb85c9548eae0e2745691d55a6557d7cca472914b91c1d
                • Instruction ID: 6fc16de846e03cde805c7c5a4a20f5683438ed6d7b7a1aa3142b41a0722f0488
                • Opcode Fuzzy Hash: 6ef08b5b95c7e850cbbb85c9548eae0e2745691d55a6557d7cca472914b91c1d
                • Instruction Fuzzy Hash: BFF04935210301AFDB224FA49C89F5E3BADEF89762F144414FA85E7291CA70DC50CB60
                APIs
                • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00C0102A
                • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00C01036
                • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00C01045
                • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00C0104C
                • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00C01062
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: HeapInformationToken$AllocErrorLastProcess
                • String ID:
                • API String ID: 44706859-0
                • Opcode ID: d07dc6278361b13e665314ef1817262e7b538f70ce346c9f1d551fb750f0cf67
                • Instruction ID: 9bb10c7243aa512d7de0f6b5393400eb2cb7044eabc53ec91412224ff92d7d7b
                • Opcode Fuzzy Hash: d07dc6278361b13e665314ef1817262e7b538f70ce346c9f1d551fb750f0cf67
                • Instruction Fuzzy Hash: 3AF06D35210301EBDB215FA4EC89F5E3BADEF89761F140414FE85E7290CA70D950CB60
                APIs
                • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C10324
                • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C10331
                • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C1033E
                • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C1034B
                • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C10358
                • CloseHandle.KERNEL32(?,?,?,?,00C1017D,?,00C132FC,?,00000001,00BE2592,?), ref: 00C10365
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: 3be5036fe0d27ba08e8212c364921c635c5f146978900d62afb8883224e62c5c
                • Instruction ID: f2a79699114a262bed80875c0be496ad8c38537cbfa9bedad09905795aea1d84
                • Opcode Fuzzy Hash: 3be5036fe0d27ba08e8212c364921c635c5f146978900d62afb8883224e62c5c
                • Instruction Fuzzy Hash: 5501A272800B15DFC730AF66D880456F7F5BF513153658A3FD1A652931C3B1AA95EF80
                APIs
                • _free.LIBCMT ref: 00BDD752
                  • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                  • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                • _free.LIBCMT ref: 00BDD764
                • _free.LIBCMT ref: 00BDD776
                • _free.LIBCMT ref: 00BDD788
                • _free.LIBCMT ref: 00BDD79A
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: a0d34ea2e86ea89843da5053ae422d34617b8700f02ccff5b19f81670924c28e
                • Instruction ID: dd583b9f85c91b76bf32cb8d2907a0944346ba99ca78630409c3dca1873b800e
                • Opcode Fuzzy Hash: a0d34ea2e86ea89843da5053ae422d34617b8700f02ccff5b19f81670924c28e
                • Instruction Fuzzy Hash: 77F04F32544244ABC635EB65F9C1E2ABBDDFB44310B940897F098D7741EB24FC808A64
                APIs
                • GetDlgItem.USER32(?,000003E9), ref: 00C05C58
                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C05C6F
                • MessageBeep.USER32(00000000), ref: 00C05C87
                • KillTimer.USER32(?,0000040A), ref: 00C05CA3
                • EndDialog.USER32(?,00000001), ref: 00C05CBD
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: BeepDialogItemKillMessageTextTimerWindow
                • String ID:
                • API String ID: 3741023627-0
                • Opcode ID: 2869a91a641330aad52fc6cd90150d2c726c83b297cd95b00717aabb0fce7c67
                • Instruction ID: 32c5211d4c7826c2488462d97a487c0c0ae1247fec4ff818820c4292fc45d07e
                • Opcode Fuzzy Hash: 2869a91a641330aad52fc6cd90150d2c726c83b297cd95b00717aabb0fce7c67
                • Instruction Fuzzy Hash: 1C016D31510B04ABFB215B10DE8FFAA7BB8BB04B05F041559B693B10E1DBF4AA84CF90
                APIs
                • _free.LIBCMT ref: 00BD22BE
                  • Part of subcall function 00BD29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000), ref: 00BD29DE
                  • Part of subcall function 00BD29C8: GetLastError.KERNEL32(00000000,?,00BDD7D1,00000000,00000000,00000000,00000000,?,00BDD7F8,00000000,00000007,00000000,?,00BDDBF5,00000000,00000000), ref: 00BD29F0
                • _free.LIBCMT ref: 00BD22D0
                • _free.LIBCMT ref: 00BD22E3
                • _free.LIBCMT ref: 00BD22F4
                • _free.LIBCMT ref: 00BD2305
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 4a77340186be8b78ea52316415de3037dd6b02af3268e82473ab879663af4901
                • Instruction ID: 0e4b081c8ef25af41eef942c1a70146cf6975911b0f2204ca6aa2e6cb58a3a3d
                • Opcode Fuzzy Hash: 4a77340186be8b78ea52316415de3037dd6b02af3268e82473ab879663af4901
                • Instruction Fuzzy Hash: 57F030784001908B8722AFA8BC51B1C7BA8F72C7507140597F418D73B2DB740491BBA4
                APIs
                • EndPath.GDI32(?), ref: 00BB95D4
                • StrokeAndFillPath.GDI32(?,?,00BF71F7,00000000,?,?,?), ref: 00BB95F0
                • SelectObject.GDI32(?,00000000), ref: 00BB9603
                • DeleteObject.GDI32 ref: 00BB9616
                • StrokePath.GDI32(?), ref: 00BB9631
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Path$ObjectStroke$DeleteFillSelect
                • String ID:
                • API String ID: 2625713937-0
                • Opcode ID: 44d26e9e9ba133ee68a08c3952953bffe18cd99207cb786331fc2a9fb53e8b28
                • Instruction ID: 89480a73a4c13bc06dd36ec5117fd12057a963acf62198fe68937e1a705efd8a
                • Opcode Fuzzy Hash: 44d26e9e9ba133ee68a08c3952953bffe18cd99207cb786331fc2a9fb53e8b28
                • Instruction Fuzzy Hash: E8F0EC31015744EBDB265F69ED5C7BC3FA5EB11322F088254FA6A650F0C7748996DF20
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: __freea$_free
                • String ID: a/p$am/pm
                • API String ID: 3432400110-3206640213
                • Opcode ID: 65cec1ac7b2ccc76cf53d8982f6f3580768245f2e74c8d85e28144f738648a86
                • Instruction ID: 8063c240f2e7b9307d505d88005285abffa36cd08963edfe08d026a61576d4e0
                • Opcode Fuzzy Hash: 65cec1ac7b2ccc76cf53d8982f6f3580768245f2e74c8d85e28144f738648a86
                • Instruction Fuzzy Hash: 23D1E131900206BADB289F6CC895BBAF7F1EF05710F24499BE505AB751F3359D80CB65
                APIs
                  • Part of subcall function 00BC0242: EnterCriticalSection.KERNEL32(00C7070C,00C71884,?,?,00BB198B,00C72518,?,?,?,00BA12F9,00000000), ref: 00BC024D
                  • Part of subcall function 00BC0242: LeaveCriticalSection.KERNEL32(00C7070C,?,00BB198B,00C72518,?,?,?,00BA12F9,00000000), ref: 00BC028A
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                  • Part of subcall function 00BC00A3: __onexit.LIBCMT ref: 00BC00A9
                • __Init_thread_footer.LIBCMT ref: 00C27BFB
                  • Part of subcall function 00BC01F8: EnterCriticalSection.KERNEL32(00C7070C,?,?,00BB8747,00C72514), ref: 00BC0202
                  • Part of subcall function 00BC01F8: LeaveCriticalSection.KERNEL32(00C7070C,?,00BB8747,00C72514), ref: 00BC0235
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                • String ID: 5$G$Variable must be of type 'Object'.
                • API String ID: 535116098-3733170431
                • Opcode ID: f9aa8f988b34ccca24c5b1d353cb269c7f7fb9542ac5d759b1822da642ba076c
                • Instruction ID: 6eaae023dc6b296db55037e3ea1a54a0f9e60bc263cd9c478618dd433ee2d552
                • Opcode Fuzzy Hash: f9aa8f988b34ccca24c5b1d353cb269c7f7fb9542ac5d759b1822da642ba076c
                • Instruction Fuzzy Hash: CB918A70A04219EFCB14EF94E8D19BDB7B1FF49300F108199F816AB6A2DB71AE41DB51
                APIs
                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\pagamento.exe,00000104), ref: 00BD1769
                • _free.LIBCMT ref: 00BD1834
                • _free.LIBCMT ref: 00BD183E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _free$FileModuleName
                • String ID: C:\Users\user\Desktop\pagamento.exe
                • API String ID: 2506810119-1260009302
                • Opcode ID: 8ad7a1ca8e9ee5b7e70e3ed3caf2b9168da0b5b0376b72a3abbf79e3839df700
                • Instruction ID: 00b63d2289d0ec3b913b9b03172150365ea773c9383adc7f4e35c402db33addb
                • Opcode Fuzzy Hash: 8ad7a1ca8e9ee5b7e70e3ed3caf2b9168da0b5b0376b72a3abbf79e3839df700
                • Instruction Fuzzy Hash: A1319CB5A00248BBDB21DB9D9885E9EFBFCEB85310B1445E7F80497321E6708E80DB90
                APIs
                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C0C306
                • DeleteMenu.USER32(?,00000007,00000000), ref: 00C0C34C
                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C71990,01678AC0), ref: 00C0C395
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Menu$Delete$InfoItem
                • String ID: 0
                • API String ID: 135850232-4108050209
                • Opcode ID: d04f42c04cd5929287a23ee1f4115a2de681169ce16dfe64838f2ae557229ce5
                • Instruction ID: fdfa5f3334d085cd5b069189f1f650456f77e8ad39ca2ae8047e27b74cfaa86b
                • Opcode Fuzzy Hash: d04f42c04cd5929287a23ee1f4115a2de681169ce16dfe64838f2ae557229ce5
                • Instruction Fuzzy Hash: F1417C312143019FDB20DF25D8C4B9EBBE4AB85320F148B5EF9A5972E1D730EA04DB62
                APIs
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C3CC08,00000000,?,?,?,?), ref: 00C344AA
                • GetWindowLongW.USER32 ref: 00C344C7
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C344D7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$Long
                • String ID: SysTreeView32
                • API String ID: 847901565-1698111956
                • Opcode ID: dbe4d67f5998f918d1105d9fb7bd04e6d471441017d679d358c383a2a8e963fc
                • Instruction ID: 6a5b270b58ab4e2663549b3b1e6c47aa9ce1201763999c9517ab0dc35f90e8b7
                • Opcode Fuzzy Hash: dbe4d67f5998f918d1105d9fb7bd04e6d471441017d679d358c383a2a8e963fc
                • Instruction Fuzzy Hash: BA318B32220205AFDB249E38DC85BEA7BA9EB09334F204725F979E21E0D770ED509B50
                APIs
                  • Part of subcall function 00C2335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C23077,?,?), ref: 00C23378
                • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
                • _wcslen.LIBCMT ref: 00C2309B
                • htons.WSOCK32(00000000,?,?,00000000), ref: 00C23106
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                • String ID: 255.255.255.255
                • API String ID: 946324512-2422070025
                • Opcode ID: 331a431b93b247596c551ddac7e9eed140ab169b56fc607aa9faf29cb7cb803d
                • Instruction ID: 4098ebcfba9ccdc37f1c3695bcc2bb377ec2a0ced45a6302347ca9f3c9c07069
                • Opcode Fuzzy Hash: 331a431b93b247596c551ddac7e9eed140ab169b56fc607aa9faf29cb7cb803d
                • Instruction Fuzzy Hash: 7431E4352042A19FCB10CF68D485FA977E0EF54318F248099E8258BB92CB79DF41C771
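Why the literal "255.255.255.255" sits next to `inet_addr` and `_wcslen` in the record above: `inet_addr()` (Winsock and POSIX alike) returns INADDR_NONE, 0xFFFFFFFF, for a string it cannot parse, and 0xFFFFFFFF is also the packed form of the limited-broadcast address, so the return value alone cannot separate the two and a caller has to compare the input text before trusting the sentinel. That this particular function does so is an inference from the string literal, not something the API list proves. The Python below is an added example, not code from the analysed sample or from AutoIt: Python has no `inet_addr`, so the example rebuilds its contract on `socket.inet_aton` (same address grammar, but it raises instead of returning a sentinel), shows the collision, and contrasts the literal pre-check with the strict `inet_pton` parse that removes the ambiguity.

```python
"""inet_addr()'s INADDR_NONE sentinel collides with 255.255.255.255. Added example; not code
from the analysed sample or from AutoIt. inet_addr() is rebuilt here on socket.inet_aton(),
which accepts the same address grammar but raises OSError instead of returning a sentinel."""
import socket
import struct

INADDR_NONE = 0xFFFFFFFF   # what inet_addr() returns for a string it cannot parse


def inet_addr(text):
    """Mirror of the C inet_addr() contract: the packed address as an integer, or INADDR_NONE."""
    try:
        return struct.unpack("!I", socket.inet_aton(text))[0]
    except OSError:
        return INADDR_NONE


def naive_is_valid(text):
    """The bug: treating INADDR_NONE as 'parse failed' also rejects the broadcast address."""
    return inet_addr(text) != INADDR_NONE


def parse_ipv4_legacy(text):
    """What a caller stuck with inet_addr() has to do: compare the literal before trusting
    the sentinel. Incomplete on most libcs, because inet_aton/inet_addr also accept short
    forms ("4294967295", "255.255.65535") that pack to 0xFFFFFFFF and slip past this test."""
    value = inet_addr(text)
    if value == INADDR_NONE and text != "255.255.255.255":
        return (False, None)
    return (True, value)


def parse_ipv4_strict(text):
    """The fix: inet_pton() accepts dotted quads only and reports failure out of band."""
    try:
        return (True, struct.unpack("!I", socket.inet_pton(socket.AF_INET, text))[0])
    except OSError:
        return (False, None)


if __name__ == "__main__":
    for s in ("10.0.0.1", "255.255.255.255", "not.an.ip"):
        print(f"{s:>16}: naive={naive_is_valid(s)!s:5} legacy={parse_ipv4_legacy(s)} "
              f"strict={parse_ipv4_strict(s)}")
```

The packed bytes make the collision concrete: `socket.inet_aton("255.255.255.255")` is `b"\xff\xff\xff\xff"`, which is exactly the INADDR_NONE sentinel, so any code path that keys on the return value of `inet_addr` alone will misclassify the broadcast address, and the string compare is the only repair available without switching to `inet_pton`.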
                APIs
                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C34705
                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C34713
                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C3471A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$DestroyWindow
                • String ID: msctls_updown32
                • API String ID: 4014797782-2298589950
                • Opcode ID: e9dd0a124faf54cdd79805f33bcd5ded5f451ced5822efc2a68a74c70c4d6fbb
                • Instruction ID: 9ae51823dabf94eee500964f8eb16bc3e2515e1b8795ae1c3cb4a3194380a4ff
                • Opcode Fuzzy Hash: e9dd0a124faf54cdd79805f33bcd5ded5f451ced5822efc2a68a74c70c4d6fbb
                • Instruction Fuzzy Hash: FB215CB5610208AFDB14DF68DCD1EAB37ADEB5A3A4B040059FA149B291CB70FD51CA60
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                • API String ID: 176396367-2734436370
                • Opcode ID: cc8d939a323c616dbc2fdbdfb3b2ae43b93578639d5887e51b0a71b6cb77987a
                • Instruction ID: ef4fe21b12cf4fc87903da8a633e737f738678e5b29aba922b1daeb99915007f
                • Opcode Fuzzy Hash: cc8d939a323c616dbc2fdbdfb3b2ae43b93578639d5887e51b0a71b6cb77987a
                • Instruction Fuzzy Hash: 2D212B72208511A7D731BB299C02FB773D8DF55310F14442AF959971C3EBB29E41D2D5
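The records above are a flat list of function-level API call sites; what an analyst wants from them is the handful of chains worth opening in the disassembler. The Python script below is an added example, not part of the Joe Sandbox report and not code from the AutoIt runtime or the sample. It parses records in exactly the textual shape used on this page and flags four of them: the QueryPerformanceCounter/Sleep/QueryPerformanceCounter sequence (the shape of a sleep-acceleration check, reported only as a candidate because a precise timer produces the same chain), GetTokenInformation with its class decoded from the numeric argument rather than from any label printed next to it, the inet_addr/htons pair, and the AutoIt directive strings. The heuristics, the label text and the SAMPLE input (a constructed subset, copied in shape from the records above) are the example's own.

```python
"""Triage pass over Joe Sandbox per-function API records in the textual shape used on this
page. Added example: not code from the Joe Sandbox report, from AutoIt or from the analysed
sample. Heuristics, labels and the SAMPLE text (a constructed subset, copied in shape from
the records above) are this example's own."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# "• API.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function XXXX:".
# Args are optional ("_free.LIBCMT ref: ..."); the greedy .* keeps nested parens such as
# "00000003(TokenPrivileges)" inside the argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD = re.compile(r"^\s*•\s*(API ID|String ID):\s*(.*)$")
ARG = re.compile(r"^([0-9A-Fa-f]{8})(?:\((\w+)\))?$")   # "00000003" or "00000003(Label)"

# TOKEN_INFORMATION_CLASS values from winnt.h (subset). The number is what the code passed;
# a label printed next to it is decoration and is checked against this table.
TOKEN_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
               8: "TokenType", 12: "TokenSessionId", 18: "TokenElevationType",
               20: "TokenElevation", 25: "TokenIntegrityLevel"}

Call = namedtuple("Call", "api module args ref sub")   # sub: callee address on subcall lines


@dataclass
class Record:
    calls: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""


def parse_records(text):
    """Split the dump into function records; each record opens with a bare 'APIs' line."""
    records = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(Record())
        elif records and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            records[-1].calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif records and (f := FIELD.match(line)):
            setattr(records[-1], "api_id" if f[1] == "API ID" else "string_id", f[2].strip())
    return records


def triage(text):
    """Return (api_id, ref, label) tuples, one per heuristic that fires per record."""
    findings = []
    for rec in parse_records(text):
        direct = [c for c in rec.calls if c.sub is None]   # the function's own calls only
        names = [c.api for c in direct]
        # 1. QueryPerformanceCounter ... Sleep ... QueryPerformanceCounter inside one function is
        #    the shape of a sleep-acceleration check. Candidate only: a precise timer looks the same.
        qpc = [i for i, n in enumerate(names) if n == "QueryPerformanceCounter"]
        if len(qpc) >= 2 and "Sleep" in names[qpc[0]:qpc[-1]]:
            findings.append((rec.api_id, direct[qpc[0]].ref, "timing-check candidate: QPC/Sleep/QPC"))
        # 2. GetTokenInformation: decode the class number ourselves, then compare with any label.
        for c in direct:
            if c.api == "GetTokenInformation" and len(c.args) > 1 and (m := ARG.match(c.args[1])):
                cls = int(m[1], 16)
                name = TOKEN_CLASS.get(cls, f"class {cls}")
                label = f"token introspection: {name}"
                if m[2] and m[2] != name:
                    label += f" (dump label {m[2]!r} does not match class {cls})"
                findings.append((rec.api_id, c.ref, label))
                break
        # 3. inet_addr and htons in one function: a sockaddr_in built from host and port values.
        if {"inet_addr", "htons"} <= set(names):
            findings.append((rec.api_id, direct[names.index("inet_addr")].ref,
                             "socket address construction: inet_addr/htons"))
        # 4. AutoIt script directives in the string pool mark a compiled-AutoIt runtime.
        if any(d in rec.string_id for d in ("#requireadmin", "#OnAutoItStartRegister", "#notrayicon")):
            findings.append((rec.api_id, "", "AutoIt directive strings: " + rec.string_id))
    return findings


# Constructed subset, copied in shape from the records above.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 00C0E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 00C0E9A5
• Sleep.KERNEL32(00000000), ref: 00C0E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 00C0E9B7
• Sleep.KERNEL32 ref: 00C0E9F3
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00C0102A
• GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00C01036
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
APIs
  • Part of subcall function 00C2335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C23077,?,?), ref: 00C23378
• inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C2307A
• _wcslen.LIBCMT ref: 00C2309B
• htons.WSOCK32(00000000,?,?,00000000), ref: 00C23106
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
APIs
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
"""

if __name__ == "__main__":
    for api_id, ref, label in triage(SAMPLE):
        print(f"{ref or '-':>8}  {label}   [{api_id}]")
```

The whole page can be fed through `triage()` unchanged, because only lines ending in `ref: <address>` and the two ID fields are consumed; subcall lines are kept in the record but excluded from the chain heuristics so that a callee's APIs are not attributed to the caller. Decoding the TOKEN_INFORMATION_CLASS number yourself is what catches a mislabelled argument: the script reports the decoded name and, when a label in the dump disagrees with it, says so next to the finding.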
                APIs
                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C33840
                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C33850
                • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C33876
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$MoveWindow
                • String ID: Listbox
                • API String ID: 3315199576-2633736733
                • Opcode ID: 663084757383357f7672f216179744eab3d5ffd790660410bb8be62a0d1c101c
                • Instruction ID: 5e6e4831bd33944cce6628fc16a0b50c54dfd4668558bc5abaaf25e16aab5c33
                • Opcode Fuzzy Hash: 663084757383357f7672f216179744eab3d5ffd790660410bb8be62a0d1c101c
                • Instruction Fuzzy Hash: F421CF72620218BBEF218F54CC85FBF376EEF8A764F118125FA149B190C671DD528BA0
                APIs
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C02258
                  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C0228A
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C022CA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend$_wcslen
                • String ID: @U=u
                • API String ID: 763830540-2594219639
                • Opcode ID: 720c6044ba5a1d15b4db8f607ffdd7e292996c1c7160daad17cb367b05112999
                • Instruction ID: 49d41e880314e5989604ea0535e3d450f332c2fad1fa8e96eefc39e9ed4fe7fa
                • Opcode Fuzzy Hash: 720c6044ba5a1d15b4db8f607ffdd7e292996c1c7160daad17cb367b05112999
                • Instruction Fuzzy Hash: 0E21D731700304ABDB219B959D8EFEE7BECEB59720F084024FA05E71D0D7709A45DBA1
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 00C14A08
                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C14A5C
                • SetErrorMode.KERNEL32(00000000,?,?,00C3CC08), ref: 00C14AD0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorMode$InformationVolume
                • String ID: %lu
                • API String ID: 2507767853-685833217
                • Opcode ID: a7bf450651168278c408253d37933115a443018dbb2ee250994358b2d379398e
                • Instruction ID: 2272b1026f7e20fcf683b5f03194e8c16eced6a656ebdbe8204faf4e49850ba0
                • Opcode Fuzzy Hash: a7bf450651168278c408253d37933115a443018dbb2ee250994358b2d379398e
                • Instruction Fuzzy Hash: 70319175A00109AFDB10DF54C881EAE7BF8EF09308F1480A5F909EB252D771EE45DB61
                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00C01B4F
                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C01B61
                • SendMessageW.USER32(?,0000000D,?,00000000), ref: 00C01B99
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: ab964e4859666ede0e2277605f8992b7f5ac81d1a40ffad6ef64c5940485f02b
                • Instruction ID: 373162279ba82a7f5b394a299f4b8e20ebf1ef93bf1b041135a497cd5551a7c2
                • Opcode Fuzzy Hash: ab964e4859666ede0e2277605f8992b7f5ac81d1a40ffad6ef64c5940485f02b
                • Instruction Fuzzy Hash: 84218172600119BFDB15DBA9C942EBEF7FAEF44340F1404AAE505E3290EB71AE41CB94
                APIs
                • SendMessageW.USER32(00000402,00000000,00000000), ref: 00C20D24
                • SendMessageW.USER32(0000000C,00000000,?), ref: 00C20D65
                • SendMessageW.USER32(0000000C,00000000,?), ref: 00C20D8D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 60397a01f363913bcfc349622d135f90719a53ce08a4214d8f1e36e0ea1f6ddd
                • Instruction ID: 2c76a15bb95c5db8d577c7f21b9e10298db3ca827266e19cb19d176dc455192c
                • Opcode Fuzzy Hash: 60397a01f363913bcfc349622d135f90719a53ce08a4214d8f1e36e0ea1f6ddd
                • Instruction Fuzzy Hash: B0215935614910AFE710EB68ED95E2AB7F6FF0A310B148456F9199BA72CB30FC50CB90
                APIs
                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C3424F
                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C34264
                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C34271
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: msctls_trackbar32
                • API String ID: 3850602802-1010561917
                • Opcode ID: cbd858fbd2eaa24ac50818df3775eaea653e1b72237b6adcc4de7fca7c92f9b7
                • Instruction ID: 9e814899e714897025e89921477b00a6a0d3dfa114b063c9e283c74935c8c42d
                • Opcode Fuzzy Hash: cbd858fbd2eaa24ac50818df3775eaea653e1b72237b6adcc4de7fca7c92f9b7
                • Instruction Fuzzy Hash: CB11C671250248BFEF205F69CC46FAB3BACEF95B54F110524FA55E60A0D672EC519B10
                APIs
                  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                  • Part of subcall function 00C02DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C02DC5
                  • Part of subcall function 00C02DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C02DD6
                  • Part of subcall function 00C02DA7: GetCurrentThreadId.KERNEL32 ref: 00C02DDD
                  • Part of subcall function 00C02DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C02DE4
                • GetFocus.USER32 ref: 00C02F78
                  • Part of subcall function 00C02DEE: GetParent.USER32(00000000), ref: 00C02DF9
                • GetClassNameW.USER32(?,?,00000100), ref: 00C02FC3
                • EnumChildWindows.USER32(?,00C0303B), ref: 00C02FEB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                • String ID: %s%d
                • API String ID: 1272988791-1110647743
                • Opcode ID: eec4165bb7ae141b7d65f1d4dd3a49746c7a807b852d9c6a380d478e29bac77f
                • Instruction ID: b4b8ecb6d6a6aa27dd643aed4bba8b6e797467d2c396abcb1e52b458dd443ce4
                • Opcode Fuzzy Hash: eec4165bb7ae141b7d65f1d4dd3a49746c7a807b852d9c6a380d478e29bac77f
                • Instruction Fuzzy Hash: 0C1172716002056BCF157F649CCAFED77AAAF95304F044075BA09AB192DE709A45DB70
                APIs
                • GetWindowTextLengthW.USER32(00000000), ref: 00C334AB
                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C334BA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: LengthMessageSendTextWindow
                • String ID: @U=u$edit
                • API String ID: 2978978980-590756393
                • Opcode ID: 192a17871c7fef428afafb6d11f707949065668db80bae8b5ba85f6f27a8dd0f
                • Instruction ID: cfa5176d2bbb5b593207d0392f45fb870b97d01f7c2784c3d8146737b76cc508
                • Opcode Fuzzy Hash: 192a17871c7fef428afafb6d11f707949065668db80bae8b5ba85f6f27a8dd0f
                • Instruction Fuzzy Hash: D8118F71120248ABEB224F64DC84BAB3B6AEB05374F504724F975A71E0C771DE919B50
                APIs
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                  • Part of subcall function 00C03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C03CCA
                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C01D4C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: @U=u$ComboBox$ListBox
                • API String ID: 624084870-2258501812
                • Opcode ID: 3f758af1149362234531755583118dc9fa15d5532fdf1c0ec051a62237f6cbfe
                • Instruction ID: 061ec5e997d9d1d7b9f20a900aae17b42b19778aae81aa6607840c1fc3d1dc49
                • Opcode Fuzzy Hash: 3f758af1149362234531755583118dc9fa15d5532fdf1c0ec051a62237f6cbfe
                • Instruction Fuzzy Hash: 3701D471605228ABCB19EBA4CC51DFEB3A8EB473A0B180619FC32672C1EA305908D760
                APIs
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                  • Part of subcall function 00C03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C03CCA
                • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C01C46
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: @U=u$ComboBox$ListBox
                • API String ID: 624084870-2258501812
                • Opcode ID: 768e6563b42978eb04afa4e61229f065055790cd1f08bbfe8491d5ff4d324a93
                • Instruction ID: f1ffbc064279bb18975db05bbdc6b1c308cfab6e3af4a49180d5f0c1df5c0162
                • Opcode Fuzzy Hash: 768e6563b42978eb04afa4e61229f065055790cd1f08bbfe8491d5ff4d324a93
                • Instruction Fuzzy Hash: 7C01A77568510467DB18EB90C952AFFB7E8DB52380F140019B816772C1EA24DF48D6B1
                APIs
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                  • Part of subcall function 00C03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C03CCA
                • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C01CC8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ClassMessageNameSend_wcslen
                • String ID: @U=u$ComboBox$ListBox
                • API String ID: 624084870-2258501812
                • Opcode ID: 6c8f5f2e2e6a26937f81e93df637685d4e2ee9f4fa7cea92ba2f9733ce268f95
                • Instruction ID: a5e7d2cf3045f26952dc37a8d28546ea72473b91310dc4ea65cdf479de039b12
                • Opcode Fuzzy Hash: 6c8f5f2e2e6a26937f81e93df637685d4e2ee9f4fa7cea92ba2f9733ce268f95
                • Instruction Fuzzy Hash: BD018675695128A7EF14EBA5CA52AFEB7EC9B12380F180015BC12B32C1EA65DF08D671
                APIs
                • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C358C1
                • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C358EE
                • DrawMenuBar.USER32(?), ref: 00C358FD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Menu$InfoItem$Draw
                • String ID: 0
                • API String ID: 3227129158-4108050209
                • Opcode ID: 996380eea18bb287756a7796973635f0b5ef7e2eeaf5cf78e86988c2a0e2724b
                • Instruction ID: 30e101c444470bae442b3506fbc3b6b9aa4b6d27a737faba03fcee13a4a619f5
                • Opcode Fuzzy Hash: 996380eea18bb287756a7796973635f0b5ef7e2eeaf5cf78e86988c2a0e2724b
                • Instruction Fuzzy Hash: 18016972520218EFDB219F21DC44BFEBBB4FB45360F1080A9E849E6151DB708A95EF21
                APIs
                • GetForegroundWindow.USER32(?,00C718B0,00C3A364,000000FC,?,00000000,00000000,?,?,?,00BF76CF,?,?,?,?,?), ref: 00C37805
                • GetFocus.USER32 ref: 00C3780D
                  • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                  • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                • SendMessageW.USER32(01681760,000000B0,000001BC,000001C0), ref: 00C3787A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$Long$FocusForegroundMessageSend
                • String ID: @U=u
                • API String ID: 3601265619-2594219639
                • Opcode ID: 47f4245a78c8662b881dc14b87b01aded98ede9906cee19dfd8f005cc0c5c566
                • Instruction ID: c118916e0fb0741ca2503bcfe93be269bca29383d9eacc80dc1ca15ff580e8b8
                • Opcode Fuzzy Hash: 47f4245a78c8662b881dc14b87b01aded98ede9906cee19dfd8f005cc0c5c566
                • Instruction Fuzzy Hash: E7018F716112009FC739DB28D898BBA33F6AF8A320F18436DE525972E0CB316D42CF41
                APIs
                • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00BFD3BF
                • FreeLibrary.KERNEL32 ref: 00BFD3E5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: AddressFreeLibraryProc
                • String ID: GetSystemWow64DirectoryW$X64
                • API String ID: 3013587201-2590602151
                • Opcode ID: 26eba1617530efadedc704099b96bbff56f097d0d52f77b1a0939bc82807726e
                • Instruction ID: 767de14f08b4e44d912c147f8d49315c5cdf8d0b5c2ce64b0e4083477a5f108a
                • Opcode Fuzzy Hash: 26eba1617530efadedc704099b96bbff56f097d0d52f77b1a0939bc82807726e
                • Instruction Fuzzy Hash: 19E04F7290252A9BD6715710CCD4BBE72E5AF10B01F8445D4FA02F7148EB64CD086BD5
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a7ec8244e8bea8500c760ef220877795a57e01db9042bd377f6d45528f157712
                • Instruction ID: 19abc86af8ad034c24ed1347fc445eee32b25baf650a3249c10215a703b6a5b5
                • Opcode Fuzzy Hash: a7ec8244e8bea8500c760ef220877795a57e01db9042bd377f6d45528f157712
                • Instruction Fuzzy Hash: 19C13A75A0020AEFDB15CF94C898BAEB7B5FF48704F218598E515EB2A1D731DE81CB90
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Variant$ClearInitInitializeUninitialize
                • String ID:
                • API String ID: 1998397398-0
                • Opcode ID: a4a123c53dc1720ddc091adb03344b436b7915b38dc6adf06936e163966f7a75
                • Instruction ID: 3dcbd650a6fb7fb3c18eb68a0f105085f8bc764f38018dd97ad255148706a65d
                • Opcode Fuzzy Hash: a4a123c53dc1720ddc091adb03344b436b7915b38dc6adf06936e163966f7a75
                • Instruction Fuzzy Hash: 39A160756183109FC700EF24D895A2AB7E5FF89710F04889DF99A9B362DB34EE01CB51
                APIs
                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C3FC08,?), ref: 00C005F0
                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C3FC08,?), ref: 00C00608
                • CLSIDFromProgID.OLE32(?,?,00000000,00C3CC40,000000FF,?,00000000,00000800,00000000,?,00C3FC08,?), ref: 00C0062D
                • _memcmp.LIBVCRUNTIME ref: 00C0064E
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: FromProg$FreeTask_memcmp
                • String ID:
                • API String ID: 314563124-0
                • Opcode ID: 8036c798561b1eb3e658ee3408509af4021c7f12f5f6705101cfd34d4f6616ef
                • Instruction ID: 1aeaeb202f84206570ec4f16acc8cf9e971c845cb64d31dd6bfec30c37236a31
                • Opcode Fuzzy Hash: 8036c798561b1eb3e658ee3408509af4021c7f12f5f6705101cfd34d4f6616ef
                • Instruction Fuzzy Hash: 23810B71A00109EFCB04DF94C984EEEB7B9FF89315F214598F516AB290DB71AE46CB60
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 520cdcb6ad549562c5242fbe61fd4ef244021620e926c9e2cd6b34d659099cc5
                • Instruction ID: 536a211250805b93851b478e081f52b8e4bf64879f4f4193f9b3da644ac8e43d
                • Opcode Fuzzy Hash: 520cdcb6ad549562c5242fbe61fd4ef244021620e926c9e2cd6b34d659099cc5
                • Instruction Fuzzy Hash: 79414D35600591ABDB216BBE8C85FBE3AF5EF41330F344AEAF419D63D2E73448419A61
                APIs
                • socket.WSOCK32(00000002,00000002,00000011), ref: 00C21AFD
                • WSAGetLastError.WSOCK32 ref: 00C21B0B
                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C21B8A
                • WSAGetLastError.WSOCK32 ref: 00C21B94
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorLast$socket
                • String ID:
                • API String ID: 1881357543-0
                • Opcode ID: 413e89300a482c6dbc2e5b27f16039314d3ab90c93e92e82b59fe8b83ebb243a
                • Instruction ID: 34dd0ae74a8f99892c233a5d402ef92c9f7171b543b960df5dadaabfaa34b87f
                • Opcode Fuzzy Hash: 413e89300a482c6dbc2e5b27f16039314d3ab90c93e92e82b59fe8b83ebb243a
                • Instruction Fuzzy Hash: B341D274640210AFE720AF24D886F3A77E5AB45718F588488F92A9F7D3D772DD418B90
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cb43fc115f1efda2aa4526e2fdc32c2f6273ef7dc272ce26e137ca6d05ec1dc9
                • Instruction ID: 35adf8395adfbae753172781870d14cb318d63e08712ae301621d858efa05b09
                • Opcode Fuzzy Hash: cb43fc115f1efda2aa4526e2fdc32c2f6273ef7dc272ce26e137ca6d05ec1dc9
                • Instruction Fuzzy Hash: B641C175A00644EFD724EF78C841FAABBE9EB88710F2145AFF551DB382E77199018B90
                APIs
                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C15783
                • GetLastError.KERNEL32(?,00000000), ref: 00C157A9
                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C157CE
                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C157FA
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CreateHardLink$DeleteErrorFileLast
                • String ID:
                • API String ID: 3321077145-0
                • Opcode ID: 59a6ac7422a2270336d9362c51ad612674a1edc29c0dae8ee7c2b536aac3cd8d
                • Instruction ID: b250cff0909042054e6df5850588749d0bf2ec87618f41908877776d00bf9ab1
                • Opcode Fuzzy Hash: 59a6ac7422a2270336d9362c51ad612674a1edc29c0dae8ee7c2b536aac3cd8d
                • Instruction Fuzzy Hash: BD415E35654610DFCB11EF15C495A5EBBE2EF9A320F18C488E85AAB362CB31FD40DB91
                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00BC6D71,00000000,00000000,00BC82D9,?,00BC82D9,?,00000001,00BC6D71,8BE85006,00000001,00BC82D9,00BC82D9), ref: 00BDD910
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BDD999
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BDD9AB
                • __freea.LIBCMT ref: 00BDD9B4
                  • Part of subcall function 00BD3820: RtlAllocateHeap.NTDLL(00000000,?,00C71444,?,00BBFDF5,?,?,00BAA976,00000010,00C71440,00BA13FC,?,00BA13C6,?,00BA1129), ref: 00BD3852
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                • String ID:
                • API String ID: 2652629310-0
                • Opcode ID: 4be2b48f5f414dacc0d758cc473fea8264912934b1064e1fe070091f3b14ae06
                • Instruction ID: f90f399dd50dc92f926e8b3551826f0670516352f292e06ccabe85aa61e65d2b
                • Opcode Fuzzy Hash: 4be2b48f5f414dacc0d758cc473fea8264912934b1064e1fe070091f3b14ae06
                • Instruction Fuzzy Hash: 5831E172A0020AABDF24DF65DC91EAEBBE5EB40310F0502A9FC44D7250EB3ADD50CB90
                APIs
                • GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00C0ABF1
                • SetKeyboardState.USER32(00000080,?,00008000), ref: 00C0AC0D
                • PostMessageW.USER32(00000000,00000101,00000000), ref: 00C0AC74
                • SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00C0ACC6
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                • Opcode ID: 528ca6048dc14900e78d64a7bbcdfefa3f4d9abdbafb343e5dfdb57a272ff45a
                • Instruction ID: 28d9d03224f40d0905ffc0acb22d2c500be22e6c4f2514e72eaf62849703ca14
                • Opcode Fuzzy Hash: 528ca6048dc14900e78d64a7bbcdfefa3f4d9abdbafb343e5dfdb57a272ff45a
                • Instruction Fuzzy Hash: FE310530A04718AFFF35CB65CC097FE7BA5AB89310F05431AE4A5961D1C3768B85D792
                APIs
                • ClientToScreen.USER32(?,?), ref: 00C3769A
                • GetWindowRect.USER32(?,?), ref: 00C37710
                • PtInRect.USER32(?,?,00C38B89), ref: 00C37720
                • MessageBeep.USER32(00000000), ref: 00C3778C
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Rect$BeepClientMessageScreenWindow
                • String ID:
                • API String ID: 1352109105-0
                • Opcode ID: cb5987ff9894e62bc578704a14dc21af3eb1284c3729f69ed5dd95898b4b7f08
                • Instruction ID: 3f5ed2dc6eeb21ee92ee50e2c973ab54d037fbd76f82430fa11e0ad702b4c7f5
                • Opcode Fuzzy Hash: cb5987ff9894e62bc578704a14dc21af3eb1284c3729f69ed5dd95898b4b7f08
                • Instruction Fuzzy Hash: F84182B4615214EFCB22CF58C895FAD77F5FB4A314F1942A8E9259B261C730A942CF90
                APIs
                • GetForegroundWindow.USER32 ref: 00C316EB
                  • Part of subcall function 00C03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C03A57
                  • Part of subcall function 00C03A3D: GetCurrentThreadId.KERNEL32 ref: 00C03A5E
                  • Part of subcall function 00C03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C025B3), ref: 00C03A65
                • GetCaretPos.USER32(?), ref: 00C316FF
                • ClientToScreen.USER32(00000000,?), ref: 00C3174C
                • GetForegroundWindow.USER32 ref: 00C31752
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                • String ID:
                • API String ID: 2759813231-0
                • Opcode ID: 8fe41b99b2ce8f7aed3aabfd19ff32e6b42726e7e542d2fb72fc9801b2c28a07
                • Instruction ID: ef2ccf1c91bd1a1bb693f3af0610933e0873e48032dae4aa165a6c4e6bf166d8
                • Opcode Fuzzy Hash: 8fe41b99b2ce8f7aed3aabfd19ff32e6b42726e7e542d2fb72fc9801b2c28a07
                • Instruction Fuzzy Hash: FC315071E14149AFCB00EFA9C8C1DAEBBFDEF49304B5480AAE415E7211DB319E45CBA0
                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 00C0D501
                • Process32FirstW.KERNEL32(00000000,?), ref: 00C0D50F
                • Process32NextW.KERNEL32(00000000,?), ref: 00C0D52F
                • CloseHandle.KERNEL32(00000000), ref: 00C0D5DC
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID:
                • API String ID: 420147892-0
                • Opcode ID: d5b504ebaa1e9f3c8c6fe458206d17e46f9dd142a71e7e9139161a9c97dbd60b
                • Instruction ID: 31cf465ecb248201f34f7cb62d760e17c47b97dc56c7b52888c4d7e03f5d1813
                • Opcode Fuzzy Hash: d5b504ebaa1e9f3c8c6fe458206d17e46f9dd142a71e7e9139161a9c97dbd60b
                • Instruction Fuzzy Hash: AA31A2711083009FD300EF54CC81BAFBBF8EF9A394F14096DF592961A1EB719A45DBA2
                APIs
                  • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                • GetCursorPos.USER32(?), ref: 00C39001
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BF7711,?,?,?,?,?), ref: 00C39016
                • GetCursorPos.USER32(?), ref: 00C3905E
                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BF7711,?,?,?), ref: 00C39094
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Cursor$LongMenuPopupProcTrackWindow
                • String ID:
                • API String ID: 2864067406-0
                • Opcode ID: 671032604aef52b406a374da5eb718b3b43067c39ad9ab3ca45991fcb191253b
                • Instruction ID: 9962df3fdd35bb8345cf50ff62c3762df20266b21077667121f7ba71c07ee0bb
                • Opcode Fuzzy Hash: 671032604aef52b406a374da5eb718b3b43067c39ad9ab3ca45991fcb191253b
                • Instruction Fuzzy Hash: 3721D135610118EFCB298F98CC98FFE3BB9EF49360F044055F91557261C7719A90EB60
                APIs
                • GetFileAttributesW.KERNEL32(?,00C3CB68), ref: 00C0D2FB
                • GetLastError.KERNEL32 ref: 00C0D30A
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C0D319
                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C3CB68), ref: 00C0D376
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CreateDirectory$AttributesErrorFileLast
                • String ID:
                • API String ID: 2267087916-0
                • Opcode ID: d2dbd6fe5765b7a881bdc36361bddb53e2c1e6670e2245760ab3368c40b71863
                • Instruction ID: 43b9421a44599c5b424f930376e7fd43dff73720295812526f56aa148edbe27f
                • Opcode Fuzzy Hash: d2dbd6fe5765b7a881bdc36361bddb53e2c1e6670e2245760ab3368c40b71863
                • Instruction Fuzzy Hash: 0D219C705083019FC700DF68C8819AEB7F8AE5A764F104A5DF4AAD32E1DB31DA46CB93
                APIs
                  • Part of subcall function 00C01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C0102A
                  • Part of subcall function 00C01014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C01036
                  • Part of subcall function 00C01014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C01045
                  • Part of subcall function 00C01014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C0104C
                  • Part of subcall function 00C01014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C01062
                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C015BE
                • _memcmp.LIBVCRUNTIME ref: 00C015E1
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C01617
                • HeapFree.KERNEL32(00000000), ref: 00C0161E
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                • String ID:
                • API String ID: 1592001646-0
                • Opcode ID: b91f20ba3d271aafd18b33b20d932ceb4232ba6567bcf07b63f5c88e0f37d320
                • Instruction ID: 465ae430702812ac6423dd852e38a032985023cbd945223f83b3390c0184fcb5
                • Opcode Fuzzy Hash: b91f20ba3d271aafd18b33b20d932ceb4232ba6567bcf07b63f5c88e0f37d320
                • Instruction Fuzzy Hash: 5E216931E00108AFDB14DFA4C985BEEB7B8EF44354F084459E851AB281E731AA45DBA0
                APIs
                • GetWindowLongW.USER32(?,000000EC), ref: 00C3280A
                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C32824
                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C32832
                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C32840
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$Long$AttributesLayered
                • String ID:
                • API String ID: 2169480361-0
                • Opcode ID: 59ad1b82efc54d80cb7988d8c970b07ca76d0748fdc7320fe5edff90f000a1bc
                • Instruction ID: f6943ed6cb8cb8e74753b45defa50bdd807a799a031c1af2f5fda361df7a4a13
                • Opcode Fuzzy Hash: 59ad1b82efc54d80cb7988d8c970b07ca76d0748fdc7320fe5edff90f000a1bc
                • Instruction Fuzzy Hash: 7421D332228111AFDB149B24C895FAA7B95FF46324F148158F4268B6E2C771FD82C791
                APIs
                  • Part of subcall function 00C08D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C0790A,?,000000FF,?,00C08754,00000000,?,0000001C,?,?), ref: 00C08D8C
                  • Part of subcall function 00C08D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00C08DB2
                  • Part of subcall function 00C08D7D: lstrcmpiW.KERNEL32(00000000,?,00C0790A,?,000000FF,?,00C08754,00000000,?,0000001C,?,?), ref: 00C08DE3
                • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C08754,00000000,?,0000001C,?,?,00000000), ref: 00C07923
                • lstrcpyW.KERNEL32(00000000,?), ref: 00C07949
                • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C08754,00000000,?,0000001C,?,?,00000000), ref: 00C07984
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: lstrcmpilstrcpylstrlen
                • String ID: cdecl
                • API String ID: 4031866154-3896280584
                • Opcode ID: b9413c240070f0aff3b516536f00417880cceb085bbf46481264e767e03e3d2c
                • Instruction ID: 036f430289170e3178c43a05ef5b99fc5fb8f567bddf945a25400278e0570f42
                • Opcode Fuzzy Hash: b9413c240070f0aff3b516536f00417880cceb085bbf46481264e767e03e3d2c
                • Instruction Fuzzy Hash: DF11063A200302ABCF156F34DC45E7E77A9FF45350B00412AF842C72A4EB31D911D7A1
                APIs
                • GetWindowLongW.USER32(?,000000F0), ref: 00C37D0B
                • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00C37D2A
                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C37D42
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C1B7AD,00000000), ref: 00C37D6B
                  • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Window$Long
                • String ID:
                • API String ID: 847901565-0
                • Opcode ID: b49ce03331241c2a792d6e548d436e8aa3189f11156873c369901b3062a0b1d9
                • Instruction ID: 914d4ebeb63152ef623ed7262d62a489cee38c533a10fceef9b0892cddfe0d23
                • Opcode Fuzzy Hash: b49ce03331241c2a792d6e548d436e8aa3189f11156873c369901b3062a0b1d9
                • Instruction Fuzzy Hash: 6E11DF72224654AFCB208F28CC04BAA3BA4AF453B0F258324FD39D72F0D7308A51DB40
                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00C01A47
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C01A59
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C01A6F
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C01A8A
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 050af3e10a543b592f07ed3d59a445f24eb7956903b2c76e1e3e766eb9a7616d
                • Instruction ID: 57961d7aec1394256abeabe10ff5804486d9bc5bf038ae1b6a6c40831c1c17ce
                • Opcode Fuzzy Hash: 050af3e10a543b592f07ed3d59a445f24eb7956903b2c76e1e3e766eb9a7616d
                • Instruction Fuzzy Hash: 4011F73AA01219FFEB119BA5CD85FADFB78EB08750F240091EA14B7290D6716F50EB94
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 00C0E1FD
                • MessageBoxW.USER32(?,?,?,?), ref: 00C0E230
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C0E246
                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C0E24D
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                • String ID:
                • API String ID: 2880819207-0
                • Opcode ID: 44c75edaaa2febe3055fe899ece7e5daf2cb950b20b12cc21b8fb77135674053
                • Instruction ID: fcdb60e9f40711340f5460e1b142060804228063922daf3f146eea440bf6f1b9
                • Opcode Fuzzy Hash: 44c75edaaa2febe3055fe899ece7e5daf2cb950b20b12cc21b8fb77135674053
                • Instruction Fuzzy Hash: 5311C876904254BBC7019BAC9C49B9E7FAC9B45324F044669F924E32D1D670CA44C7A0
                APIs
                • CreateThread.KERNEL32(00000000,?,00BCCFF9,00000000,00000004,00000000), ref: 00BCD218
                • GetLastError.KERNEL32 ref: 00BCD224
                • __dosmaperr.LIBCMT ref: 00BCD22B
                • ResumeThread.KERNEL32(00000000), ref: 00BCD249
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Thread$CreateErrorLastResume__dosmaperr
                • String ID:
                • API String ID: 173952441-0
                • Opcode ID: 28f15ff2a8e5e30287cf0f073ddf3d8f00d9a52db8e2b0884b4e7ca187236b76
                • Instruction ID: 616595278a69d60f055009694e05547546e177fc8e3851d5b7a4d81a3b9d1e30
                • Opcode Fuzzy Hash: 28f15ff2a8e5e30287cf0f073ddf3d8f00d9a52db8e2b0884b4e7ca187236b76
                • Instruction Fuzzy Hash: DE01D67A4051047BC7115BA5DC49FAE7AEDDF81331F1002ADF925AA1E0DB70C901D7A0
                APIs
                • ___BuildCatchObject.LIBVCRUNTIME ref: 00BC3B56
                  • Part of subcall function 00BC3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00BC3AD2
                  • Part of subcall function 00BC3AA3: ___AdjustPointer.LIBCMT ref: 00BC3AED
                • _UnwindNestedFrames.LIBCMT ref: 00BC3B6B
                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00BC3B7C
                • CallCatchBlock.LIBVCRUNTIME ref: 00BC3BA4
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                • String ID:
                • API String ID: 737400349-0
                • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                • Instruction ID: 9cd57fbded81cc45a84f9107489d06b73e5915930c558d470c172a5c4bcf4694
                • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                • Instruction Fuzzy Hash: C3011732100148BBDF125E95CC42EEB7BEDEF58B54F448098FE4856121C732E9619BA0
                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00BA13C6,00000000,00000000,?,00BD301A,00BA13C6,00000000,00000000,00000000,?,00BD328B,00000006,FlsSetValue), ref: 00BD30A5
                • GetLastError.KERNEL32(?,00BD301A,00BA13C6,00000000,00000000,00000000,?,00BD328B,00000006,FlsSetValue,00C42290,FlsSetValue,00000000,00000364,?,00BD2E46), ref: 00BD30B1
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BD301A,00BA13C6,00000000,00000000,00000000,?,00BD328B,00000006,FlsSetValue,00C42290,FlsSetValue,00000000), ref: 00BD30BF
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: e0ad2d46bc3e34f75249ba683c5bbc7a48e81dc130e8aa59de783ca87c37d832
                • Instruction ID: 3844657a976c7a76db754bd295f8195f292a9e4745068593cc076d5609913e0d
                • Opcode Fuzzy Hash: e0ad2d46bc3e34f75249ba683c5bbc7a48e81dc130e8aa59de783ca87c37d832
                • Instruction Fuzzy Hash: 7701D436311222ABCB214A78AC84B5FBBD8EF05F61B240662F909F3242E721D901C7E1
                APIs
                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C0747F
                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C07497
                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C074AC
                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C074CA
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Type$Register$FileLoadModuleNameUser
                • String ID:
                • API String ID: 1352324309-0
                • Opcode ID: a3fc5e462275e39806ecf160ed55b41c607037c75e2688191f01d68b4b093142
                • Instruction ID: 83418bb90f4861146e5286638e10f46c4b93d29b7d65cf66817ba4ae1d953ba0
                • Opcode Fuzzy Hash: a3fc5e462275e39806ecf160ed55b41c607037c75e2688191f01d68b4b093142
                • Instruction Fuzzy Hash: 2E11C4B5A053149FE7208F94DC48FAA7FFCEB00B00F108669A666D6191D7B0F944DF60
                APIs
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0C4
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0E9
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B0F3
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C0ACD3,?,00008000), ref: 00C0B126
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CounterPerformanceQuerySleep
                • String ID:
                • API String ID: 2875609808-0
                • Opcode ID: a93d38b4faee127a171df01743514cfa5c56ba0cece8551efd8f7b332897e283
                • Instruction ID: 418d68d1ed86753bbe163a4795936f45b58a11f62645bf22c1c81449d8efdcad
                • Opcode Fuzzy Hash: a93d38b4faee127a171df01743514cfa5c56ba0cece8551efd8f7b332897e283
                • Instruction Fuzzy Hash: 91113971C01928E7CF00EFA5E998BEEBB78FF19711F104085DA51B2181CB309A60DB91
                APIs
                • GetSysColor.USER32(00000008), ref: 00BB98CC
                • SetTextColor.GDI32(?,?), ref: 00BB98D6
                • SetBkMode.GDI32(?,00000001), ref: 00BB98E9
                • GetStockObject.GDI32(00000005), ref: 00BB98F1
                • GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Color$LongModeObjectStockTextWindow
                • String ID:
                • API String ID: 1860813098-0
                • Opcode ID: 4b24206c40f967b7e1ee0692b8fbfb354aba643e1f2f40f9ebad956030a36136
                • Instruction ID: 97ed17d70d1a1e0cc90f8b9e2cb4bd75c155870085e2483ecbf5f99e71a8551a
                • Opcode Fuzzy Hash: 4b24206c40f967b7e1ee0692b8fbfb354aba643e1f2f40f9ebad956030a36136
                • Instruction Fuzzy Hash: B50168336862109BC7128F25ECA5FFE3BA0DB66765B09009DF782DB2A1CBB54981C750
                APIs
                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C02DC5
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C02DD6
                • GetCurrentThreadId.KERNEL32 ref: 00C02DDD
                • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C02DE4
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                • String ID:
                • API String ID: 2710830443-0
                • Opcode ID: c9c52c2a7482a42d1d8b89ee3733b6db7c29eeb9a69e913ba47eb2e097670057
                • Instruction ID: f6f4c6068fa098152cdf3f5f61360fa50b29884920f52dc2a281d1323378ca56
                • Opcode Fuzzy Hash: c9c52c2a7482a42d1d8b89ee3733b6db7c29eeb9a69e913ba47eb2e097670057
                • Instruction Fuzzy Hash: 23E01271511724BBDB201B739C8EFEF7E6CEF56BA1F400115F505E10909AA5C941D7B1
                APIs
                  • Part of subcall function 00BB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB9693
                  • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96A2
                  • Part of subcall function 00BB9639: BeginPath.GDI32(?), ref: 00BB96B9
                  • Part of subcall function 00BB9639: SelectObject.GDI32(?,00000000), ref: 00BB96E2
                • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C38887
                • LineTo.GDI32(?,?,?), ref: 00C38894
                • EndPath.GDI32(?), ref: 00C388A4
                • StrokePath.GDI32(?), ref: 00C388B2
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                • String ID:
                • API String ID: 1539411459-0
                • Opcode ID: d9c9373388bdf2cea086e0ad96db27897078d0799bb066647faee617e0b802b9
                • Instruction ID: cb04907acd1de4c003d39435b199a5d88053c01d3bf1a17d706b81b102169c1f
                • Opcode Fuzzy Hash: d9c9373388bdf2cea086e0ad96db27897078d0799bb066647faee617e0b802b9
                • Instruction Fuzzy Hash: 4AF03A36055658BADB126F98AC09FCE3B69AF06710F048000FB12750E2C7B55651DBA5
                APIs
                • GetSysColor.USER32(00000008), ref: 00BB98CC
                • SetTextColor.GDI32(?,?), ref: 00BB98D6
                • SetBkMode.GDI32(?,00000001), ref: 00BB98E9
                • GetStockObject.GDI32(00000005), ref: 00BB98F1
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Color$ModeObjectStockText
                • String ID:
                • API String ID: 4037423528-0
                • Opcode ID: 09848b27196b1ca2b084e286c1bfa038ee74779f33d45d4e4fa20c39bfb30433
                • Instruction ID: b68195b43489252511bda0ed74c57f76570a7fc7e9d3bebc020e2ac3b7fe46db
                • Opcode Fuzzy Hash: 09848b27196b1ca2b084e286c1bfa038ee74779f33d45d4e4fa20c39bfb30433
                • Instruction Fuzzy Hash: BDE06531254244AEDB215B74AC49BEC3F60EB11335F048259F7F5650E1C7714644AB10
                APIs
                • GetCurrentThread.KERNEL32 ref: 00C01634
                • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C011D9), ref: 00C0163B
                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C011D9), ref: 00C01648
                • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C011D9), ref: 00C0164F
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CurrentOpenProcessThreadToken
                • String ID:
                • API String ID: 3974789173-0
                • Opcode ID: 74efa4270091606be8100f6f508a2d9658c1cb9f7382123b06c7f536d7a5b27f
                • Instruction ID: cf4c3348cc1877c5daed7b1877e49d3afe94742b7e078e3abac7f937259ec3c1
                • Opcode Fuzzy Hash: 74efa4270091606be8100f6f508a2d9658c1cb9f7382123b06c7f536d7a5b27f
                • Instruction Fuzzy Hash: 0DE08C32612211EBD7201FA0AE8DB8F7B7CEF447A2F188808F655E9090E7358544CB60
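The entry above (GetCurrentThread / OpenThreadToken / GetCurrentProcess / OpenProcessToken) and the earlier one with GetWindowThreadProcessId / AttachThreadInput are typical of what an analyst wants to pull out of a report of this length without reading every function by hand. The parser below is an added example, not part of the Joe Sandbox report or of its tooling; SAMPLE_REPORT is constructed from three entries on this page, and the WATCHLIST labels are my own naming for API combinations worth a second look. Caveat for this sample: pagamento.exe is flagged as a compiled AutoIt script, so the functions listed here belong to the AutoIt runtime (its WinActivate, RunAs, Sleep and GUI code), and a runtime that contains OpenProcessToken or AttachThreadInput does not show that the embedded script calls them; that has to come from the extracted script or the runtime behaviour sections of the report.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: three function entries copied in the layout the report uses on this
# page (bullet, API.MODULE(args), "ref:" address; "Part of subcall function" for indirect calls).
SAMPLE_REPORT = """\
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C02DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00C02DD6
• GetCurrentThreadId.KERNEL32 ref: 00C02DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C02DE4
Memory Dump Source
• Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• API String ID: 2710830443-0
APIs
• GetCurrentThread.KERNEL32 ref: 00C01634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00C011D9), ref: 00C0163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C011D9), ref: 00C01648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00C011D9), ref: 00C0164F
Similarity
• API ID: CurrentOpenProcessThreadToken
• API String ID: 3974789173-0
APIs
  • Part of subcall function 00BB9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB9693
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C38887
• LineTo.GDI32(?,?,?), ref: 00C38894
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• API String ID: 1539411459-0
"""

# One API call line: optional "Part of subcall function <addr>:", Name.MODULE, optional
# "(args)", then "ref: <addr>". CRT entries such as __dosmaperr.LIBCMT have no arg list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
API_ID_LINE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>\S*)\s*$")
API_STRING_ID_LINE = re.compile(r"^\s*•\s*API String ID:")  # last line of an entry's Similarity block


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    via_subcall: Optional[str] = None  # callee address when the call is only reached through a subcall


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    api_id: str = ""
    closed: bool = False

    def direct_names(self) -> Set[str]:
        """APIs the function calls itself, ignoring those attributed to subcalls."""
        return {c.name for c in self.calls if c.via_subcall is None}

    def first_direct_ref(self) -> Optional[str]:
        """Lowest direct call-site address, a usable handle for the function in IDA."""
        refs = [c.ref for c in self.calls if c.via_subcall is None]
        return f"{min(refs):08X}" if refs else None


def parse_report(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for line in text.splitlines():
        stripped = line.strip()
        starts_entry = stripped in ("APIs", "Strings") or API_LINE.match(line) or API_ID_LINE.match(line)
        if stripped == "APIs" or ((cur is None or cur.closed) and starts_entry):
            cur = FunctionEntry()
            entries.append(cur)
        if cur is None or cur.closed:
            continue  # Opcode ID / fuzzy hash lines and dump metadata are not needed here
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), m["sub"]))
        elif (m := API_ID_LINE.match(line)):
            cur.api_id = m["id"]
        elif API_STRING_ID_LINE.match(line):
            cur.closed = True
    return entries


# API combinations worth a second look when they occur inside one function. Labels are mine.
WATCHLIST = {
    "input-attach": {"AttachThreadInput", "GetWindowThreadProcessId"},  # drive input / focus of a foreign window
    "token-open":   {"GetCurrentProcess", "OpenProcessToken"},          # start of privilege or impersonation handling
    "timing-loop":  {"QueryPerformanceCounter", "Sleep"},               # high-resolution delay loop
}


def flag_entries(entries: List[FunctionEntry], watchlist=WATCHLIST):
    """Return (label, function address, API ID) for every entry matching a watchlist set."""
    hits = []
    for e in entries:
        names = e.direct_names()
        for label, required in watchlist.items():
            if required <= names:
                hits.append((label, e.first_direct_ref(), e.api_id))
    return hits


def module_histogram(entries: List[FunctionEntry]) -> Counter:
    """How many listed calls land in each DLL / CRT library across the parsed entries."""
    return Counter(c.module for e in entries for c in e.calls)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for label, addr, api_id in flag_entries(parsed):
        print(f"{label:13} function at {addr}  API ID={api_id}")
    print(module_histogram(parsed))
```

Running it on the full report text (the same layout, just more entries) gives the per-function hit list and the library histogram; because the argument values are kept, a second pass can also check constants such as the 0x28 (TOKEN_QUERY | TOKEN_DUPLICATE) passed before OpenProcessToken in the entry above.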
                APIs
                • GetDesktopWindow.USER32 ref: 00BFD858
                • GetDC.USER32(00000000), ref: 00BFD862
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BFD882
                • ReleaseDC.USER32(?), ref: 00BFD8A3
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: 7262bf3a4840767c1e63ca3cfeaf04fa468ab0ddfb5aa5f5ec1bef0ae7e0a18f
                • Instruction ID: cb6f619aac62b18cbf8b7640cacc2efe2ad4cb9ae9ae08284dd15beed07017db
                • Opcode Fuzzy Hash: 7262bf3a4840767c1e63ca3cfeaf04fa468ab0ddfb5aa5f5ec1bef0ae7e0a18f
                • Instruction Fuzzy Hash: 53E0E5B1810204DFCB41AFA0D88976DBBF2AB08310F108049F856A7260C7398905AF40
                APIs
                • GetDesktopWindow.USER32 ref: 00BFD86C
                • GetDC.USER32(00000000), ref: 00BFD876
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BFD882
                • ReleaseDC.USER32(?), ref: 00BFD8A3
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: cb0364d3a3770563c6055c6cca38ad935e2a51238827ccb01190445c81d37970
                • Instruction ID: dbdbc3563191a9768c86078632e61a9e83281ce22ffd3c1cb4049ece75dc3d20
                • Opcode Fuzzy Hash: cb0364d3a3770563c6055c6cca38ad935e2a51238827ccb01190445c81d37970
                • Instruction Fuzzy Hash: 95E012B1810200EFCB40AFA0D88D76DBFF1BB08310F108048F85AF7260CB389901AF40
                APIs
                  • Part of subcall function 00BA7620: _wcslen.LIBCMT ref: 00BA7625
                • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C14ED4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: Connection_wcslen
                • String ID: *$LPT
                • API String ID: 1725874428-3443410124
                • Opcode ID: ee79c4bd49fd86482a66e59e9ce0f091aae7fb6377d43485928178623135a2b3
                • Instruction ID: d86817c19c2b9f8948324cd0fad8c0833a973262111e00f06d1de6643558f259
                • Opcode Fuzzy Hash: ee79c4bd49fd86482a66e59e9ce0f091aae7fb6377d43485928178623135a2b3
                • Instruction Fuzzy Hash: F8915175A042049FCB18DF98C494EE9BBF1BF46304F198099E41A9F392D731EE86DB91
                APIs
                • __startOneArgErrorHandling.LIBCMT ref: 00BCE30D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: ErrorHandling__start
                • String ID: pow
                • API String ID: 3213639722-2276729525
                • Opcode ID: eaa165182c4134573245f3cd454d262ced0853cf536c95a1786993e1fa2b6902
                • Instruction ID: de6120ff4715f0bac8d1289c299f3a3f8154be91922a9b84c457209922f2bc7a
                • Opcode Fuzzy Hash: eaa165182c4134573245f3cd454d262ced0853cf536c95a1786993e1fa2b6902
                • Instruction Fuzzy Hash: 84517BA1A4C201D7DB167714C942BFDABE8EB40740F6449EEF0A5863A9FF34CC859A46
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID:
                • String ID: #
                • API String ID: 0-1885708031
                • Opcode ID: b519695c84752ed5e97e4d638c6b147bd6c1d9816107c9799afeadedb463c193
                • Instruction ID: ac4c021884c078cf4735990cedd3997807001cdabe35f301a15e8e3288b7266a
                • Opcode Fuzzy Hash: b519695c84752ed5e97e4d638c6b147bd6c1d9816107c9799afeadedb463c193
                • Instruction Fuzzy Hash: CD510F7550424A9FDB15EF28C081AFE7BE4EF16310F2440E5E9A19B2E0DA74DD46CBA0
                APIs
                • Sleep.KERNEL32(00000000), ref: 00BBF2A2
                • GlobalMemoryStatusEx.KERNEL32(?), ref: 00BBF2BB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: GlobalMemorySleepStatus
                • String ID: @
                • API String ID: 2783356886-2766056989
                • Opcode ID: 31edefd3ff915d871abf4dc2b349ac77c0ba1ae147ee03559006b058ec49e055
                • Instruction ID: 20a9d03745f036afe3067ad962ee0e52df544b37c577cc08a34bf989ab0a1279
                • Opcode Fuzzy Hash: 31edefd3ff915d871abf4dc2b349ac77c0ba1ae147ee03559006b058ec49e055
                • Instruction Fuzzy Hash: 4551237241C7449BD320AF10DC86BAFBBF8FB85300F81889DF199511A5EB718569CB66
                APIs
                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C029EB
                • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C02A8D
                  • Part of subcall function 00C02C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C02CE0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 679f7b8d18c9101529f41da7606c8894477a0f763dc81464993bff113cdfc802
                • Instruction ID: 3d6c609b236c2a4d89d82acf8cb075487cd24a7cc32667b2ca7c8f7bb1155d4f
                • Opcode Fuzzy Hash: 679f7b8d18c9101529f41da7606c8894477a0f763dc81464993bff113cdfc802
                • Instruction Fuzzy Hash: 52419270A04208ABDF25DF54CC49BEE7BF9AF45750F040069F915A32D1DB709A45DBA2
                APIs
                • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C257E0
                • _wcslen.LIBCMT ref: 00C257EC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1618319254.0000000000BA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true
                • Associated: 00000000.00000002.1618302059.0000000000BA0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C3C000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618368189.0000000000C62000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618407475.0000000000C6C000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1618422641.0000000000C74000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ba0000_pagamento.jbxd
                Similarity
                • API ID: BuffCharUpper_wcslen
                • String ID: CALLARGARRAY
                • API String ID: 157775604-1150593374
                APIs
                • _wcslen.LIBCMT ref: 00C1D130
                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C1D13A
                Strings
                Similarity
                • API ID: CrackInternet_wcslen
                • String ID: |
                • API String ID: 596671847-2343686810
                APIs
                • DestroyWindow.USER32(?,?,?,?), ref: 00C33621
                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C3365C
                Strings
                Similarity
                • API ID: Window$DestroyMove
                • String ID: static
                • API String ID: 2139405536-2160076837
                APIs
                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00C3461F
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C34634
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: '
                • API String ID: 3850602802-1997036262
                APIs
                • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C02884
                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C028B6
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                APIs
                  • Part of subcall function 00C03D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C03D18
                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C03C23
                • _strlen.LIBCMT ref: 00C03C2E
                Strings
                Similarity
                • API ID: MessageSend$Timeout_strlen
                • String ID: @U=u
                • API String ID: 2777139624-2594219639
                APIs
                  • Part of subcall function 00C0ED19: GetLocalTime.KERNEL32 ref: 00C0ED2A
                  • Part of subcall function 00C0ED19: _wcslen.LIBCMT ref: 00C0ED3B
                  • Part of subcall function 00C0ED19: _wcslen.LIBCMT ref: 00C0ED79
                  • Part of subcall function 00C0ED19: _wcslen.LIBCMT ref: 00C0EDAF
                  • Part of subcall function 00C0ED19: _wcslen.LIBCMT ref: 00C0EDDF
                  • Part of subcall function 00C0ED19: _wcslen.LIBCMT ref: 00C0EDEF
                  • Part of subcall function 00C0ED19: _wcslen.LIBCMT ref: 00C0EE2B
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C3340A
                Strings
                Similarity
                • API ID: _wcslen$LocalMessageSendTime
                • String ID: @U=u$SysDateTimePick32
                • API String ID: 2216836867-2530228043
                APIs
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C02178
                  • Part of subcall function 00C0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C0B355
                  • Part of subcall function 00C0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C02194,00000034,?,?,00001004,00000000,00000000), ref: 00C0B365
                  • Part of subcall function 00C0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C02194,00000034,?,?,00001004,00000000,00000000), ref: 00C0B37B
                  • Part of subcall function 00C0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C021D0,?,?,00000034,00000800,?,00000034), ref: 00C0B42D
                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00C021DF
                  • Part of subcall function 00C0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C0B3F8
                Strings
                Similarity
                • API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
                • String ID: @U=u
                • API String ID: 1045663743-2594219639
                APIs
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C3327C
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C33287
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: Combobox
                • API String ID: 3850602802-2096851135
                APIs
                  • Part of subcall function 00BA600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BA604C
                  • Part of subcall function 00BA600E: GetStockObject.GDI32(00000011), ref: 00BA6060
                  • Part of subcall function 00BA600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BA606A
                • GetWindowRect.USER32(00000000,?), ref: 00C3377A
                • GetSysColor.USER32(00000012), ref: 00C33794
                Strings
                Similarity
                • API ID: Window$ColorCreateMessageObjectRectSendStock
                • String ID: static
                • API String ID: 1983116058-2160076837
                APIs
                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C361FC
                • SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00C36225
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                APIs
                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C1CD7D
                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C1CDA6
                Strings
                Similarity
                • API ID: Internet$OpenOption
                • String ID: <local>
                • API String ID: 942729171-4266983199
                APIs
                • SendMessageW.USER32(?,?,?,?), ref: 00C34FCC
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                APIs
                • SendMessageW.USER32(?,00000401,?,00000000), ref: 00C33147
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: @U=u$button
                • API String ID: 3850602802-1762282863
                APIs
                  • Part of subcall function 00BA9CB3: _wcslen.LIBCMT ref: 00BA9CBD
                • CharUpperBuffW.USER32(?,?,?), ref: 00C06CB6
                • _wcslen.LIBCMT ref: 00C06CC2
                Strings
                Similarity
                • API ID: _wcslen$BuffCharUpper
                • String ID: STOP
                • API String ID: 1256254125-2411985666
                APIs
                  • Part of subcall function 00C0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C021D0,?,?,00000034,00000800,?,00000034), ref: 00C0B42D
                • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C0243B
                • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C0245E
                Strings
                Similarity
                • API ID: MessageSend$MemoryProcessWrite
                • String ID: @U=u
                • API String ID: 1195347164-2594219639
                APIs
                • SendMessageW.USER32(?,0000133E,00000000,?), ref: 00C343AF
                • InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00C34408
                Strings
                Similarity
                • API ID: InvalidateMessageRectSend
                • String ID: @U=u
                • API String ID: 909852535-2594219639
                APIs
                • SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00C02531
                • SendMessageW.USER32(?,0000040D,?,00000000), ref: 00C02564
                  • Part of subcall function 00C0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C0B3F8
                  • Part of subcall function 00BA6B57: _wcslen.LIBCMT ref: 00BA6B6A
                Strings
                Similarity
                • API ID: MessageSend$MemoryProcessRead_wcslen
                • String ID: @U=u
                • API String ID: 1083363909-2594219639
                APIs
                  • Part of subcall function 00BB9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB9BB2
                • DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00BF769C,?,?,?), ref: 00C39111
                  • Part of subcall function 00BB9944: GetWindowLongW.USER32(?,000000EB), ref: 00BB9952
                • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00C390F7
                Strings
                Similarity
                • API ID: LongWindow$MessageProcSend
                • String ID: @U=u
                • API String ID: 982171247-2594219639
                • Opcode ID: 12db4defd38a8a09a1323219890c1af2a149a5b96a0379fefa72f0fcce26ab1f
                • Instruction ID: 22dbb65e19fe862afc39d82b5fd76f6f733f2cabe117b8671ea5cdc7edc4ca67
                • Opcode Fuzzy Hash: 12db4defd38a8a09a1323219890c1af2a149a5b96a0379fefa72f0fcce26ab1f
                • Instruction Fuzzy Hash: D401DF31110204ABDB219F18DC89FAA3BB6FF85365F144168FA662B2E1CBB26D51DB50
                APIs
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C02480
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C02497
                  • Part of subcall function 00C023DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C0243B
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 70e0c0db40ff1a86908deaf03d926e7b907f16b399c91569eebefd7d0837358b
                • Instruction ID: 495aed719fd087e4f9c8f1bde92f78e83ef2ae8277e4c16947906d83f536a59c
                • Opcode Fuzzy Hash: 70e0c0db40ff1a86908deaf03d926e7b907f16b399c91569eebefd7d0837358b
                • Instruction Fuzzy Hash: 77F0EC30601121BBEB211B6ADC0FEDFBF6DDF46B60B100024F809A21A1CAA05E41DBA0
                APIs
                Strings
                Similarity
                • API ID: _wcslen
                • String ID: 3, 3, 16, 1
                • API String ID: 176396367-3042988571
                • Opcode ID: 7647b379bdf81c8e697a12c3ca45a3963484305817183a91d74d873492be5428
                • Instruction ID: c7b9243e2adfc6af99938ebea4e0ee49202cef8efdca019843c726be3936bd17
                • Opcode Fuzzy Hash: 7647b379bdf81c8e697a12c3ca45a3963484305817183a91d74d873492be5428
                • Instruction Fuzzy Hash: 3FE02B026043301492313279BCC1EBF56C9CFC5750710193FF981C2266EBE48F9193A0
                APIs
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C02BFA
                • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C02C2A
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 03c9b355fabc8ce7699a2da45183f1a5fe0feccb5024a35f6177a5aad623914d
                • Instruction ID: 2b7e51e6efc2101e6fd64595100978699083e58ad92e4aa401a043db2e6c3d0c
                • Opcode Fuzzy Hash: 03c9b355fabc8ce7699a2da45183f1a5fe0feccb5024a35f6177a5aad623914d
                • Instruction Fuzzy Hash: 93F0A076340304BFFA116B84EC8BFEE7B58EB14761F000024F7056A0D0C9E25C0097A0
                APIs
                  • Part of subcall function 00C0286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C02884
                  • Part of subcall function 00C0286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C028B6
                • SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00C02D80
                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C02D90
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 4c84f2ba075e9906d8d7cde0c2c2f1e9d3d07962abdbe1335f99909e8fb8a2ff
                • Instruction ID: dbef4c1ff66adece810caaf16fbe505791841f4e030e2c12e687d3992e63664b
                • Opcode Fuzzy Hash: 4c84f2ba075e9906d8d7cde0c2c2f1e9d3d07962abdbe1335f99909e8fb8a2ff
                • Instruction Fuzzy Hash: C2E0D83A3443057FF6210B519C8FFAB376CD758B55F100026F304650D1DEA2CC10EA20
                APIs
                • SendMessageW.USER32(?,0000133D,?,?), ref: 00C35855
                • InvalidateRect.USER32(?,?,00000001), ref: 00C35877
                Strings
                Similarity
                • API ID: InvalidateMessageRectSend
                • String ID: @U=u
                • API String ID: 909852535-2594219639
                • Opcode ID: fea5d8dffd011974e104345f705da5e76afb1c72e20a36d4d17d000b1c6b4c67
                • Instruction ID: a41f22d9cac91525b5e888d793455aac824726d70941a3ae48c32855feb5a23c
                • Opcode Fuzzy Hash: fea5d8dffd011974e104345f705da5e76afb1c72e20a36d4d17d000b1c6b4c67
                • Instruction Fuzzy Hash: B5F08272614140AFDB20CB65DC45FEEBBF8EB85321F0441B2E56AE9051D6308B91CF20
                APIs
                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C00B23
                Strings
                Similarity
                • API ID: Message
                • String ID: AutoIt$Error allocating memory.
                • API String ID: 2030045667-4017498283
                • Opcode ID: fe902727a8bc7c2a6b3e8a1148a84eac5c13c584866663caa6b5e76a7caf27bf
                • Instruction ID: 6b7efd2867d24e7e0fc66eb5d9d9009adb9a2651acf4ae5d659d6d10c8588070
                • Opcode Fuzzy Hash: fe902727a8bc7c2a6b3e8a1148a84eac5c13c584866663caa6b5e76a7caf27bf
                • Instruction Fuzzy Hash: 84E0483125431927D21436547C43FED7BC49F05B61F21047AFB58655C38BD1655047A9
                APIs
                  • Part of subcall function 00BBF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BC0D71,?,?,?,00BA100A), ref: 00BBF7CE
                • IsDebuggerPresent.KERNEL32(?,?,?,00BA100A), ref: 00BC0D75
                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BA100A), ref: 00BC0D84
                Strings
                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BC0D7F
                Similarity
                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                • API String ID: 55579361-631824599
                • Opcode ID: 541eec3c3950a83c81ee5518417edf0fe9e4b95f159b90501e4ec7371066d90f
                • Instruction ID: 3f3d939859c9e541355aa851f0ef6552f2f7acc597836e14a7594ce26eb2f39e
                • Opcode Fuzzy Hash: 541eec3c3950a83c81ee5518417edf0fe9e4b95f159b90501e4ec7371066d90f
                • Instruction Fuzzy Hash: CDE06DB02203118BD730AFBDE84475A7BE0AB00740F0089BDE896C6661DBF5E4448BA1
                APIs
                Strings
                Similarity
                • API ID: LocalTime
                • String ID: %.3d$X64
                • API String ID: 481472006-1077770165
                • Opcode ID: 501e193ee9940360151444d70f1f187a586631cd98d19956c7087a0082a23585
                • Instruction ID: 39d7f991d3fa1c72ab7a9e2ec73536ded05fc7f78a6081a77cf8b06611b30a76
                • Opcode Fuzzy Hash: 501e193ee9940360151444d70f1f187a586631cd98d19956c7087a0082a23585
                • Instruction Fuzzy Hash: B7D0127180810DEACB5097D0CCC59FEB3FDAB08301F5084E2FA06A3040E624C50C6BA1
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C3236C
                • PostMessageW.USER32(00000000), ref: 00C32373
                  • Part of subcall function 00C0E97B: Sleep.KERNEL32 ref: 00C0E9F3
                Strings
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: 5108869078f9d821c55c8537865b52da60160ed0a42f64802545de3b3327d572
                • Instruction ID: b9a5f651eb69dffafe87c400f04e90e2724db9ab1dfbe699f25054df89c3ee5a
                • Opcode Fuzzy Hash: 5108869078f9d821c55c8537865b52da60160ed0a42f64802545de3b3327d572
                • Instruction Fuzzy Hash: 5BD0C9323D53107AE664A771AC8FFCE76149B05B10F0049167745BA1D0C9A0A841DB54
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C3232C
                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C3233F
                  • Part of subcall function 00C0E97B: Sleep.KERNEL32 ref: 00C0E9F3
                Strings
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: 1a78efdd52cefcc43d6ac2f82a909c1db27113e250340b4ce72f5ef73e865d0d
                • Instruction ID: 9ce6da295f598b66a6f4c871d70598bb01ab8ef8654c614993856eb377c0622f
                • Opcode Fuzzy Hash: 1a78efdd52cefcc43d6ac2f82a909c1db27113e250340b4ce72f5ef73e865d0d
                • Instruction Fuzzy Hash: 6FD0C9363A4310B6E664A771AC8FFCE7A149B00B10F0049167745BA1D0C9A0A841DB54
                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C0231F
                • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00C0232D
                Strings
                Similarity
                • API ID: MessageSend
                • String ID: @U=u
                • API String ID: 3850602802-2594219639
                • Opcode ID: 5bbc91f87f29e921537413151fe90f697b7b4b1d77ebb1caa7f7a99bf503a18d
                • Instruction ID: 890af98a6eb301af40f99e480d112ca2b6908bc7d9806b70ba1ba138f9129173
                • Opcode Fuzzy Hash: 5bbc91f87f29e921537413151fe90f697b7b4b1d77ebb1caa7f7a99bf503a18d
                • Instruction Fuzzy Hash: C6C00231150180BBE6211B67AD4EE5F3E3DE7DAF517101158B215A50A586650055DA24